JohnAtKiva
« on: September 14, 2010, 02:27:39 PM »
I suggest that Kiva's privacy policy could use that kind of systematic approach evident in the privacy policies of the big players ...
Hey Peter - you posted this a while ago, but I wanted to respond to let you know that we're in the midst of working on a Privacy Policy revamp along these lines! It's a lot of work, but it feels like the time is right. In the meantime, we'll be making occasional changes to beef up individual sections of the Privacy Policy, especially as new features are added (there will be some new features added later today).
I've manually redlined the old privacy policy against the new privacy policy (I left the numbers the same as in the new policy, just b/c I was doing it manually). The new text is colored green, and the removed text has been marked with a strikethrough. I did this all manually, so let me know if I missed some redlines!
The immediate impetus for the privacy updates is a few things:
- We wanted to add some more specificity around what information is collected.
- We're adding support for single-signon from partners like Facebook (our largest source of Kiva lenders, other than Google), so want to make sure the privacy policy addresses that.
- We are looking into offering physical gift cards that can be ordered and mailed out, so put in a reference to physical addresses.
- We may try sending two newsletters next month, so wanted to clarify that that might be a possibility.
- We use Google Analytics for analytics, so want to make sure that there was some explicit mention of cookies.
- There was no mention of KivaFriends, so I asked that that be added. :-)
Here are the redlined updates:
Privacy Policy (Last Updated June 8 September 14, 2009 2010)
1. Kiva will not rent or sell your personal information to third parties.
2. When you create an account on Kiva, we collect basic information about you through the registration process - your name, email address, and a means to authenticate your account (for example, a password). You may also provide additional information through the account creation process, such as the email address of the person who referred you to Kiva. You may also provide other information (for example, a picture of yourself, a picture of your lending team, your occupation, your physical address, your city/state/country of residence, the reasons why you choose to lend on Kiva) through the creation of a public profile page, creating/joining a lending team page on the Website, making a loan transaction on Kiva, updating your account information, or by registering with Kiva through a third-party single sign on registration tool. Public profile pages will also show the following information: the date on which you joined Kiva, the loans you have made, the lending teams you have joined, and the individuals who have accepted your invitations to create an account on Kiva. Kiva will also track information on your microloan transactions (for example, amount of the loan, recipient of the loan) and make that information available to you on your private Kiva account page. If you have a public lender profile page, such lending information may furthermore be shared in public areas of the Kiva website. Kiva will also collect information on any donations you make to Kiva via the website and communicate with you (for example, to provide donation confirmations) via the email address and/or the physical address that you provide.
3. As you use additional features of the Website, we may collect the additional information you enter. If you purchase a Kiva gift certificate, we collect information about your purchase (for example, your name as purchaser, amount you spent, number of gift certificates purchased) and information about your recipient that you provide (for example, recipient name, email address, physical address) in order to deliver the gift certificate, contact the purchaser and/or the recipient with respect to the purchased items, and note the recipient's relation to the purchaser. If you use interactive features on Kiva to write a comment - for example, on a Kiva Fellows journal - Kiva will collect your name, email address, any url address you enter, and your comment - and publicly display the information (except for your email address). If you use interactive features on Kiva to indicate that you "like" a particular feature or listing on Kiva, that information will be collected and will be noted on the Kiva website that you have "liked" that feature or listing and that information may furthermore be shared on applicable third party social networking sites to which you may have authorized such information sharing. If you contact Kiva Customer Service, we will collect the information you provide (for example, your name, email address, physical address, phone number, question/comment) in order to contact you and address your question or comment. If you submit an application to Kiva, such as via the Website's Kiva volunteer portal, we collect the information you submit (for example, name, phone number, resume, cover letter, position of interest) to assess the application and follow up with you on such submission.
