When evaluating software, it's often necessary to look in multiple places to find the applicable policies. This is how we do it.
When running privacy evaluations, identifying the correct policies that govern the use of a service is the first hurdle to overcome. In many cases, this is straightforward, but in some situations, it's more difficult than it sounds. Problems can arise for multiple reasons, and the only way to achieve clarity is to track the various places where policies are made available and account for any variances or discrepancies.
In this post, we use "policies" to describe the different legal terms that govern use of a service, including privacy policies, terms of service, end user license agreements, and/or data use agreements. When we describe a "service," we mean the software that collects data from users. A single service can be accessed via a web browser, a desktop application, and/or a mobile application.
In some cases, all methods of accessing a service are governed by the same set of policies. In other cases, different methods of accessing a service are governed by different policies. In every case, it's necessary for the relevant policies to all be made available to people before they access a service or create an account via a downloaded app or a web browser.
Without publicly available policies, people cannot make an informed decision about how their data will be collected, used, disclosed, or protected. The following checks help ensure that the correct policies are in place and made accessible before a person creates an account or downloads an app.
These are the checks we run when completing an evaluation, and we strongly recommend that anyone who wants to understand the range of policies that govern the use of a service complete these checks. Vendors can also use these checks to verify that their policies are consistent and up to date.
- Does your product have an account registration page over the web? If yes, verify that the policies are accessible via the registration page. Additionally, verify that the policies available from the registration page point to the same URLs as the policies available from the main product landing web page.
The goal of these checks is to ensure that the policies that govern the use of a service are clearly defined and clearly accessible to people before they download an application or create an account with a service. Ideally, these checks provide straightforward, readily comprehensible results.