International Trade Today is a service of Warren Communications News.
No ‘Absence of Progress’

NTIA Stakeholders Debate Language of, Ability to Implement Voluntary Code

Mobile privacy stakeholders debated language of a voluntary code of conduct for app developers at a Thursday meeting facilitated by the NTIA. The draft -- written by representatives from the Application Developers Alliance, ACLU, Consumer Action and World Privacy Forum -- was the same version as the one discussed at the NTIA meeting last month. “The absence of another draft should not be seen by other people as the absence of progress,” said one of the draft’s authors, Tim Sparapani, vice president of law, policy and government relations for the Application Developers Alliance.

Stakeholders debated the 13 short-form definitions of third parties with which user data is shared, including “affiliated businesses” and “data brokers.” Those terms will be unclear to users, said Jim Halpert, technology lawyer with DLA Piper and general counsel to the Internet Commerce Coalition. Why would the list include affiliated third parties that don’t neatly fit into one of the other 12 categories, but not include those entities unaffiliated with the app, when the latter is the type of data sharing users are really concerned about, he asked: “It’s worth thinking through a much more streamlined version of this,” if the goal “is to have something that’s actually going to be adopted.” Halpert suggested that the short-form notice only inform users how much their data is shared -- will the app share with a third party, will that third party then share with a different third party -- rather than which types of third parties will get the data.

Listing some third parties but not all of them implies a value judgment, especially when it comes to entities such as “data brokers,” said Association for Competitive Technology Executive Director Morgan Reed. Those implied value judgments seem to tell consumers that sharing user data with certain entities is problematic, and “that’s what worries some of the people” in the industry, he said. Finding out who an app shares user data with “might be the breaking point for some people” to figure out whether or not to download the app, said Jeff Chester, Center for Digital Democracy executive director. “We need to inform them.”

A poll of stakeholders indicated that most want “affiliated businesses” removed from the list of third parties, though Chester said many consumer advocate groups either missed the meeting or had to leave before it concluded. Drafters agreed to create new language for the next draft. Michelle De Mooy, one of the code’s drafters and a senior associate at Consumer Action, asked stakeholders to tell the drafters which specific items should be taken out to make the list more implementable. “If there’s something extraneous here … that would be helpful” to know, she said.

Apps which adopt the code would have to use, verbatim, the language in the code to describe the types of user data being collected by the app, the drafters said. Allowing individual apps to rewrite the language as they see fit would keep apps from achieving one of the main goals of the code: uniformity for consumers, said Chris Calabrese, ACLU legislative counsel. “Isn’t the idea to create some certainty and some ability to compare these across apps?”

The drafters should shorten and simplify the language in the definitions to make the code implementable, Halpert said. “This sort of really long list -- consumers just click right past it.” Drafters should create and test alternative, more concise language to be effective, he said. De Mooy said she and the rest of the drafters want to keep the list as short and informative as possible. They want to test and figure out “how does the consumer interact with it, because it’s hard to say exactly how many [data elements] should be [included] unless we have something to plug it into,” she said.

Sparapani presented a revised data element definition that will appear in the upcoming revised draft. Health/Medical/Therapy data will now be described as data “including health claims and information used to measure health or wellness,” he told stakeholders. “It’s really great to tighten the language here,” Halpert said about the new definition. The language can’t be tightened so much that app developers can’t effectively communicate to users what kind of data they collect, Reed said. “Don’t make me lie by accident.”

Stakeholders debated the role of blank forms within apps. Do apps have to inform users through the short-form notice that they collect the information users enter into blank forms, such as search fields, asked Carl Szabo, policy counsel at NetChoice. Apps can’t predict what classification of data users will input into what is “just a blank empty box,” he said. Text typed into a blank box “would not, to our understanding, be a part of this code,” said Sparapani. “We did not intend to capture the general search functionality in an app.” There are other cases that would depend on if the app is storing that information, said De Mooy. Ultimately, the group decided to defer the conversation until the next meeting.

Drafters committed to completing by close of business on Monday a new draft, which the NTIA will circulate to stakeholders. Stakeholders agreed to submit a first round of comments to the drafters by Feb. 18, which will give the drafters three days to incorporate the comments and circulate an updated draft before the next round of stakeholder discussions on Feb. 21. De Mooy asked that stakeholders suggest improvements to the draft, indicate whether the stakeholder or its members will adopt the code and identify the deal breakers, if any exist.