Privacy Evaluation for Slack
Slack is a business communication service. According to Slack's policy, when an authorized user submits information, it may be displayed to other authorized users in the same or connected workspaces. In order to create or update a Workspace account, the user or their Customer (e.g., the user's employer) supplies Slack with an email address, phone number, password, domain and/or similar account details. Slack's security policy lists several security-related audits and certifications are applicable to the Slack services, and it uses encryption. It is unclear what obligations Slack has to children under 13 or 16 if use is not prohibited by law, or if Slack itself has knowledge a child is using its service.
According to Slack's policy, when an authorized user submits information, it may be displayed to other authorized users in the same or connected workspaces. The policy notes that the service is used for collaborating with others, and that the services provide different ways for authorized users working in independent workspaces to collaborate, such as Slack Connect or email interoperability. Other information, such as an authorized user’s profile information, may be shared, subject to the policies and practices of the other workspace(s). Slack's authorized use policy indicates that users must not use the services in any manner that may harm minors or that interacts with or targets people under the age of thirteen nor engage in activity that incites or encourages violence or hatred against individuals or groups;
Slack's policy calls corporate users "Customers." Customers or individuals granted access to a workspace by a Customer (“Authorized Users”) routinely submit Customer Data to Slack when using the Services. Slack also collects, generates and/or receives other Information, including workspace and Account Information. For example, in order to create or update a Workspace account, the user or their Customer (e.g., the user's employer) supplies Slack with an email address, phone number, password, domain and/or similar account details. Slack's policy says they do not sell the personal information they collect and will not sell it without providing a right to opt out. The policy notes that third parties may, for example, provide virtual computing and storage services, or that Slack may share business information to "develop strategic partnerships" with third party service providers to support their common customers.
The Slack security policy explains that they place strict controls over their employees’ access to the data corporate customers and their users make available via the Slack services, and it also lists several security-related audits and certifications are applicable to the Slack services. Data is encrypted in transit and at rest while in storage, according to this policy. The policy notes that in the event of a security breach, Slack will promptly notify you of any unauthorized access to your Customer Data.
Slack's policy notes that to the extent prohibited by applicable law, Slack does not allow use of their services and websites by anyone younger than 16 years old. If a user learns that anyone younger than 16 has unlawfully provided Slack with personal data, Slack's policy asks that the user please contact them and they will take steps to delete such information. It is unclear what obligations Slack has to children under 13 or 16 if use is not prohibited by law, or if Slack itself has knowledge a child is using its service.
What data does it collect?
- Personally identifiable information (PII) is collected.
- The categories of collected personally identifiable information are indicated.
- Unclear whether the collection or use of data is limited to product requirements.
- Geolocation data are collected.
- Unclear whether this product collects biometric or health data.
- Behavioral data are collected.
- Unclear whether this product collects sensitive data.
- Non-personally identifiable information is collected.
- Unclear whether this product treats combined information as personally identifiable information (PII).
- Personal information from children under 13 years of age is not collected online.
What data does it share?
- Collected information is shared with third parties.
- The categories of information shared with third parties are indicated.
- The purpose for sharing a user's personal information with third parties is indicated.
- Unclear whether use of information is limited to the purpose for which it was collected.
- Data are shared for analytics.
- Data are shared for research and/or product improvement.
- Data are shared with third-party service providers.
- The roles of third-party service providers are indicated.
- Social or federated login is supported.
- Contractual limits are not placed on third-party data use.
How does it secure data?
- Unclear whether a user's identity is verified with additional personal information.
- Account creation is required.
- Parental controls or managed accounts are available.
- Two-factor account protection is available.
- Third-party contractual security protections are not required.
- Industry best practices are used to protect data.
- Employee or physical access to user information is limited.
- All data in transit are encrypted.
- All data at rest are encrypted.
- Notice is provided in the event of a data breach.
What rights do I have to the data?
- Unclear whether opt-in consent is requested from users at the time personal information is collected.
- Users can control their information through privacy settings.
- Unclear whether users can create or upload content.
- Unclear whether users retain ownership of their data.
- Processes to access and review user data are available.
- Processes to modify inaccurate data are available.
- A data-retention policy is available.
- Processes for the school, parents, or students to delete data are available.
- Processes to delete user data are not available.
- Processes to download user data are available.
Is the data sold?
- Data are not sold or rented to third parties.
- Unclear whether users can opt out from the disclosure or sale of their data to a third party.
- User information can be transferred to a third party.
- Unclear whether users are notified if their information is transferred to a third party.
- Unclear whether user information can be deleted prior to its transfer to a third party.
- Third-party transfer is contractually required to use the same privacy practices.
- Unclear whether user information is shared in an anonymous or deidentified format.
- Unclear whether the vendor describes their deidentification process of user information.
- Data are shared for research and/or product improvement.
- Contractual limits do not prohibit third parties from reidentifying deidentified information.
How safe is this product?
- Users can interact with trusted users and/or students.
- Unclear whether users can interact with untrusted users, including strangers and/or adults.
- Profile information is shared for social interactions.
- Personal information is displayed publicly.
- Users can control how their data are displayed.
- User-created content is reviewed, screened, or monitored by the vendor.
- Unclear whether user-created content is filtered for personal information before being made publicly visible.
- Unclear whether social interactions between users are moderated.
- Unclear whether social interactions of users are logged.
- Users can report abuse or cyberbullying.
Ads & Tracking
Are there advertisements or tracking?
- Unclear whether data are shared for third-party advertising and/or marketing.
- Unclear whether this product displays traditional or contextual advertisements.
- Behavioral or targeted advertising is displayed.
- Data are collected by third-party advertising or tracking services.
- Data are used to track and target advertisements on other third-party websites or services.
- Data profiles are created and used for data enhancement, and/or targeted advertisements.
- The vendor can send marketing messages.
- The vendor does provide promotional sweepstakes, contests, or surveys.
- Users cannot opt out of traditional, contextual, or behavioral advertising.
- Users can opt out or unsubscribe from marketing communications.
Can I provide parental consent?
- Not intended for children under 13.
- Unclear whether intended for parents or guardians.
- Vendor does not have actual knowledge that personal information from users under 13 years of age is collected.
- Unclear whether children's privacy is applicable.
- Unclear whether this product indicates COPPA parental consent exceptions.
- Unclear whether this product requires parental consent.
- Unclear whether this product limits parental consent with respect to third parties.
- Unclear whether this product allows parents to withdraw consent for the further collection of their child's information.
- Children's personal information is deleted if collected without parental consent.
- Unclear whether this product provides parental consent notice and method for submission.
Is the product intended for school?
- Unclear whether intended for students.
- Unclear whether personal information or education records are collected from preK-12 students.
- Unclear whether intended for teachers.
- Unclear whether this product is primarily used by, designed for, and marketed toward students in grades preK–12.
- Unclear whether the product creates education records.
- Unclear whether this product provides notification of a contract or additional rights.
- Unclear whether this product designates the vendor as a school official.
- Unclear whether this product transfers parental consent obligations to the school or district.
- Unclear whether the vendor indicates FERPA parental consent exceptions.
- Unclear whether this product discloses directory information.