Triage Evaluation Questions
The triage questions are essentially our preliminary steps taken before beginning to evaluate the policies of a product. Triage questions are typically outside the scope of privacy policy details and offer a rudimentary view into the observable practices of a vendor.
0.1: Assessment
0.1.1: Policy Available (Privacy)
Are the privacy policies for the specific product (vs. the company website) made publicly available?
- Indicator
- Privacy Policy and Terms of Service are made available.
- Citation
- California Online Privacy Protection Act: (An operator of a service or application that collects personally identifiable information through the Internet about individual consumers from California who use or visit its service is required to conspicuously post a privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(a)
- Background
- A company’s terms of service outline the relationship between the user and the company. The terms contain rules for what activities and content users are permitted to engage in and share on a company’s services, and as such, these terms can directly affect users’ freedom of expression rights. Companies can also take action against users for violating the conditions described in the terms. Given this, we expect companies to ensure that users can easily locate these terms and understand what they mean. See Ranking Digital Rights, F1.
- Privacy policies address how companies collect, manage, use, and secure information about users as well as information provided by users. Given this, companies should ensure that users can easily locate the policy and to make an effort to help users understand what they mean. See Ranking Digital Rights, P1.
0.1.2: Same Policy (Privacy)
Do Android or iOS app privacy policies link to the same privacy policy URL location as the home page policy?
- Indicator
- App store policies are the same as policies available for its applications and services.
- Citation
- California Online Privacy Protection Act: (An operator of a service or application that collects personally identifiable information through the Internet about individual consumers from California who use or visit its service is required to conspicuously post a privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(a)
- California Online Privacy Protection Act: (An operator may provide a hyperlink in their privacy policy to a location containing a description, including the effects, of any program or protocol that offers the consumer a choice not to be tracked) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(7)
0.1.3: Default Encryption (Security)
Does the login page use encryption with HTTPS?
- Indicator
- Provides encryption for user information transmitted during log-in, account creation, and usage.
- Citation
- California Data Breach Notification Requirements: (A person or business that owns, licenses, or maintains personal information about a California resident is required to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure) See California Data Breach Notification Requirements, Cal. Civ. Code § 1798.81.5
- Children's Online Privacy Protection Act: (An operator must maintain the confidentiality, security, and integrity of personal information collected from children) See 16 C.F.R. Part 312.8
- Family Educational Rights and Privacy Act: (An educational institution must maintain physical, technical, and administrative safeguards to protect student information) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.31(a)(1)(ii)
- Student Online Personal Information Protection Act: (An operator is required to implement reasonable security procedures, practices, and protect student data from unauthorized access, destruction, use, modification, or disclosure) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(d)(1)
- California AB 1584 - Privacy of Pupil Records: (A local educational agency that enters into a contract with a third party must ensure the contract contains a description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records) See California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code § 49073.1(b)(5)
0.1.4: Encryption Required (Security)
Are HTTP requests made to the login page redirected to HTTPS?
- Indicator
- Provides insecure encryption for user information transmitted during log-in, account registration, and usage.
- Citation
- California Data Breach Notification Requirements: (A person or business that owns, licenses, or maintains personal information about a California resident is required to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure) See California Data Breach Notification Requirements, Cal. Civ. Code § 1798.81.5
- Children's Online Privacy Protection Act: (An operator must maintain the confidentiality, security, and integrity of personal information collected from children) See 16 C.F.R. Part 312.8
- Family Educational Rights and Privacy Act: (An educational institution must maintain physical, technical, and administrative safeguards to protect student information) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.31(a)(1)(ii)
- Student Online Personal Information Protection Act: (An operator is required to implement reasonable security procedures, practices, and protect student data from unauthorized access, destruction, use, modification, or disclosure) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(d)(1)
- California AB 1584 - Privacy of Pupil Records: (A local educational agency that enters into a contract with a third party must ensure the contract contains a description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records) See California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code § 49073.1(b)(5)
0.1.5: Use Trackers (Privacy)
Does the product use trackers on its homepage, registration page, or while a user is logged-in?
- Indicator
- Uses tracking services on its product.
- Citation
- Children's Online Privacy Protection Act: (An operator is prohibited from sharing a persistent identifier collected from children that can be used to recognize and track a user over time and across different websites or services without verifiable parental consent) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2
- Student Online Personal Information Protection Act: (An operator is prohibited from tracking a student across websites with targeted advertising) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(1)(A)
- California AB 1584 - Privacy of Pupil Records: (A local educational agency that enters into a contract with a third party must ensure the contract contains a prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising) See California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code § 49073.1(b)(9)
- California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582
0.2: Policy Available
0.2.1: Policy Links (Privacy)
Are hyperlinks to the vendor's policies available on the "homepage" and labeled Privacy Policy?
- Indicator
- Policies are labeled "privacy policy" and easy to find on the product homepage.
- Citation
- California Online Privacy Protection Act: (An operator of a service or application that collects personally identifiable information through the Internet about individual consumers from California who use or visit its service is required to conspicuously post a privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(a)
- California Online Privacy Protection Act: (An operator is required to post a conspicuous hyperlink that includes the word "privacy" to its actual privacy policy on the homepage or first significant page after entering the Web site, or an icon that hyperlinks to a Web page on which the actual privacy policy is posted, so that a reasonable person would notice it) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22577(b)(1)-(4)
- Background
- A vendor should make their Policy recognizable by giving it a descriptive title, such as 'Privacy Policy' or 'Data Collection and Use Policy.' Make the Privacy Policy available in a single location; don't make users search for it in Terms of Service or Terms and Conditions statements, for example. Make the Policy conspicuously available on the website or from within the mobile app or other online service. If your app is available through an online store or other platform, also provide a link to the Policy there so that potential users can review it before downloading the app. Be prepared to provide a copy of or a link to the Policy to a school or school district for posting on their website. Schools and districts are increasingly receiving requests from parents to share the privacy policies of the online services they use. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 15.
- A document that is easy to find is located on the homepage of the company or service, or one or two clicks away from the homepage, or in a logical place where users can expect to find it. See Ranking Digital Rights, F1, P1.