Newest NTIA Mobile Privacy Draft Includes Shortened Preamble, No Platform Requirements

The draft encourages developers “to provide consumers with access to the short notice prior to the download or purchase of the app” where “practicable.” At the last meeting, Maneesha Mithal, associate director of the FTC’s Division of Privacy and Identity Protection, told stakeholders that agency staff would like to see the code address “just-in-time notice,” or notice that’s delivered when it would be most relevant to users, such as when an app is initially being downloaded. The new language is the most the drafters could do to address the just-in-time notice concerns raised by the FTC without broadening the code to address platforms, which are outside the scope of the process as defined by the NTIA, Dixon said. “We added things to the draft that take into account the platforms.” But “the platforms are not really in the draft” themselves, she said. Dixon said she thinks the draft’s language addresses the concerns raised by Mithal at the last meeting, which took place April 30.

The code also doesn’t explicitly require apps to have a long-form privacy policy, though the code requires apps to link to such a policy in the short-form notice if they have one. The California Online Privacy Protection Act requires that apps that count California residents among their users must have a long-form privacy policy. Some stakeholders -- including the FTC, according to Mithal at the last meeting -- wanted the code to require a long form policy, while some were hesitant about requiring the short-form policy to link to a long form policy if one exists, Dixon said. The decision to require the short-form privacy policy to link to the long-form policy if it exists took “a long time to reach and a lot of discussion,” she continued. “I don’t think it went as far as the FTC wanted it to go, but I think we've found middle ground.” Mithal told us that the draft indicates that drafters “made progress and worked to address the concerns we raised, but these issues will probably continue to be discussed at the coming meetings."

After receiving comments from “quite a few stakeholders” who “were upset with the length of the preamble,” drafters shortened the preamble of the code, Dixon said. The new language has a “reduced reference” to state, federal and international regulations -- such as the FTC’s Children’s Online Privacy Protection Act rule. The COPPA rule mentioned in the last draft, which said the code’s signatories must comply with the rule outside of agreeing to the code but tells signatories that adoption of the code “does not guarantee compliance with any specific state, federal or international law or suggested practices.” Dixon said the language change came about in an effort to condense the preamble without diluting it. “We feel like we've cut it down to the bone,” she said.

Dixon also pointed to new language that exempts data “when it remains local to the device” as a significant change in the code. The language change was the result of “a whole bunch of stakeholder requests over time,” she said. “It takes care of a lot of problems” raised by stakeholders, she continued. “We're actually really proud of that."

"It’s just too late to reorient the draft” to accommodate all of the FTC staff’s concerns, said Jim Halpert, privacy lawyer with DLA Piper and counsel to the Internet Commerce Coalition. The timing makes it “unlikely that all of the FTC staff’s requests will be included in the final draft.” By offering a staff statement commending a draft at the process’s successful conclusion -- as opposed to safe-harbor protection for apps that sign on to the draft -- the agency isn’t providing the incentives to encourage the stakeholders to make significant changes, he said. “The FTC suggestions are very good ones.” But the agency would need “a very clear reward” to convince stakeholders to make the changes, as the process is “running to its end,” he continued.