Privacy Evaluation Questions - Categories

The Category descriptions are part of the questions used to drive the Common Sense District Privacy Evaluation Initiative. The release announcement gives more information about the complete question set. This page describes the categories we use to group the evaluation questions.

1. Transparency (What is the Privacy Practice?)

Category Description

Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third-parties.

If an online website, service, or application does not have a Privacy Policy, Terms of Service (TOS), End User License Agreement (EULA), cookie policy, data breach notification policy, or other legal notices available, then this evaluation tool should not be used, because there is no reliable or legally binding guarantees about how a user's data will be treated. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 14.

More information on Transparency

2. Focused Collection (What Information is Collected?)

Category Description

Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish the purposes in which the data is collected. Companies should also securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.

If a company provides a clear understanding of all the data collected, a user can make an informed choice about the potential privacy implications of how their data are used. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 21.

More information on Focused Collection

3. Data Sharing (How do Third-Parties Collect, Access, and Use Data?)

Category Description

Data Sharing: Companies should address in their privacy policies whether data collected are shared or sold to third-parties, and whether data are shared in an aggregate or de-identified format. In addition, companies should disclose the roles of third-parties and their functions, and whether third-parties are contractually required to provide the same level of privacy protection, as well as the use of social plugins or federated logins.

More information on Data Sharing

4. Respect for Context (What are the Data Purpose, Classification, Notice, and Changes?)

Category Description

Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Choice by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection.

If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice to consumers. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers that may require greater protections for personal data obtained from children and teenagers than for adults. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 15.

More information on Respect for Context

5. Individual Control (How are Data Owned, Licensed, Used, Disclosed, and Managed?)

Category Description

Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data.

Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 11.

More information on Individual Control

6. Access and Accuracy (How are Data Accessed, Corrected, Retained, Deleted, and Exported?)

Category Description

Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation.

Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 19.

More information on Access and Accuracy

7. Data Transfer (How are Data Transferred During a Bankruptcy, Merger, or Acquisition?)

Category Description

Data Transfer: Companies should disclose data ownership, notice, and choice to a user before onward transfer of personal data to a third-party occurs and must only be permitted where the third-party recipient provides the same level of privacy protection. A company transferring user data should clearly indicate in their policies how they handle data tranfer during a potential bankruptcy, merger, or acquisition.

More information on Data Transfer

8. Security (How are Data Transmitted, Stored, and Protected?)

Category Description

Security: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; encryption; and improper disclosure. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 19.

More information on Security

9. Responsible Use (How are Social Interactions Managed and User Information Displayed?)

Category Description

Responsible Use: Companies should address appropriate levels of communication, sharing, and visibility between students and adults, and describe how they handle issues related to cyberbullying and reporting inappropriate content. In addition, companies should address the rights of various stakeholders to audit and review the social interactions between users.

More information on Responsible Use

10. Advertising (How are Data used for Traditional, Contextual, or Behavioral Marketing?)

Category Description

Advertising: Companies should address when and where they provide advertising and whether they engage in traditional or targeted advertising practices. In addition, a company should define the role of third-parties in serving advertisements to students, parents, teachers, or the school and the legal issues implicated as a result. Companies should also address how they collect advertising data, display advertising content, and how they market thier products and services based on demographics.

More information on Advertising

11. Compliance (How do Statutes and Regulations apply from COPPA/FERPA/PPRA?)

Category Description

Compliance: Consumers have a right to have personal data handled by companies with appropriate measures that follow Fair Information Privacy Principles (FIPPs) and are in compliance with FERPA, COPPA, and the PPRA. Companies should be accountable to enforcement authorities and consumers for adhering to these principles and federal laws. Companies also should hold employees responsible for adhering to these principles and should train their employees as appropriate to handle personal data consistently and regularly evaluate their performance in this regard.

Where appropriate, companies should conduct both full internal audits and external audits of third-party affiliates. Companies that disclose personal data to third-parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 21.

More information on Compliance

12. Noise (What Information is not Relevant to the Evaluation?)

Category Description

Noise includes privacy policy or Terms of Serivce (TOS) content that is not relevant to the privacy evaluation. Over time, as we evaluate more policies, content that shows up in the "Noise" category can help inform new questions, or edits to existing questions.

Licensing and Attribution

The Privacy Evaluation Questions are released under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License. If you use these questions in your non-commercial project, please credit Common Sense Media as the author, and link back to the announcement post.

This is an example of proper attribution for the Questions: The Privacy Evaluation Questions were authored by Common Sense Media, and are reusable under the terms of a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License.

Privacy Evaluation Question Navigation and Information