Triage Evaluation Questions

The triage questions are the preliminary steps we take before evaluating a product's policies. They typically fall outside the scope of privacy policy details and offer a rudimentary view into a vendor's observable practices.

0.1: Assessment

0.1.1: Policy Available (Privacy)

Are the privacy policies for the specific product (vs. the company website) made publicly available?

  • Indicator
    • Privacy Policy and Terms of Service are made available.
  • Citation
  • Background
    • A company’s terms of service outline the relationship between the user and the company. The terms contain rules for what activities and content users are permitted to engage in and share on a company’s services, and as such, these terms can directly affect users’ freedom of expression rights. Companies can also take action against users for violating the conditions described in the terms. Given this, we expect companies to ensure that users can easily locate these terms and understand what they mean. See Ranking Digital Rights, F1.
    • Privacy policies address how companies collect, manage, use, and secure information about users as well as information provided by users. Given this, companies should ensure that users can easily locate the policy and make an effort to help users understand what it means. See Ranking Digital Rights, P1.

0.1.2: Same Policy (Privacy)

Do Android or iOS app privacy policies link to the same privacy policy URL location as the home page policy?

  • Indicator
    • App store policies are the same as policies available for its applications and services.
  • Citation

0.1.3: Default Encryption (Security)

Does the login page use encryption with HTTPS?

  • Indicator
    • Provides encryption for user information transmitted during log-in, account creation, and usage.
  • Citation

0.1.4: Encryption Required (Security)

Are HTTP requests made to the login page redirected to HTTPS?

  • Indicator
    • Provides insecure encryption for user information transmitted during log-in, account registration, and usage.
  • Citation
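
The two security questions above (0.1.3 and 0.1.4) can be answered from the redirect chain a login URL produces. The sketch below is an added example, not part of the original evaluation framework: the function names, the `.example` hosts and the sample responses are all constructed for illustration, and `fetch` is assumed to return a status code and Location header without following redirects itself.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def trace(start_url, fetch, max_hops=10):
    """Follow redirects by hand; fetch(url) -> (status, location or None)."""
    hops, url, seen = [], start_url, set()
    while len(hops) < max_hops and url not in seen:  # stop on redirect loops
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be a relative path
    return hops

def ends_on_https_page(hops):
    url, status = hops[-1]
    return status == 200 and urlsplit(url).scheme == "https"

def triage(login_host_path, fetch):
    """Answer 0.1.3 and 0.1.4 for a login page given as 'host/path'."""
    https_hops = trace("https://" + login_host_path, fetch)
    http_hops = trace("http://" + login_host_path, fetch)
    # 0.1.3: the HTTPS request reaches a page and no hop drops to HTTP.
    default_encryption = ends_on_https_page(https_hops) and all(
        urlsplit(u).scheme == "https" for u, _ in https_hops)
    # 0.1.4: the plain-HTTP request is redirected and ends on an HTTPS page.
    encryption_required = len(http_hops) > 1 and ends_on_https_page(http_hops)
    return {"0.1.3": default_encryption, "0.1.4": encryption_required}

# Constructed sample responses (hypothetical hosts), keyed by requested URL.
SAMPLE = {
    "https://good.example/login": (200, None),
    "http://good.example/login": (301, "https://good.example/login"),
    "https://mixed.example/login": (200, None),
    "http://mixed.example/login": (200, None),  # clear text, no redirect
    "https://down.example/login": (302, "http://down.example/signin"),
    "http://down.example/login": (302, "/signin"),
    "http://down.example/signin": (200, None),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, None))

if __name__ == "__main__":
    for page in ("good.example/login", "mixed.example/login", "down.example/login"):
        print(page, triage(page, sample_fetch))
```

The `mixed.example` case is the one 0.1.4 exists to catch: HTTPS works, but the same login page is still served over plain HTTP when requested that way.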

0.1.5: Use Trackers (Privacy)

Does the product use trackers on its homepage, registration page, or while a user is logged in?

  • Indicator
    • Uses tracking services on its product.
  • Citation

0.2: Policy Available

Are hyperlinks to the vendor's policies available on the "homepage" and labeled Privacy Policy?

  • Indicator
    • Policies are labeled "privacy policy" and easy to find on the product homepage.
  • Citation
    • California Online Privacy Protection Act: (An operator of a service or application that collects personally identifiable information through the Internet about individual consumers from California who use or visit its service is required to conspicuously post a privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(a)
    • California Online Privacy Protection Act: (An operator is required to post a conspicuous hyperlink that includes the word "privacy" to its actual privacy policy on the homepage or first significant page after entering the Web site, or an icon that hyperlinks to a Web page on which the actual privacy policy is posted, so that a reasonable person would notice it) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22577(b)(1)-(4)
  • Background
    • A vendor should make their Policy recognizable by giving it a descriptive title, such as 'Privacy Policy' or 'Data Collection and Use Policy.' Make the Privacy Policy available in a single location; don't make users search for it in Terms of Service or Terms and Conditions statements, for example. Make the Policy conspicuously available on the website or from within the mobile app or other online service. If your app is available through an online store or other platform, also provide a link to the Policy there so that potential users can review it before downloading the app. Be prepared to provide a copy of or a link to the Policy to a school or school district for posting on their website. Schools and districts are increasingly receiving requests from parents to share the privacy policies of the online services they use. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 15.
    • A document that is easy to find is located on the homepage of the company or service, or one or two clicks away from the homepage, or in a logical place where users can expect to find it. See Ranking Digital Rights, F1, P1.