NTIA Mobile Privacy Stakeholders Consider FTC Concerns in New Code of Conduct Draft
Mobile privacy stakeholders drafting a voluntary code of conduct on how mobile apps use short-form notices to tell users about data collection and use are working to address potential FTC concerns, Pam Dixon, executive director of the World Privacy Forum and one of the draft’s authors, told us ahead of Tuesday’s stakeholder meeting. At the previous meeting of the process, being facilitated by NTIA, Chris Olsen, assistant director of the FTC’s Division of Privacy and Identity Protection, laid out potential concerns the agency might have with the draft code, including how the code requires apps to gain consent from users when making material retroactive changes and the extent to which the code deals with app platforms (CD April 5 p7).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Stakeholders have “had multiple meetings with the FTC” since the last meeting, Dixon said. “There’s definitely a clear and open dialogue” between the stakeholders and the agency, she said. “I'm encouraged by the progress we made.” Dixon said the newest draft for Tuesday’s meeting -- which was not distributed by our deadline -- “incorporates many of [the FTC’s] suggestions."
Stakeholders told us the newest draft does not address the agency’s concerns about app platforms, such as Apple’s App Store. App platforms are “out of the scope of the proceeding as given by the NTIA,” Dixon said. Olsen, who hadn’t seen the latest draft, told us his presentation at the previous meeting was not meant to indicate that the code must address platforms. Instead, the FTC -- which released a report on mobile privacy and app platforms earlier this year (CD Feb 4 p3) -- wants the stakeholders to be cognizant of the ways in which platforms provide disclosure mechanisms, he said. “We certainly hope that the group continued to work on implementing the changes we discussed."
Drafters have addressed the concerns about material retroactive changes that Olsen discussed at the last meeting, Dixon said. At the meeting in early April, Olsen said the FTC could be concerned with the way the code discussed what an app must do if it makes material retroactive changes regarding how it collects or shares a user’s information. Dixon said the drafters thought they had preemptively addressed these concerns, as the old draft required apps to inform users if they “materially change their data collection or data sharing practices.” The new language requires that apps “that materially change their data collection or data sharing practices in a way that results in expanded or unexpected collection or disclosure of data shall inform consumers and may be required to obtain consent under Section 5 of the FTC Act.” Drafters expanded and provided more information about the requirement, Dixon said. “It was not a problem to expand it."
The new code also incorporates Olsen’s suggestions about clarifying that following the code of conduct does not diminish an app’s responsibility to follow other privacy regulations, according to Dixon. “App developers should be aware that sector-specific laws and state-level regulations may apply to their notices,” Dixon said. She pointed to the California Online Privacy Protection Act, which requires that apps make available their long-form privacy notice. The law “may require the app developers to also post a long-form privacy policy,” which is not preempted by the code of conduct, Dixon said. Additional regulations that are not preempted by the code include the Children’s Online Privacy Protection Act rule, the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act.
The draft has also changed to reflect input from stakeholders, including concerns about apps that need access to device data to function and might be forced to misrepresent their practices under the previous meeting’s draft, Dixon said. At that meeting, stakeholders discussed apps that need access to a device’s phone functionality, such as an app that plays white noise and needs access to a device’s incoming-call function to determine when to shut off the white noise. Under the draft from the last meeting, an app would have to tell users it’s accessing their phone calls, which might unduly raise privacy concerns, Association for Competitive Technology Executive Director Morgan Reed told stakeholders. Dixon said the drafters are “adding some language to exclude those deeper application layers.” The language is likely to change, she said Monday. “We're going to take a first stab at it tomorrow, but it’s not going to be perfect.”