On July 27, 2016, the Italian Data Protection Authority launched investigation into privacy policy of Change.org, the world’s platform for change, in order to assess how this web site are collecting and processing data of its Italian end users, which promote or subscribe petitions for social and political reasons.

The investigation of the Authority aims at verifying if data of Italian subscribers are processed according to the Italian data protection regulatory frameworks, because those data may be used for profiling end users or transferred to third parties.

In this regard, the Authority required Change.org to provide each element - even technical - useful to assess the privacy measures taken.

Change.Org shall have to clarify how data are collected and the data subject’s consent is obtained, taking into account that the sensitive nature of the information collected and processed  may reveal political opinions, religious or sexual orientation of subscribers. In addition, Change.org shall have to indicate whether Italian end users are informed about the purposes and modalities of the processing for which the data are intended; specify which security measures are taken, including appropriate anonymization  of personal data; and describe where databases are located, stored and maintained .