Flash Guide #9: The 10 Attributes of Respectful Me2B Commitments

Written by Internet Safety Labs
September 1, 2021

Version 1.0 | September 1, 2021

#Me2BRelationship #Me2BDeals #RespectfulTech

IN A NUTSHELL
The Me2B Respectful Tech Specification measures technology behavior against 10 attributes that respectful Me2B Commitments should possess. These attributes represent how technology should treat us and our data at every step along the Me2B Relationship Lifecycle.

Flash Guide #8 described the types of Me2B Commitments that may occur throughout the digital Me2B Lifecycle. The Me2B Alliance has identified 10 high-level attributes that respectful Me2B Commitments should possess. Our Respectful Tech Specification measures technology behavior against these 10 attributes, while taking into consideration the specific context and stage for each commitment.

The 10 Attributes of Respectful Me2B Commitments

  1. Clear Data Processing Notice [1]
  2. Viable Permission
  3. Identification Minimization
  4. Data Collection Minimization
  5. Private by Default
  6. Reasonable Data Use & Sharing / Me2B Deal in Action
  7. Data Processing Behavior Complies with Data Subject’s Permissions and Preferences
  8. Data Processing Behavior Complies with Policies
  9. Reasonableness of Commitment Duration
  10. Commitment Termination or Change Behavior

Each of the 10 attributes is described in more detail below: 

  1. Clear Data Processing Notice:  Measures if the app or website provides adequate notice on how data is collected, used, shared, monetized, etc. by the Data Controller(s) and all Data Processors.
     
  2. Viable Permission: The Me2BA uses legal scholar Nancy Kim’s [2] three requirements for legally viable permission to enter into a commitment [3], and checks for the following:
    • Understandability: Can the Data Subject understand the Me2B Deal? 
    • Freely Given: Is the Data Subject coerced or manipulated in any way into providing permission for this commitment? 
    • Intentional Action: Does the Data Subject perform a distinct act to provide permission, and is it recorded?

    “Viable Permission” also evaluates the commitment’s permission flow to all Co-Data Controllers and Data Processors (which we refer to as “Transitive Permissions”).

  3. Identification Minimization: Measures if the identification constructed by the service is appropriate for the particular Me2B Commitment. Note that “appropriate” means that the identification level reflects the social norms described in Flash Guide #8.
     
  4. Data Collection Minimization: Tests whether the data collected is proportional to, and appropriate for, the particular Me2B Commitment. We measure across three types of data:
    1. Volunteered Data – entered by the Data Subject
    2. Observed Data – automatically collected by the website or app without the individual’s awareness, and  
    3. Derived Data – data that is derived by the Data Controller(s) or Data Processors.
       
  5. Private by Default: Measures whether the Data Subject must modify any website or app settings in order to have a private experience.
     
  6. Reasonableness of Data Use & Sharing Behavior: Measures if the observed data use and sharing behavior is appropriate for the particular Me2B Commitment.
     
  7. Data Processing Behavior Complies with Data Subject’s Permissions and Preferences:  Measures if the observed data processing behavior matches the Data Subject’s permissions and preferences.
     
  8. Data Processing Behavior Complies with Policies: Measures if the observed data processing behavior matches the promised behavior as stated in the privacy policy and terms of service or terms of use.
     
  9. Reasonableness of Commitment Duration: Measures if the duration of the commitment is appropriate for the particular Me2B Commitment and the industry sector.
     
  10. Commitment Termination Behavior: Tests three commitment termination behaviors:  
    • Usability:  If it’s easy for the Data Subject to change or end the commitment. 
    • Record:  If the commitment termination is recorded and provided to the Data Subject. 
    • Data Removal: If the Data Subject’s data is forgotten/deleted by all Data Controllers and Data Processors.  

As in the case of “Viable Permission” (attribute 2), this attribute assesses whether changes to “Commitment Termination”-related permissions or settings cascade down to all Co-Data Controllers and Data Processors.

  1. Note that the Me2B Alliance and our Respectful Tech Specification use GDPR terminology. In particular, note that “data processing” under GDPR Article 4, item (2) includes collection and all other behaviors relating to data: “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See Art. 4 GDPR – Definitions | General Data Protection Regulation (GDPR) (gdpr-info.eu).
  2. https://www.ali.org/members/member/344957/
  3. “Consent has a variety of meanings in the law, but it is typically a conclusion based upon the presence or absence of three conditions: an intentional manifestation of consent, knowledge, and volition/voluntariness.” Kim, Nancy S. “Consentability: Consent and its Limits” (p. 9). Cambridge University Press. 2019

© Me2B Alliance 2021