P6. Retention of user information

The company should clearly disclose how long it retains user information.

Elements:

1. For each type of user information the company collects, does the company clearly disclose how long it retains that user information?
2. Does the company clearly disclose what de-identified user information it retains?
3. Does the company clearly disclose the process for de-identifying user information?
4. Does the company clearly disclose that it deletes all user information after users terminate their account?
5. Does the company clearly disclose the time frame in which it will delete user information after users terminate their account?
6. (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party apps made available through its app store disclose how long they retain user information?
7. (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party apps made available through its app store state that all user information is deleted when users terminate their accounts or delete the app?
8. (For personal digital assistant ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party skills made available through its skill store disclose how long they retain user information?
9. (For personal digital assistant ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party skills made available through its skill store state that all user information is deleted when users terminate their accounts or delete the skill?

App — A self-contained program or piece of software designed to fulfill a particular purpose; a software application, especially as downloaded by a user to a mobile device.

App store — The platform through which a company makes its own apps as well as those created by third-party developers available for download. An app store (or app marketplace) is a type of digital distribution platform for computer software, often in a mobile context.

Clearly disclose(s) — The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.

De-identified (user information) — This refers to user information that companies collect and retain but only after removing or obscuring any identifiable information from it. This means removing explicit identifiers like names, email addresses, and any government-issued ID numbers, as well as identifiers like IP addresses, cookies, and unique device numbers. 

Mobile ecosystem — The indivisible set of goods and services offered by a mobile device company, comprising the device hardware, operating system, app store, and user account.

Personal digital assistant ecosystem — A personal digital assistant (PDA) ecosystem consists of an artificial intelligence-powered interface installed on digital devices that can interact with users through text or voice to access information on the Internet and perform certain tasks with personal data shared by the users. Users can interact with PDA ecosystems through skills, which are either made available by third-party developers/providers or the PDA itself.

Privacy policies — Documents that outline a company’s practices involving the collection and use of information, especially information about users.

Retention of user information — A company may collect data and then delete it. If the company does not delete it, the data is “retained.” The time between collection and deletion is the “retention period”. Such data may fall under our definition of “user information,” or it may be anonymous. Keep in mind that truly anonymous data may in no way be connected to a user, the user’s identity, behavior, or preference, which is very rare.

A related topic is the “retention period.” For example, a company may collect log data on a continual basis, but purge (delete) the data once a week. In this case, the data retention period is one week. However, if no retention period is specified, the default assumption must be that the data is never deleted, and the retention period is therefore indefinite. In many cases users may wish for their data to be retained while they are actively using the service, but would like it to be deleted (and therefore not retained) if and when they quit using the service. For example, users may want a social network service to keep all of their private messages, but when the user leaves the network they may wish that all of their private messages be deleted.

Skills  — Skills are voice-driven personal digital assistant capabilities allowing users to perform certain tasks or engage with online content using devices equipped with a personal digital assistant. Personal digital assistant ecosystem skills are similar to mobile ecosystem apps: users can enable or disable built-in skills or install skills developed by third-parties through stores similar to app stores.

Skill store — The platform through which a company makes its own skills as well as those created by third-party developers available for download. A skill store (or skill marketplace) is a type of digital distribution platform for computer software.

Third party – A “party” or entity that is anything other than the user or the company. For the purposes of this methodology, third parties can include government organizations, courts, or other private parties (e.g., a company, an NGO, an individual person).

User information — Any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques. User information may be either collected or inferred. As further explanation, user information is any data that documents a user’s characteristics and/or activities. This information may or may not be tied to a specific user account. This information includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User information is never considered anonymous except when included solely as a basis to generate global measures (e.g. number of active monthly users). For example, the statement, ‘Our service has 1 million monthly active users,’ contains anonymous data, since it does not give enough information to know who those 1 million users are.

Indicator guidance: Just as we expect companies to disclose what information they collect and share about us, we also expect companies to clearly disclose for how long they retain it and the extent to which they remove identifiers from user information they store. In addition, users should also be able to understand what happens to their information when they delete their accounts. In some cases, laws or regulations may require companies to retain certain information for a given period of time. In these cases, companies should clearly disclose these regulations to users. Companies that choose to retain user information for extended periods of time should also take steps to ensure that data is not tied to a specific user. Acknowledging the ongoing debates about the efficacy of de-identification processes, and the growing sophistication around re-identification practices, we still consider de-identification a positive step that companies can take to protect the privacy of their users.

In addition, if companies collect multiple types of information, we expect them to clearly disclose for how long they retain each type of information. For mobile ecosystems and personal digital assistant (PDA) ecosystems, we expect companies to disclose whether the privacy policies of the mobile apps and PDA skills that are available in their app and skill store state how long the app or skill retains user information and whether all user information is deleted if users terminate or delete the app or the skill.

• Company privacy policy
• Company webpage or section on data protection or data collection