NTIA Stakeholders Debate Status, Wording of Mobile Privacy Code of Conduct Draft

It might be best to develop two documents: One for consumers and one for developers, stakeholders agreed. “We have to be very aware that we're serving two masters,” Calabrese said. Industry members questioned whether the document’s introduction on guiding principles needed to be included as a part of the code of conduct. While the introduction can be pared down, according to Consumer Federation of America Director of Consumer Protection Susan Grant, “it’s really important that there be something that explains why, in fact, [app developers] are being asked to do these various things."

Some companies worry about the obligations that come with a short-form notice requirement, Cerasale said. “Our members are not uniformly behind even the idea of a short notice,” he said, because of concerns that statements made in the simplified notices may conflict with obligations to other law enforcement agencies, including the California Attorney General’s office. The Internet Commerce Coalition supports the concept of short-form notices but sees “very legitimate concerns that a company could be sued,” said ICC General Counsel Jim Halpert. No entity, government or otherwise, “should be able to use this code to sue a company” for not disclosing enough in a short-form notice, Halpert said. Through the NTIA, stakeholders may be able to work with the FTC and other government entities to ensure that companies are protected, not endangered, by agreeing to the voluntary code of conduct, he suggested.

Stakeholders debated how the code of conduct should deal with third-party information sharing. The draft’s list of third parties included “Data Brokers” and “Other Developers and Networks,” both of which stakeholders took issue with. “I don’t think consumers understand what data brokers are,” said Policy Counsel Carl Szabo of NetChoice, which promotes e-commerce and has members including AOL, eBay and Facebook, News Corp. and Yahoo (http://xrl.us/bn6wwd). Other stakeholders, including advertising and app industry representatives, agreed, saying “data broker” is not a well-enough defined term and suggesting, but not agreeing on, alternative wording. Regardless of problems with the wording, companies that collect user data to build and sell user profiles have “to be here, because it’s such a huge part of data sharing,” Calabrese said.

Stakeholders agreed to come back to a discussion on how the code of conduct should treat “sensitive information,” including financial, health and medical data. “We have a bunch of different laws that now deal with this financial and health information,” said Morgan Reed, executive director of the Association for Competitive Technology. “If there’s existing law on the record, then we just need to make sure” that the code of conduct complies with those laws, he said. Pam Dixon, executive director of the World Privacy Forum and co-author of the App Developer’s Alliance code of conduct draft, disagreed. “We're in a post-[Health Insurance Portability and Accountability Act] world,” she said, and the code of conduct would cover information that is “much broader than HIPAA.” Dixon also argued against the idea presented by some industry representatives that financial, health and medical data could be grouped into one category of “sensitive data.&rdquo

After presenting on privacy mobile app icons (http://bit.ly/Su2KBl), Reed said he would lead a testing initiative. “The consumer groups do not support icons at this time,” Dixon said. “Those differences need to be aired and discussed.” The discussion that had been scheduled for Monday’s meeting over the role of academics was moved to the January meeting.