The US government’s National Telecommunications and Information Administration today issued its first draft of what will be a mobile apps code of conduct intended to better protect consumers and their privacy. If made final, the policy states that publishers must provide consumers with “short-form” notices in multiple languages informing them of how their data is being used.
After soliciting feedback from privacy, civil liberties, and consumer advocates, along with app developers and publishers and mobile ecosystem representatives, the NTIA sought to help make mobile apps more transparent to their end users. The idea was spurred on by President Obama’s push to enact an online privacy “bill of rights” (which is somewhat ironic given the NSA’s recently revealed surveillance program).
As listed in the draft code of conduct, the NTIA states that “where practicable, app developers are encouraged to provide consumers with access to the short notice prior to download or purchase of the app.” It stresses that this process is entirely voluntary, but those app developers that comply must list in their short notice four things:
(a) the collection of types of data listed in Section II.A, whether or not consumers know that it is being collected;
(c) the sharing of user-specific data, if any, with third-parties listed in Section II.B as defined below; and
(d) the identity of the entity providing the app.
Just so that there’s no doubt about what “data” means, the government entity specifically says it includes biometrics, browser history, phone or text log, contacts, financial info, health, medical, or therapy info, location, and user files.
However, there is an exception to the short-form notice. If the data is actively submitted by the user through an open field voluntarily, then it appears to be fair game. Also, if an app “as one of its functions” has in-app purchasing and does not otherwise passively collect financial information without advance consumer notice, then the app creator is in the clear — but only if the consumer’s purchase doesn’t constitute a material change from the app’s original short-form notice.
The NTIA goes a bit deeper into exceptions to the rule, saying that short-form notices aren’t needed when collecting or sharing unidentifiable data as long as “reasonable steps” are taken to disassociate it from the owners. What is a “reasonable step”?
- Reasonable measures have been taken to de-identify the data.
- Publishers must not attempt to reassociate the data.
- Publishers are contractually prohibited from having third-party contractors or vendors make the association.
US Assistant Secretary of Commerce for Communications and Information and NTIA Administrator Lawrence Strickling issued a statement after the draft was released, heaping praise on the agency’s success:
NTIA is pleased that today a diverse group of stakeholders reached a seminal milestone in the efforts to enhance consumer privacy on mobile devices. We encourage all the companies that participated in the discussion to move forward to test the code with their consumers.
The American Civil Liberties Union (ACLU) has come out in support of the policy calling it a “modest but important step forward” for consumer privacy. However, it wasn’t all praise, as the organization’s legislative counsel Christopher Calabrese said, “The fact that it took a year to come to agreement on just this single measure, however, makes it clear that we need comprehensive privacy legislation in order to gain meaningful privacy protections for consumers. After all, we should be able to enjoy cool new technologies without giving up our privacy.”
The NTIA has not specified what its next steps are, but it probably wouldn’t be far-fetched to believe it will track developer feedback and consumer reaction for an undetermined period of time. Hopefully it won’t take another year for this to move to the next phase.