Do published policy and actual behaviour agree?
The report seems to focus on what the companies say they'll do. However, I don't think they looked for evidence that they do that in all cases. That may be nearly impossible to obtain, but the "inform user" gold star could very easily be made of fool's gold if the companies don't follow through with their commitment.
They also need to add a star explicitly for not holding data longer than needed. A lot of companies will fall foul of this, which just gives law enforcement even more data to pick through when they send their NSLs to sidestep all the pesky due process issues.
e.g. Apple isn't really clear on how long they keep iMessage data from what I can see.
While I can understand the lure of doing otherwise, I wish companies would segregate data into jurisdiction-specific silos, e.g. EU customer data retained in the EU, under the laws of the EU, and not shared with other countries unless necessary (e.g. sending an iMessage to someone outside the EU).