consumer-reports-innovation-lab / TheDigitalStandard

The Digital Standard is an ambitious, community-led effort to build a framework to test and rate products and services on the basis of privacy, security, and data practices.
Creative Commons Attribution 4.0 International

First-party (inter-db) data use #123

Open secretrobotron opened 5 years ago

secretrobotron commented 5 years ago

In our "Data Use" section, we say "The company clearly discloses what user information it shares.", but the rest of the section implies this is about third-party sharing. But, when large companies purchase one another and combine data sets, or when a company has multiple potential sources of personal data (e.g. Facebook & Instagram; Microsoft & LinkedIn; Yahoo! & Tumblr), should the rules or expectations of data use be disclosed?

For example, Facebook's Data Policy has a section titled, "How do the Facebook Companies work together?"

Facebook and Instagram share infrastructure, systems and technology with other Facebook Companies (which include WhatsApp and Oculus) to provide an innovative, relevant, consistent and safe experience across all Facebook Company Products you use. We also process information about you across the Facebook Companies for these purposes, as permitted by applicable law and in accordance with their terms and policies. For example, we process information from WhatsApp about accounts sending spam on its service so we can take appropriate action against those accounts on Facebook, Instagram or Messenger. We also work to understand how people use and interact with Facebook Company Products, such as understanding the number of unique users on different Facebook Company Products.

It's possible that the "Data Collection" section covers this, since it seeks to ask where companies get all of their data, but for very large/broad data policies, that is perhaps not enough detail to do a reasonable evaluation.

@j-br0 @KatieMcInnis @TatevSarg thoughts?

KatieMcInnis commented 5 years ago

So let's see, how would this look in the Standard itself? "The company clearly discloses the categories of information it shares or receives from affiliates, parent company, or subsidiaries and whether any anonymization techniques are used."