4. By establishing an account on Kiva, you agree to receive emails or other written communication, such as physical mail, based on your account status or activity (for example, confirmations of loans you have made, confirmation receipts for donations you have made, notifications of loan repayments you have received, statements or other information with respect to the amount of credit available in your Kiva account, confirmation of email address or password changes, or customer service inquiries regarding the status of or activity in your account).
5. By default, you will receive update emails on your loans that are sent by our field partners through the Website. Kiva will not disclose your email address to our field partners in any case -- these emails are sent through a webform without any third party learning your address. You can choose not to receive these emails through a preference on the Website.
6. By default, you may receive periodic newsletter emails from Kiva. The frequency of these newsletters may vary but will be no greater than once per month. You can choose not to receive these newsletters through a preference on the Website.
7. Kiva will not disclose your personally identifiable lending activity to any third party without consent (please note: the creation of a public lender profile on Kiva is considered consent for such disclosure). Kiva reserves the right to record and display anonymous lending activity on the Website and display the general regions where our lenders are located.
8. Kiva's service providers, agents and representatives may be provided access to your personally identifiable information as part of, or incident to, their provision of services to Kiva (for example, processing of microloan transactions). All such access shall be under appropriate confidentiality agreements and limited to use to provide services to Kiva.
9. If you follow any links which remove you from the Website (including, but not limited to, the independently operated KivaStore.org, Kiva CafePress, KivaFriends.org, and PayPal), this Privacy Policy no longer applies - i.e., Kiva does not control the privacy policies or the privacy practices of any third parties and use of those third party sites are governed by those third party sites' respective terms of use and privacy policies. Please note that payment processing for (i) additions of funds into a Kiva account or (ii) withdrawal of funds from a Kiva account is provided by the third-party payment processing provider, PayPal.
10. Similar to many websites, if a Website user has enabled cookies in their browser, Kiva, independently and through enabled third party tools and programs, collects certain technical information utilizing a cookie file, such as the path of users to the Website, pages visited, originating IP address, browser type, browser language, and the date and time of the user's visit. This information helps Kiva track trends and improve areas of our Website based on visits, and are common analytics used by most websites.
11. This Website is intended to be used by adults. It is not intended for children, and Kiva does not want to collect any personal information for users who are under the age of 13. Kiva recommends that parents do not post, or permit others to post, any personally identifiable information with respect to persons under the age of 13.
12. Kiva may update or modify this Privacy Policy from time to time. If any changes are made, Kiva will reflect the date on which any such changes are made and posted by updating the "last updated" date at the top of the page. Please be sure to check this page periodically for changes. This Privacy Policy was last changed and posted on our Website on June 8, 2009 September 14, 2010.
13. We take privacy seriously and we value yours.
-----------
Overall, I hope that the increased specificity here is a step in the right direction. We will continue to work on the broader Privacy Policy revamps I mentioned above. Please let me know if you have any questions!
Thanks, John
« Last Edit: September 14, 2010, 02:43:40 PM by JohnAtKiva »

