Newest NTIA Mobile Privacy Draft Includes Shortened Data Elements, Third-Party Lists
Mobile privacy stakeholders received a proposed updated code of conduct for short-form notices, which would require apps that agree to the voluntary code to disclose to users what information they collect and with which entities they share the information. The code was authored by representatives from the Application Developers Alliance, ACLU, Consumer Federation of America and World Privacy Forum, and is being discussed through a multistakeholder process facilitated by NTIA. The newest version includes shortened “Data Elements Collected” and “Data Shared” lists that must be included in short-form notices telling users if an app collects certain data or shares user data with certain third parties. NTIA Director-Privacy Initiatives John Verdi sent the discussion draft to stakeholders last week (http://xrl.us/bogyqj).
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The list of data elements no longer includes “Age of User,” which stakeholders voted to remove at a previous meeting (CD Jan 18 p12). The list of third parties no longer includes “Affiliated Businesses,” a term some stakeholders said would confuse users. Drafters also combined two third-party definitions to create “App publisher or Other Apps (The company that built, owns, or controls the app, or other apps that you may or may not have a relationship with).” The new draft includes “Information Broker” instead of “Data Broker,” which drew concern from some stakeholders at their last meeting (CD Feb 1 p9). Information brokers are defined as “companies that buy, sell, or share your personally identifiable information to other companies.” Additionally, drafters clarified that icons may not replace the required text in the short-form notices, though they “may be added to the standardized text listed,” according to the draft.
Stakeholders were asked to provide comments to NTIA by Monday, with feedback specifically encouraged from apps that are considering adopting the code. The next stakeholder meeting is scheduled for Feb. 21. In his email circulating the new draft, Verdi asks stakeholders to submit suggestions on how the draft should handle “blank boxes,” or fields where users can submit any text they choose, such as search fields.
The drafters “have made a serious good faith effort to narrow the range of data elements” that need to be in the short-form notice, said Jim Halpert, lawyer at DLA Piper and general counsel to the Internet Commerce Coalition. The shortened list of data elements leads to a “significantly refined draft” that will make users more likely to read the short-form notices, and “has moved the discussion forward,” he said. Additionally, shortening the list of third parties will help advance the discussions over the draft, he said. “Certainly taking out ‘Affiliated Businesses’ was an olive branch to the business community."
The draft “still needs a lot of work,” said Stu Ingis, a privacy lawyer with Venable and counsel to the Direct Marketing Association. The draft incorrectly focuses on which third parties get the data rather than how the data are used, Ingis said. Despite the fact that consumers worry about how their data are used, discussion of use is “absent from the draft, which I find surprising,” Ingis said. The same problem applies to the information-broker term in the list of third parties that get user data, he said. “The vast majority of companies are either receiving data from or providing data to other companies,” making it hard to define what a broker is, he said, a point he brought up at the last stakeholder meeting.
The short-form notices should tell the users what non-obvious data are being collected, Ingis said. Consumers know that when they provide certain information to apps, such as financial information, the apps are collecting that information, he said: It’s more important to tell consumers when apps are collecting data that consumers might not expect will be collected. In the past, the code’s drafters have said short-form notices should include all data elements that consumers might want to know about, even the obvious ones, because it is difficult for app developers to accurately predict which data elements users expect to be collected. Ingis said it’s also “premature” for the drafters to decide that icons cannot replace text in short-form notices: “A well-understood icon is a lot more powerful and easier to use” than a long list of text.
The draft’s preamble has “a bunch of unsubstantiated assertions that I don’t think are particularly useful in this context,” Ingis said. Although the stakeholder discussions have focused mostly on the text of the code itself rather than the text of the preamble, Ingis said the preamble is something he hopes to discuss with stakeholders in the near future.