International Trade Today is a service of Warren Communications News.
FTC Has Concerns

NTIA Mobile Privacy Stakeholders Discuss Updates to Short-Form Notice Code

Mobile privacy stakeholders met Thursday to talk about the newest discussion draft of a voluntary code of conduct that would require apps to provide short-form notices to users about what data they collect from users and which third parties the apps share that data with (http://1.usa.gov/14HsqCG). Chris Olsen, assistant director of the FTC’s Division of Privacy and Identity Protection, highlighted concerns the agency has about the code. The code may not adequately address the issues of just-in-time notices, how data collection does or doesn’t comport with consumer expectations, and material retroactive changes, Olsen said at the meeting’s end. The meeting -- the twelfth facilitated by NTIA in a process that started last summer -- focused on changes to the draft, including language that addresses open text fields, and outstanding issues.


The code doesn’t seem to address situations where ad networks and other third parties provide coding to app developers and directly collect information from users, said Olsen. “We would like to see elements of the code cover that situation.” Olsen said “it would be useful” for drafters to add language such as “nothing in the code is intended to supplant, replace, undercut, overrule ... existing obligations” to clarify that the code doesn’t preclude apps from being subject to other mobile privacy regulations, including the Children’s Online Privacy Protection Act. Olsen also highlighted the data elements that the FTC would like to see in the short-form notices, including email addresses, phone numbers, Social Security numbers and device identifiers. “Our expectation has been that the group would eventually come to [the FTC] and ask for a blessing for the code as it’s been developed,” he said. “The timing may not be what everyone in this room might have preferred, but I think providing feedback is better than not providing it.”

Stakeholders debated whether short-form notices should list only the listed data elements an app collects, or the data elements the app collects as well as the ones it doesn’t. Application Developers Alliance Vice President-Law, Policy and Government Affairs Tim Sparapani, one of the code’s drafters, called the issue “the quintessential question that is outstanding.” Internet Commerce Coalition General Counsel Jim Halpert and NetChoice Policy Counsel Carl Szabo advocated for user testing of the two approaches. Michelle De Mooy, senior associate-national priorities at Consumer Action and one of the code’s drafters, said she doesn’t trust user testing to choose between the two approaches. “It’s one of those things that would be better worked out in this document, in my opinion,” she said. Sparapani asked that the issue be tabled to the next meeting. “We could spend the bulk of today’s time remaining on this subject alone and not reach a conclusion,” he said. At the last meeting, NTIA stakeholders began the discussion on whether apps should list all data elements or only those collected (CD March 15 p15).

New language that discusses “device-specific data” without delving into how that data are used could create a burden for app developers, Halpert said: “Some of this sharing just happens automatically,” outside the control of the app developers, “because that’s the way the Internet functions.” Association for Competitive Technology Executive Director Morgan Reed pointed to a scenario where an app platform collects device identifiers to determine how up-to-date certain apps are. App developers can’t be responsible for notifying users about data collection practices that are outside of the developers’ control, he said.

De Mooy said consumers should know when the device identifier is “tied to a profile” about an individual user. Susan Grant, director-consumer protection at the Consumer Federation of America, agreed, saying consumer groups want to include device identifiers in the list of data elements in the code of conduct. Drafters were “not intending to reopen the [unique device ID] or any similar unique device identifier,” Sparapani said. The stakeholder group agreed during previous meetings to assume “that it was understood that a UDID ... is necessary for the functioning of the app,” he said.

Drafters addressed the question of fillable text boxes by adding to the draft the language, “Apps shall not be required to disclose incidental collection of the above data elements if the data element is actively submitted by a user through an open field and the user is in no way encouraged to submit the data element.” Adding that language “was an attempt to codify a series of discussions over the past six months” centered on open text fields, including search functionalities, said Sparapani. “We did not intend to make search functionality or open text fields part of the disclosures that were” required to be made under the code of conduct, he said. Szabo, who said he “really appreciate[s] finally addressing the fillable field question,” asked if the language was malleable. He suggested removing the words “incidental” and “no way” from the draft. Dixon said the drafters could be flexible with the language. “This is a challenging little graph, and it could probably be refined,” she said.

The newest draft addressed the de-identification of data by saying developers that “acquire data that they promptly de-identify and use only in a manner that is not reasonably linkable to a consumer, computer or device” don’t need to tell consumers that the apps collect those de-identified data elements. The added language “came almost verbatim from the FTC language,” said Pam Dixon, executive director of the World Privacy Forum and a drafter of the code. “We decided that the FTC had done a great deal of work on this, so we chose to use their definition.” Drafters also added language to make clear to developers that the code of conduct “is a floor, this is not a ceiling” regarding what apps should tell users, Dixon said. “If someone wants to go further and do more, by all means.”