YowieFreak
« Reply #1 on: September 14, 2010, 02:50:08 PM »
10. Similar to many websites, if a Website user has enabled cookies in their browser, Kiva, independently and through enabled third party tools and programs, collects certain technical information utilizing a cookie file, such as the path of users to the Website, pages visited, originating IP address, browser type, browser language, and the date and time of the user's visit. This information helps Kiva track trends and improve areas of our Website based on visits, and are common analytics used by most websites.
That statement probably also needs to state that you have authorised the 3rd-parties (such as google) to use details they obtain about us from you to serve up user-specific ads on sites other than Kiva. Edit: And, possibly, use the info for any other purpose they might like. Or do you actually restrict them to only using it for serving ads?
« Last Edit: September 14, 2010, 02:51:18 PM by YowieFreak »

waywardcats
Kiva Supporter
SF Bay Area
Posts: 1950
Xania, Crete
« Reply #2 on: September 14, 2010, 03:49:11 PM »
The paypal situation with autofilling anonymous lenders address fields has been taken care of. Kiva will continue to collect the address data for the ability to contact the payee in case of transaction errors, which have happened. As kiva accounts can be families, businesses or other entities this allows them to contact the payee if the need arises. As money is going toward lending and not just as a donation, when there is a problem, being able to access this information from paypal makes correcting it much easier.
Thanks John, I do not see anything in this update about the collection of physical addresses from Paypal. Is that still happening? If so, where is that mentioned in this new privacy policy? Thanks, -Kerry-
"Our daughters can contribute just as much to society as our sons, and our common prosperity will be advanced by allowing all humanity - men and women - to reach their full potential. I do not believe that women must make the same choices as men in order to be equal, and I respect those women who choose to live their lives in traditional roles. But it should be their choice. That is why the United States will partner with any Muslim-majority country to support expanded literacy for girls, and to help young women pursue employment through micro-financing that helps people live their dreams." - President Barack Obama, June 4, 2009

iampaul
« Reply #3 on: September 14, 2010, 06:54:03 PM »
1. Kiva will not rent or sell your personal information to third parties.
Playing devil's advocate here for a second, that appears to leave open the transfer of personal information for non-monetary compensation or even for free. At a quick glance, the rest looks reasonable. I'll look more closely when I have more time - pretty scarce at the moment. Paul

JohnAtKiva
« Reply #4 on: September 14, 2010, 10:10:47 PM »
Responses below!
That statement probably also needs to state that you have authorised the 3rd-parties (such as google) to use details they obtain about us from you to serve up user-specific ads on sites other than Kiva.
Edit: And, possibly, use the info for any other purpose they might like. Or do you actually restrict them to only using it for serving ads?
I just looked up how Google Analytics works, and it looks like they've built in a series of safeguards here:
Additionally, Google Analytics uses only first-party cookies. This means that all cookies set by Google Analytics for your domain send data only to the servers for your domain. This effectively makes Google Analytics cookies the personal property of your website domain, and the data cannot be altered or retrieved by any service on another domain.
http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html#HowGAUsesCookies
I do not see anything in this update about the collection of physical addresses from Paypal. Is that still happening? If so, where is that mentioned in this new privacy policy?
I've seen some reference to this in older KivaFriends threads along with some reports that it's been fixed. I'll look into this.
"1. Kiva will not rent or sell your personal information to third parties."
Playing devil's advocate here for a second, that appears to leave open the transfer of personal information for non-monetary compensation or even for free.
Ah interesting catch! I'll flag that issue for our attorneys as we dig into the privacy policy revamp.
Also, here's some more detail on the Facebook connect signon: http://www.kiva.org/blog/2010/09/14/kiva-launches-facebook-connect.html

Jan & John
« Reply #5 on: September 15, 2010, 10:44:17 AM »
If I choose to use Facebook Connect, what personal data from my Facebook account is shared with Kiva?
If you connect your Kiva account to Facebook, Kiva will pull your current city listed on Facebook, your profile picture, and your first name into your Kiva account.
any idea if this profile picture will over-ride the one already in our lender account here at Kiva?
I use Jan and John here but on Facebook I have right now the Kiva piggybank...
thanks -jan-
"The place God calls you to is the place where your deepest gladness and the world's deepest hunger meet" - Fredrick Buechner (in Wishful Thinking). "Every child should be well born, well fed, well taught, well housed and well treated." Maude Riley, Alberta Council on Child and Family Welfare 1923 "Each of us feels that we are just a drop in the ocean, but the ocean would be less without that missing drop." --Mother Teresa 1 click per person per day on this link means 1 additional cent for the Fistula Foundation - thanks!

Ali
« Reply #6 on: September 15, 2010, 11:09:34 AM »
any idea if this profile picture will over-ride the one already in our lender account here at Kiva?
I use Jan and John here but on Facebook I have right now the Kiva piggybank...
thanks -jan-
Hi Jan! If you connect your two accounts, the picture on your Kiva account should remain the same as it was before. Facebook pictures will only be pulled into Kiva if a new Kiva lender registers for Kiva through Facebook Connect.

