NTIA Mobile Privacy Stakeholders Applaud Code of Conduct Progress
Stakeholders in the mobile privacy debate expressed a willingness to sign on to the newest voluntary mobile privacy code of conduct before delving into differing opinions over recent changes to the draft’s language, during Thursday’s stakeholder meeting, facilitated by NTIA. It focused on the most recent version of the code drafted by the Application Developers Alliance, American Civil Liberties Union (ACLU), Consumer Federation of America (CFA) and the World Privacy Forum. Amanda Pedigo, representing Intuit, said she’s “pleased with the progress that we're making” and feels “as though the drafters have made a lot of concessions.”
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
"This commitment from a key stakeholder is a major milestone for NTIA’s privacy multistakeholder process; however, there is more work to be done,” said NTIA Administrator Lawrence Strickling, in a statement encouraging stakeholders to “move swiftly to finalize and adopt a code.” He said “genuine disagreements remain among stakeholders on a few issues, and NTIA anticipates that as compromises are reached, more stakeholders will commit to adopting the code."
The stakeholder support “is a sign that we're on the right path,” said Tim Sparapani, vice president-law, policy and government relations for the developers group and a drafter of the code. “I am cautiously optimistic that we can get this thing over the finish line,” he said, outlining the changes he and the drafters made to arrive at the most recent draft. The changes that the drafters viewed as concessions to other stakeholders include removing “Age of User” from the list of data elements collected and “affiliated businesses” from the list of third parties with whom user data are shared in short-form notices, Sparapani said. “Tough choices were made given the real estate” available on smartphone screens. Information about affiliated businesses that receive user data should be included in an app’s comprehensive privacy policy, he continued. Additionally, drafters “tried to shorten the preamble” in response to stakeholders’ comments, though some would like it shortened more, he said. “We tried to take out some of the language that people found incendiary."
Privacy advocates said they wanted “affiliated businesses” to be added back into the draft. “We think that’s a huge concession,” said Chris Calabrese, ACLU legislative counsel and a drafter. Susan Grant, consumer protection director at the CFA, said her group would have to reconsider supporting the draft if “affiliated businesses” were not included. “This code is going to be promoted as improving transparency, but unless that change is made, it will do so only marginally, and consumers will be given only partial information,” she said.
Eliminating “affiliated businesses” gives big, vertically integrated companies an advantage over small companies that have to outsource advertisers, said Morgan Reed, executive director of the Association for Competitive Technology. Without that type of third party included, small companies will have to disclose to users that they share user data with ad networks, analytics firms and others, while big companies that complete those functions in-house will not have to disclose that information about data sharing to users, he said. This could be confusing to users attempting to compare data collection and sharing practices across apps and would be unfair to app developers, he said. “The audience of this document is not consumers. The audience of this document is developers who will have to adopt it.” That could create a “fundamentally unfair comparison,” Calabrese said, saying he hadn’t considered “affiliated businesses” in that context before.
Stakeholders debated whether the code should require apps to translate the short-form notices into other languages. The newest draft says short form notices “should include multiple languages, if possible.” The drafters wrote that “we believe it is necessary to provide notice in multiple languages, and anticipate that some developers will pursue this option.” The “if possible” language is “so open ended that it really doesn’t work very well in a code,” said Jim Halpert, lawyer with DLA Piper and general counsel to the Internet Commerce Coalition. “Our concern was very much on the operational” front, Reed said. “There are technical questions on rolling this out,” including when an app should provide the short-form notice in a different language and what dictionary an app should use to translate the notice to preserve the exact wording in the code, he said.
"App publisher” should be taken out of the third-party list, said Stu Ingis, Venable lawyer and general counsel to the Interactive Advertising Bureau, pointing to a redline draft that he'd submitted to the NTIA (http://1.usa.gov/YFcHOh). Instead, the short-form notice should include information about who’s providing the app, if that’s really the intention of the drafters, he continued. Ingis’ suggestion “to disclose who’s really running the show may be better and may take some of the pressure off the developer,” Halpert said, and “would be a major contribution to transparency.” Pam Dixon, executive director of the World Privacy Forum and a drafter, said she was “quite intrigued” by Ingis’ proposal. “I think it has a lot of merit,” she said, asking to see specific language that could potentially be worked into the code.