P9. Collection of user information from third parties

The company should clearly disclose its practices with regard to user information it collects from third-party websites or apps through technical means, as well as user information it collects through non-technical means.

Elements:

1. (For digital platforms) Does the company clearly disclose what user information it collects from third-party websites through technical means?
2. (For digital platforms) Does the company clearly explain how it collects user information from third parties through technical means?
3. (For digital platforms) Does the company clearly disclose its purpose for collecting user information from third parties through technical means?
4. (For digital platforms) Does the company clearly disclose how long it retains the user information it collects from third parties through technical means?
5. (For digital platforms) Does the company clearly disclose that it respects user-generated signals to opt out of data collection?
6. Does the company clearly disclose what user information it collects from third parties through non-technical means?
7. Does the company clearly disclose how it collects user information from third parties through non-technical means?
8. Does the company clearly disclose its purpose for collecting user information from third parties through non-technical means?
9. Does the company clearly disclose how long it retains the user information it collects from third parties through non-technical means?

App — A self-contained program or piece of software designed to fulfill a particular purpose; a software application, especially as downloaded by a user to a mobile device.

Clearly disclose(s) — The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.

Non-technical means — Companies can acquire user information through non-technical means, such as through purchases, data-sharing agreements, and other contractual relationships with third parties.This acquired data can become part of a “digital dossier” that companies may hold on its users, which can then form the basis for inferred and shared user information.

Technical means  — Companies deploy various technologies, such as cookies, widgets and buttons to track users’ activity on their services and on third-party sites and services. For example, a company may embed content on a third-party website and collect user information when a user “likes” or otherwise interacts with this content.

Third party – A “party” or entity that is anything other than the user or the company. For the purposes of this methodology, third parties can include government organizations, courts, or other private parties (e.g., a company, an NGO, an individual person).

User information — Any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques. User information may be either collected or inferred. As further explanation, user information is any data that documents a user’s characteristics and/or activities. This information may or may not be tied to a specific user account. This information includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User information is never considered anonymous except when included solely as a basis to generate global measures (e.g. number of active monthly users). For example, the statement, ‘Our service has 1 million monthly active users,’ contains anonymous data, since it does not give enough information to know who those 1 million users are.

Indicator guidance: We expect companies to disclose what information about users they collect from third parties, which can mean information collected from third-party websites or apps through technical means—for instance through cookies, plug-ins, or widgets, or through non-technical means, for instance through contractual agreements. Companies can also acquire user information through non-technical means, including as part of a contractual agreement, and this acquired data can become part of a “digital dossier” that companies may hold on their users, which can then form the basis for inferred and shared user information. Companies should be transparent and accountable about these practices so that users can understand if and how their activities are being tracked by companies even when they are not on a host company’s website or when the individual is not a user of a particular service or platform.

• Company privacy policy
• Company policy on third parties or cookies policy