AccountAbility
« Reply #7 on: September 15, 2010, 11:35:04 AM »
Ah interesting catch! I'll flag that issue for our attorneys as we dig into the privacy policy revamp.
The interplay between Kiva's Privacy Policy and its Terms of Use is getting more convoluted. If they are to remain as two separate documents, the attorneys need to carefully cross-check the provisions which overlap. My own preference is to somehow integrate them together, with clear section headings and an index or table of contents for finding appropriate provisions. Dan
We are loaners!

JohnAtKiva
« Reply #8 on: September 15, 2010, 11:52:34 AM »
The interplay between Kiva's Privacy Policy and its Terms of Use is getting more convoluted. If they are to remain as two separate documents, the attorneys need to carefully cross-check the provisions which overlap.
Thanks for the feedback Dan! Anything specific that I should call out when bringing this to the attention of our in house counsel?
My own preference is to somehow integrate them together, with clear section headings and an index or table of contents for finding appropriate provisions.
As the Privacy Policy gets longer, we will almost certainly add section headings and a table of contents. Are there large internet sites that combine the TOU and Privacy Policy? I've usually seen the two as separate documents, but am definitely open to alternatives. Please let me know. Thanks Dan! John

Peter S
« Reply #9 on: September 15, 2010, 12:31:11 PM »
. . . Are there large internet sites that combine the TOU and Privacy Policy? I've usually seen the two as separate documents, but am definitely open to alternatives. Please let me know.
My understanding (subject to the usual disclaimer about not being a lawyer...) is that there's a quite specific legal requirement for websites based in the USA to have on display a stand-alone Privacy Policy that specifically addresses how users' personal details are protected - what's collected, how it's collected, for what purposes it's used, under what circumstances it's shared with third parties, and what mechanisms are in place to secure the data from unauthorized distribution. That's why all the major players, and most of the lesser ones, have a Privacy Policy available on the website, all structured in pretty much the same logical way, to spell out the what, how, with whom, and why, in relation to users' personal data.
Because almost every online business wherever situated in the USA has users in California, the de facto applicable law (and obviously it applies to Kiva) is The California Online Privacy Protection Act of 2003. Which can be read here. (As mentioned in my post from 2008 which John kindly quoted when he started this thread...)
Anyway, to cut a long story short, the Terms of Use and Privacy Policy do alas have to be separate documents, because that's what the (California) law says, there has to be a Privacy Policy.
I do agree by the way with Dan, about there being an element of confusion of the two documents at present. There's material in the present incarnation of the Privacy Policy that probably would be more at home in the Terms of Use, but since Kiva's lawyers will be looking at both documents in tandem when they produce the new even more improved Privacy Policy that John mentioned was in the works, I'd suggest that it might make sense for that to wait until the lawyers get on it, as it probably does need a lawyer's touch to separate things out. (I see that Kiva plans to hire a second Counsel - between the two of them they should be able to figure it out)
The new version of the Privacy Policy strikes me as a major improvement on the old one, and a useful interim measure before the better one from the lawyers hits the site.
~ Peter
« Last Edit: September 15, 2010, 12:32:14 PM by Peter S »
verba volant, littera scripta manet

AccountAbility
« Reply #10 on: September 15, 2010, 01:52:30 PM »
Even as I expressed my preference, I realized that there are legal reasons for each--although I don't know that there is any prohibition against making one document having a part one and a part two. One part can clearly be labeled Privacy Policy and the second part can be labeled Terms of Use.
Alternatively, if they literally have to be stand alone documents, then it would really help to have at least some form of index for finding various aspects of importance.
Even now (and these documents are undoubtedly going to get longer) it takes a fair amount of time to go through the whole thing to see if they/it say(s) anything about (____??)
Dan
We are loaners!

