Stakeholders Discuss Progress, Obstacles in Developing Mobile Privacy Standards at NTIA
Stakeholders met Wednesday to discuss developing a voluntary code of conduct on mobile privacy practices at a meeting convened by NTIA on “mobile application transparency.” They presented a discussion draft of the code (http://xrl.us/bnyh4e), which includes requirements for privacy policies, data retention and deletion policies and information on the process to get data deleted. App developers who don’t collect user data “shouldn’t be stuck with a whole set of rules that will send them fleeing the market,” said Future of Privacy Forum Director Jules Polonetsky, but some apps collect massive amounts of data, and they should be subject to those rules.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Attendees stressed the need for this code to be understandable. “I don’t know that people sitting in their garage are going to know what they need to be doing” if the code is written in technical and legal language, said technology and privacy lawyer Jim Halpert of DLA Piper.
There is a “general, high level consensus” around the potential for short-form notices, said Polonetsky. While there is agreement that “a big chunk of this agreement could hang on doing short notices right,” he said, stakeholders will have to figure out the content and placement requirements of the notices. Notices need to be “available enough that consumers can do some kind of comparison shopping,” he said. Short-form notices wouldn’t replace traditional, comprehensive privacy policies, Polonetsky said, and there would still be a need for education and, occasionally, express consent. “There’s going to need to be education ... to broaden the understanding,” he said. Participants will have to figure out what kinds of consumer testing the prototypes should be subject to, he said: “We need consumer voices feeling that this is a credible process.”
Morgan Reed, executive director of the Association for Competitive Technology (ACT), offered his group’s recently designed privacy information icon system as an example. Reed asked participants to focus not on the design of ACT’s labeling system, but on the creation and testing process that ACT used. “It’s about making sure there is that sound, methodological” process, he said.
Stakeholders should be careful that short-form notices aren’t too simple or too broad that apps are forced to claim that they collect more data than they do to avoid potential deceptive practice investigations, said TechFreedom President Berin Szoka. “The FTC has taken an exceedingly demanding” approach to investigating unfair and deceptive practices, he said, and companies could find themselves in trouble if they describe their data practices in broad and simple terms in short-form notices that are inaccurate.
Developing a code of conduct for privacy shouldn’t be a multiyear process, said Venable Internet and privacy lawyer Stuart Ingis, who represents the Interactive Advertising Bureau and Digital Advertising Alliance. He repeatedly expressed frustration that more concrete progress had not been accomplished since the process began four months ago (CD July 13 p1). “I don’t hear anything expedient about this testing process,” he said, and businesses that will have to work with these voluntary regulations aren’t happy about that. Stakeholders shouldn’t rush the process, which could result in fast but inadequate results, said Susan Grant, director of consumer protection at the Consumer Federation of America: “We should do the work, and it will take as long as it takes.”
Before adjourning, stakeholders agreed on actions to be completed before the Nov. 30 stakeholder discussions. That includes a subcommittee meeting to combine the two code drafts -- the one presented at Wednesday’s discussion and another from the Center for Democracy and Technology and the Future of Privacy Forum (http://xrl.us/bnyiff) -- based on received comments and preparing presentations of three label prototypes.