P5. Purpose for collecting, inferring, and sharing user information

The company should clearly disclose why it collects, infers, and shares user information.

Elements:

  1. For each type of user information the company collects, does the company clearly disclose its purpose for collection?
  2. For each type of user information the company infers, does the company clearly disclose its purpose for the inference?
  3. Does the company clearly disclose whether it combines user information from various company services and if so, why?
  4. For each type of user information the company shares, does the company clearly disclose its purpose for sharing?
  5. Does the company clearly disclose that it limits its use of user information to the purpose for which it was collected or inferred?

Definitions:

Clearly disclose(s) — The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.

Collect / Collection — All means by which a company may gather information about users. For example, a company may collect this information directly in a range of situations, including when users upload content for public sharing, submit phone numbers for account verification, transmit personal information in private conversation with one another, etc. A company may also collect this information indirectly, for example, by recording log data, account information, metadata, and other related information that describes users and/or documents their activities.

Collected user information — User information that a company either observes directly or acquires from a third party.

Data inference — Companies are able to draw inferences and predictions about the behaviors, preferences, and private lives of their users by applying “big data” analytics and algorithmic decision-making technologies. These methods might be used to make inferences about user preferences or attributes (e.g., race, gender, sexual orientation), and opinions (e.g., political stances), or to predict behaviors (e.g., to serve advertisements). Without sufficient transparency and user control over data inference, privacy-invasive and non-verifiable inferences cannot be predicted, understood, or refuted by users. For more see: Wachter, Sandra and Mittelstadt, Brent, A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI (October 5, 2018). Columbia Business Law Review, 2019(2), https://ssrn.com/abstract=3248829

Shares / sharing — The company allows a third party to access user information, either by freely giving the information to a third party (or the public, or other users) or selling it to a third party.

User information — Any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques. User information may be either collected or inferred. As further explanation, user information is any data that documents a user’s characteristics and/or activities. This information may or may not be tied to a specific user account. This information includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User information is never considered anonymous except when included solely as a basis to generate global measures (e.g. number of active monthly users). For example, the statement, ‘Our service has 1 million monthly active users,’ contains anonymous data, since it does not give enough information to know who those 1 million users are.

Indicator guidance: We expect companies to clearly disclose the purpose for collecting, sharing, and inferring each type of user information they collect, share, and infer. In addition, many companies own or operate a variety of products and services, and we expect companies to clearly disclose how user information can be shared or combined across services. Companies should also publicly commit to the principle of use limitation—meaning they publicly state in their policies that they only use data for purposes for which it was specified—in line with OECD privacy guidelines, the GDPR, and other frameworks, both for the user information they collect and infer.

Potential sources:

  • Company privacy policy