YowieFreak
« Reply #11 on: September 15, 2010, 02:31:41 PM »
I just looked up how Google Analytics works, and it looks like they've built in a series of safeguards here:
Additionally, Google Analytics uses only first-party cookies. This means that all cookies set by Google Analytics for your domain send data only to the servers for your domain. This effectively makes Google Analytics cookies the personal property of your website domain, and the data cannot be altered or retrieved by any service on another domain.
http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html#HowGAUsesCookies
From the Functional Overview page:
Analytics also sets and reads first-party cookies on your visitors' browsers in order to obtain visitor session and any ad campaign information from the page request. When all this information is collected, it is sent to the Analytics servers in the form of a long list of parameters attached to a single-pixel GIF image request.
So the information might be collated on the user's computer using cookies which aren't accessible to anyone but Kiva (and obviously Google), but it is then sent to Google for them to do various things with it. One of them, as we have seen, is to serve up Kiva ads when we visit other sites after having been at Kiva. But what other usage do you permit Google to use that info for?

JohnAtKiva
« Reply #12 on: September 15, 2010, 03:04:28 PM »
So the information might be collated on the user's computer using cookies which aren't accessible to anyone but Kiva (and obviously Google), but it is then sent to Google for them to do various things with it. One of them, as we have seen, is to serve up Kiva ads when we visit other sites after having been at Kiva. But what other usage do you permit Google to use that info for?
We did some small ad buys earlier this year with Retargeter.com (not Google), which showed Kiva ads to people who had visited Kiva previously. But we are winding those down and just to clarify: the small amount of retargeting we did was achieved through a totally separate cookie than Google's. My understanding is that Google Analytics cookies are just for analytics. Google Analytics are used by 57% of the top 10k most popular websites (according to Alexa), so it's been vetted by a lot of top sites. I'll dig into this a bit more though!
Thanks, John

Ali
« Reply #13 on: December 27, 2011, 02:42:39 PM »
Hi everyone,
I hope you're all enjoying the holidays! Some of you may have noticed that we updated our privacy policy again, and the new version went live last week on 12/21.
Our main goals in revising the privacy policy were twofold: 1) To bring it more in line with industry standards, which as you know, will continue to be an ongoing process as regulations in the web space change so frequently; and 2) To make the policy more user friendly by including category headings, and providing more complete and detailed information around how we use our data.
Although overall the changes are relatively minor, I wanted to highlight a few examples on how we added details and went a step further in explaining how data is stored, used and/or accessed.
- We included more detailed information about third parties who might access your data with your permission (most specifically in section 5e).
- We added a section on disclosure of non-personally identifiable data (Section 11)
- We added more clarity around how we use your information (Section 13).
- We added a new section about how we keep your data secure (Section 16).
- We added a section about the location of your data (Section 17) to explain where your data is accessed and used.
- We added a section about how long we retain your personal information (Section 18)
If you have any questions about this, please let me know, and I will do my best to answer them for you.
Ali

Peter S
« Reply #14 on: March 03, 2012, 10:43:17 AM »
I see that Kiva yesterday published a major update to its Privacy Policy... http://www.kiva.org/legal/privacy - now including independent compliance verification by TRUSTe. P
verba volant, littera scripta manet

Amy-in-PHX
« Reply #15 on: March 03, 2012, 12:32:51 PM »
There is also an updated Terms of Use, dated March 2, 2012. The primary changes appear to be (1) Kiva is offering, or is about to offer, a Free Trial Loan to new users, and (2) Kiva put in a new paragraph about third-party applications developed using Kiva's API.
We can do no great things - only small things with great love. (Mother Teresa)

Ali
« Reply #16 on: March 08, 2012, 12:38:17 PM »
Peter and Amy,
We highlighted all of the additions to the privacy policy, so you should be able to pull out the changes easily (although the highlighting is really light and hardly shows up on my screen!). Most of the changes were made as recommended by TRUSTe to be more in line with industry standards.
Amy, you're right about the updates to the Terms to include information about Free Trial (which we just launched) and API standards.
If either of you has any specific questions about the changes, just let me know and I'll be happy to talk through it with you.
Ali