FTC Won’t Commit to Safe Harbor for Apps that Sign Privacy Code
The FTC won’t commit to giving a safe harbor to mobile-device apps that sign a privacy code of conduct, agency officials said Tuesday. Staffers attended the meeting of NTIA mobile privacy stakeholders to repeat their concerns (CD April 30 p6) about the short-form notice code of conduct being drafted (http://1.usa.gov/18aWeIh) and to clarify that the FTC won’t grant safe-harbor status to apps that sign on to the code. During the meeting, stakeholders debated changes made to the code in response to stakeholder input and FTC concerns raised at the last meeting.
Though the FTC “is extremely supportive of this process” and will “look favorably” on a “strong” code, the agency is not committing to providing safe harbor to apps that sign the code, Maneesha Mithal, associate director of the FTC’s Division of Privacy and Identity Protection, told stakeholders. If the group produces a strong code, FTC staff will “recommend statements at the commission level talking about how this is a great code,” she said: “We are interested in seeing this code move towards finalization.”
Companies may need more of an incentive to take on the obligations that come with signing on to the code, said Jim Halpert, general counsel to the Internet Commerce Coalition. “I’m concerned that there isn’t enough incentive to get the business community” to make the “compromises embodied in this draft ... because they are very significant changes,” he told Mithal. “It would be helpful if you offered more than an informal statement about feeling good about the document.”
Just-in-time notice is “a very important issue to the commission,” Mithal said. In its Mobile Privacy Disclosures report, the FTC encouraged creators of apps and app platforms to give users notice that data will be collected “at the point in time when it matters to consumers.” Pam Dixon, executive director of the World Privacy Forum and one of the code’s drafters, said just-in-time notice is tied to the app platform, which is outside the scope of the stakeholder process as defined by the NTIA. “I think we have to get away from those kinds of specifications that are very technology specific,” she said.
Mithal also cited FTC staff concerns about how the code treats long-form privacy policies. The short-form notices should be required to provide users with a link to the app’s long-form privacy policy, she said. Long-form policies “serve an important accountability function,” even if they’re not frequently read by consumers, she continued. In the past, the FTC has taken actions against Internet companies that violate their own privacy policies under the authority given to the agency under Section 5 of the FTC Act. By requiring app developers to think through their long-form privacy policies, the policies encourage a sense of privacy by design, she said.
The stakeholders debated to what extent the code should encourage or require apps to have a long-form privacy policy. “Long form should be required,” said Joseph Hall, senior staff technologist at the Center for Democracy and Technology. Dona Fraser, vice president-online privacy at the Entertainment Software Rating Board, agreed. “If we’re going to have provisions in the short form that would send somebody to read another document,” then the stakeholders are necessarily requiring a long-form privacy policy, she said.
Practically, the code requires long-form privacy policies, said Michelle De Mooy, one of the code’s drafters and Consumer Action senior associate-national priorities. “It actually does require it, it just doesn’t use the word ‘require.’” The discussion “is a moot point,” NetChoice Policy Counsel Carl Szabo said. The California Online Privacy Protection Act requires apps that have California-based users to provide a long-form privacy policy. This voluntary code “doesn’t supersede California state law,” he said.
Apps must notify users when they collect the data elements listed in the code using the code’s words to describe those data categories, De Mooy said. However, apps can select words other than those listed in the code to further specify what information is actually being collected, she continued. For instance, the code requires that apps notify users if they collect “Biometrics” and must explain to users that “Biometrics” includes “information about your body, including fingerprints, facial recognition, signatures and/or voice print.” If an app only collects a user’s fingerprints, it need not list the other biometric data elements, the drafters said. “Either you use the parenthetical text” listed in the draft, “or you can make it more specific. Those are the two options,” De Mooy said. This reduces the amount of information users have to read through in the short-form notices, Halpert said. “You don’t want to give consumers irrelevant information.”