Consumer Reports (CR) announced on March 6, 2017, that it is developing a new standard—The Digital Standard—for safeguarding consumers’ security and privacy. The eventual goal is for CR to use the Standard to evaluate and rate consumer products. By scoring products based on certain Standard criteria, CR aims to help consumers make informed purchasing decisions based on how products protect their privacy and security.
The Standard is currently divided into 35 general testing categories, each of which is (or will be) further divided into (i) test criteria, (ii) indicators of those criteria, and (iii) procedures for evaluating those criteria. For example, under the “Data control” testing category, CR first asks whether a consumer can “see and control everything the company knows about” him/her. Indicators of consumer data control include, among other things, whether users can control the collection of their information, delete their information, and control how their information is used to target advertising. In order to evaluate whether a product gives consumers control over their data, the evaluator would investigate and analyze “publicly available documentation to determine what the company clearly discloses.”
Some of the criteria are in line with guidelines from other sources. For example, both the Standard and the FTC’s Start with Security guide discuss having passwords that are unique and complex. On other issues, however, some companies may find that the Standard stretches beyond existing guidance or market practices. For example, the “Ownership” testing category appears to touch on issues related to the First Sale Doctrine: It has as a testing criterion whether a consumer “own[s] every part” of the product, and the indicator of that criterion is that “[t]he company does not retain any control or ownership over the operation, use, inputs, or outputs of the product after it has been purchased by the consumer.”
Consumer Reports developed the Standard in collaboration with a number of partners, primarily Disconnect, Ranking Digital Rights, and the Cyber Independent Testing Lab (CITL). It is currently a first draft, but CR and its collaborators welcome feedback and suggestions. To provide input, see the Contribute tab on the Standard’s website.