P8. Users’ access to their own user information

Companies should allow users to obtain all of their user information the company holds.

Elements:

  1. Does the company clearly disclose that users can obtain a copy of their user information?
  2. Does the company clearly disclose what user information users can obtain?
  3. Does the company clearly disclose that users can obtain their user information in a structured data format?
  4. Does the company clearly disclose that users can obtain all public-facing and private user information a company holds about them?
  5. Does the company clearly disclose that users can access the list of advertising audience categories to which the company has assigned them?
  6. Does the company clearly disclose that users can obtain all the information that a company has inferred about them?
  7. (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party apps made available through its app store disclose that users can obtain all of the user information about them the app holds?
  8. (For personal digital assistant ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party skills made available through its skill store state that all user information is deleted when users terminate their accounts or delete the skill?

Definitions:

App — A self-contained program or piece of software designed to fulfill a particular purpose; a software application, especially as downloaded by a user to a mobile device.

App store — The platform through which a company makes its own apps as well as those created by third-party developers available for download. An app store (or app marketplace) is a type of digital distribution platform for computer software, often in a mobile context.

Clearly disclose(s) — The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.

Data inference — Companies are able to draw inferences and predictions about the behaviors, preferences, and private lives of their users by applying “big data” analytics and algorithmic decision-making technologies. These methods might be used to make inferences about user preferences or attributes (e.g., race, gender, sexual orientation), and opinions (e.g., political stances), or to predict behaviors (e.g., to serve advertisements). Without sufficient transparency and user control over data inference, privacy-invasive and non-verifiable inferences cannot be predicted, understood, or refuted by users. For more see: Wachter, Sandra and Mittelstadt, Brent, A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI (October 5, 2018). Columbia Business Law Review, 2019(2), https://ssrn.com/abstract=3248829

Mobile ecosystem — The indivisible set of goods and services offered by a mobile device company, comprising the device hardware, operating system, app store, and user account.

Personal digital assistant ecosystem — A personal digital assistant (PDA) ecosystem consists of an artificial intelligence-powered interface installed on digital devices that can interact with users through text or voice to access information on the Internet and perform certain tasks with personal data shared by the users. Users can interact with PDA ecosystems through skills, which are either made available by third-party developers/providers or the PDA itself.

Privacy policies — Documents that outline a company’s practices involving the collection and use of information, especially information about users.

Skills — Skills are voice-driven personal digital assistant capabilities allowing users to perform certain tasks or engage with online content using devices equipped with a personal digital assistant. Personal digital assistant ecosystem skills are similar to mobile ecosystem apps: users can enable or disable built-in skills or install skills developed by third parties through stores similar to app stores.

Skill store — The platform through which a company makes its own skills as well as those created by third-party developers available for download. A skill store (or skill marketplace) is a type of digital distribution platform for computer software.

Third party — A “party” or entity that is anything other than the user or the company. For the purposes of this methodology, third parties can include government organizations, courts, or other private parties (e.g., a company, an NGO, an individual person).

User information — Any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques. User information may be either collected or inferred. As further explanation, user information is any data that documents a user’s characteristics and/or activities. This information may or may not be tied to a specific user account. This information includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User information is never considered anonymous except when included solely as a basis to generate global measures (e.g. number of active monthly users). For example, the statement, ‘Our service has 1 million monthly active users,’ contains anonymous data, since it does not give enough information to know who those 1 million users are.

Users — Individuals who use a product or service. This includes people who post or transmit the content online as well as those who try to access or receive the content. For indicators in the freedom of expression category, this includes third-party developers who create apps that are housed or distributed through a company’s product or service.

Indicator guidance: Users should be able to obtain all information that companies hold about them, including the information that a company has inferred about them. We expect companies to clearly disclose what options users have to obtain this information, what data this record contains, and what formats users can obtain it in. For mobile ecosystems, we expect the company to disclose to users whether the apps that are available in its app store specify that users can obtain all of the user information that app holds about them. We expect companies that operate personal digital assistant (PDA) skill stores to set minimum standards that the third-party skills hosted on their platform must meet. Just as we expect companies themselves to disclose that users can obtain a record of their own user information from the company, PDA skill stores should require skills in their store to provide similar disclosure.

Potential sources:

  • Company privacy policy
  • Company account settings
  • Company help center
  • Company blog posts