Principle 5

Respect and protect people’s privacy and personal data to build online trust

So people are in control of their lives online, empowered with clear and meaningful choices around their data and privacy

1. By giving people control over their privacy and data rights, with clear and meaningful choices to control processes involving their privacy and data, including:

  1. Providing clear explanations of processes affecting users’ data and privacy and their purpose.
  2. Providing control panels where users can manage their data and privacy options in a quick and easily accessible place for each user account.
  3. Providing personal data portability, through machine-readable and reusable formats, and interoperable standards — affecting personal data provided by the user, either directly or collected through observing the users’ interaction with the service or device.

2. By supporting corporate accountability and robust privacy and data protection by design,

– carrying out regular and pro-active data processing impact assessments that are made available to regulators which hold companies accountable for review and scrutiny, to understand how their products and services could better support users’ privacy and data rights, and:

  1. Minimizing data collection to what is adequate, relevant, and necessary in relation to the specified, explicit and legitimate purposes for which the data is processed, and limiting further processing of the data to what is compatible with those purposes.
  2. Supporting independent research on how user interfaces and design patterns — including processes for obtaining consent and other relevant user controls — influence privacy outcomes, and ensuring those follow good privacy practices.
  3. Enabling controls over how personal data is collected and used — including third-party and persistent tracking — that could be reviewed and adjusted at the user’s convenience, and making those easy to locate and use.
  4. Developing and adopting technologies that increase the privacy and security of users’ data and communications.

3. By making privacy and data rights equally available to everyone,

– giving users options to access online content and use online services that protect their privacy, and:

  1. Providing dedicated and readily available mechanisms for individuals to report adverse privacy and data protection impacts directly linked to the company’s operations, products or services — which the company should address and mitigate as required by law.
  2. Promoting innovative business models that strengthen data rights, respect privacy, and minimize data collection practices.
  3. Providing clear and understandable privacy policies and consent forms, where the types of personal data processed are listed, and the purposes of data collection and use are explained.
  4. Clearly and effectively communicating any updates and changes regarding privacy policies, as well as changes to products and services where the impact on individuals’ privacy rights is not in line with the privacy policies in place.