Needles, Haystacks, and Policies

When evaluating software, it's often necessary to look in multiple places to find the applicable policies. This is how we do it.

December 08, 2017
Bill Fitzgerald, Director, Privacy Initiative


When running privacy evaluations, identifying the correct policies that govern the use of a service is the first hurdle to overcome. In many cases, this is straightforward, but in some situations, it's more difficult than it sounds. Problems can arise for multiple reasons, and the only way to achieve clarity is to track the various places where policies are made available and account for any variances or discrepancies.

In this post, we use "policies" to describe the different legal terms that govern use of a service, including privacy policies, terms of service, end user license agreements, and/or data use agreements. When we describe a "service," we mean the software that collects data from users. A single service can be accessed via a web browser, a desktop application, and/or a mobile application.

In some cases, all methods of accessing a service are governed by the same set of policies. In other cases, different methods of accessing a service are governed by different policies. In every case, it's necessary for the relevant policies to all be made available to people before they access a service or create an account via a downloaded app or a web browser.

Without publicly available policies, people cannot make an informed decision about how their data will be collected, used, disclosed, or protected. The following checks help ensure that the correct policies are in place and made accessible before a person creates an account or downloads an app.

These are the checks we run when completing an evaluation, and we strongly recommend that anyone who wants to understand the range of policies that govern the use of a service complete these checks. Vendors can also use these checks to verify that their policies are consistent and up to date.

  1. Go to the main web page where a person can learn about the service. See what policies (privacy policy, terms of service, EULA, etc.) are available from that page. If the policies for the service are not directly accessible from this page, is there a clear and obvious way to find the policies? Sometimes, the privacy policies available on a product overview page are the policies for the web site, which differ from the policies for the actual service. Verify that the policies for the service are available, and/or are clearly accessible, from the main product landing page.
  2. Does your product have an account registration page over the web? If yes, verify that the policies are accessible via the registration page. Additionally, verify that the policies available from the registration page point to the same URLs as the policies available from the main product landing web page.
  3. Can the product be accessed via a mobile app? If yes, go to the app store page(s) where the product can be downloaded. Check the link to the privacy policy URL. Follow the link. One of three things should occur:
    • The link leads to the same privacy policy that is available in Step 1 or Step 2. This implies that the same set of policies governs access to the service regardless of whether access occurs via a web browser or the mobile application. Ideally, this is also clarified in the policies.
    • The link leads to a different privacy policy that is not available in Step 1 or Step 2. This implies that a different policy or policies govern access to the service when the service is accessed via the mobile application. Ideally, the relationship and precedence between these different policies are clearly defined.
    • The link doesn't point to an actual privacy policy, or the link points to a dead web page. This is a data entry issue that should be fixed as quickly as possible.

If the service is only accessible via a mobile application, the app store page should contain a link to the correct privacy policy. Ideally, if there is a web site that markets the mobile app, the privacy policy for the app will also be accessible via the web site.
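The URL comparisons in the three checks above can be scripted. The following Python is an added example, not part of the original post: it extracts policy links from the landing and registration pages, reports any that appear on only one of them, and classifies the app store link into the three outcomes of Step 3. The keyword list, the function names, the `example.com` pages and the `is_live` stub are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

KEYWORDS = ("privacy", "terms", "eula", "license")  # assumed hints for policy links

def normalize(url):
    """Canonical form for comparison: lowercase scheme/host, no fragment or trailing slash."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}{query}"

class PolicyLinks(HTMLParser):
    """Collects absolute URLs of <a> tags whose href or text mentions a policy keyword."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.href, self.text, self.found = base_url, None, "", set()
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self.href:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href:
            if any(k in f"{self.href} {self.text}".lower() for k in KEYWORDS):
                self.found.add(normalize(urljoin(self.base, self.href)))
            self.href = None

def policy_links(page_url, html):
    parser = PolicyLinks(page_url)
    parser.feed(html)
    return parser.found

def run_checks(landing, registration, store_privacy_url, is_live):
    """landing/registration are (url, html) pairs; is_live(url) -> bool is injected,
    so the dead-link test can use a real HTTP client or, as here, a stub."""
    land, reg = policy_links(*landing), policy_links(*registration)
    store = normalize(store_privacy_url)
    if not is_live(store):
        step3 = "dead"        # link is broken: fix the store listing
    elif store in land | reg:
        step3 = "same"        # one policy covers web and mobile access
    else:
        step3 = "different"   # mobile access is governed by a separate policy
    return {"step1": sorted(land), "step2_mismatch": sorted(land ^ reg), "step3": step3}

# Constructed sample pages for a hypothetical vendor at example.com.
LANDING = ("https://example.com/product", '<a href="/privacy">Privacy Policy</a> <a href="/terms/">Terms of Service</a> <a href="/blog">Blog</a>')
REGISTER = ("https://example.com/signup", '<a href="https://EXAMPLE.com/privacy#top">Privacy</a> <a href="/legal/tos">Terms</a>')
LIVE = {"https://example.com/privacy", "https://example.com/app-privacy"}  # stub for is_live
```

A script like this catches dead links and URL mismatches; whether a live page is the policy for the service rather than for the web site still has to be read by a person.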

The goal of these checks is to ensure that the policies that govern the use of a service are clearly defined and clearly accessible to people before they download an application or create an account with a service. Ideally, these checks provide straightforward, readily comprehensible results.
