Named Third Parties
Identify third-party recipients by name, not generic terms like "partners" or "service providers".
Design Guidelines
Name specific third-party companies that will receive user data, such as "Google Analytics," "Facebook Advertising," or "Stripe Payments," rather than using abstract categories.
Explain the relationship with each third party and clarify what data they receive and for what purpose.
Provide direct links to third parties' own privacy policies so users can investigate further if desired.
Distinguish clearly between necessary service providers that enable core functionality and optional partners used for advertising or analytics, allowing users to understand which third-party relationships are essential versus discretionary.
Do's and Don'ts
Don’t
Use vague terms: "We share data with trusted partners"
Group all recipients under generic categories like "service providers"
Hide third-party relationships or make them difficult to find
Omit information about what data each third party receives
Do
Name companies explicitly: "Google Analytics, Stripe, Mailchimp"
List each third party with purpose: "Stripe (payment processing)"
Provide dedicated section showing all third parties with data access
Specify data scope: "Google Analytics (anonymized usage data only)"
Research Foundation
Users expressed deep distrust of third-party data sharing, with participants declaring:
"As for third party sharing it's a big NO!" (P04)
"I don't know the third parties so I'm not comfortable. At least not yet". (P06)
Vague language like "trusted partners" or "service providers" heightened suspicion rather than building confidence. Research on privacy calculus shows that users evaluate disclosure decisions based on known risks and benefits, so without knowing specific recipients, they cannot perform this calculation (Dinev & Hart, 2006).