Mobile Privacy Stakeholders Debate Language as NTIA Praises Progress
NTIA mobile privacy stakeholders debated the remaining contentious issues in the newest draft of a voluntary code of conduct that would require apps, via short-form notice, to inform users what data they collect and with which third parties they share that data (http://1.usa.gov/16WmiIO). Those issues include the implications of the document’s preamble and the requirements of the short-form notice’s format. During the Thursday meeting, NTIA Administrator Larry Strickling and NTIA Director of Privacy John Verdi praised the group’s progress and encouraged stakeholders to see the process through to its end.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Stakeholders agreed to create a new working group to discuss the format of the short-form notices, specifically the wording options available to apps to inform users which data elements are collected. The code requires apps to tell users if they collect seven categories of data elements -- Biometrics, Browser/Phone/Text Log, Contacts, Financial Info, Health/Medical/Therapy Info, Location and User Files -- and requires apps to provide additional explanatory information about those data categories. The current code provides language for each data element’s additional explanatory information but allows apps to alter that language if new language would be more specific about the data being collected. The names of the seven categories of data elements cannot be altered in short-form notices, under the code.
Apps should be able to alter the names of the seven data element categories if alternate wording would provide more specificity, said Sarah Hudgins, Interactive Advertising Bureau director-public policy. Apps should have more flexibility to provide specific information about what data are collected, said Cory Fox, general counsel to the Entertainment Software Association (ESA). For instance, an app should be able to tell users it collects “Your Photos” instead of saying it collects “User Files” and then getting more specific in the additional explanatory information, some industry stakeholders argued.
The language in the code’s preamble is not operational and does not create any obligations for signatories, the code’s drafters said. Apps that choose to sign on to the code have to adopt the code as a whole, including the preamble, but “I don’t think that means you need to put this in some sort of operational place in your code of ethics,” said Michelle De Mooy, Consumer Action senior associate-national priorities. Consumer Watchdog Advocate John Simpson said he wants the preamble to be operational.
Stakeholders also debated the newest language of the code’s preamble. In a redline document submitted by the ESA, Direct Marketing Association and NetChoice (http://1.usa.gov/11fLs28), the groups suggested the drafters trim down the preamble by eliminating the sentence that reads, “The purpose of the short form notices is to provide consumers enhanced transparency about the data collection and sharing practices of apps with which consumers choose to interact.” Fox said the edit was suggested to “cut the fat” of the preamble. Pam Dixon, executive director of the World Privacy Forum and a drafter, objected to further shortening the preamble, calling the language “a heavily negotiated sentence.” The process to shorten the preamble has been “contentious,” she said. “It polarizes the drafting, and I'd really like to leave [the preamble] alone.” Stakeholders voted on whether to retain the preamble without implementing the suggested edit, and representatives of ESA, DMA and NetChoice were the only ones to oppose.
The fact that the code no longer requires apps to inform users if they share collected data with “Affiliated Businesses,” as previous drafts did, will be a sticking point for the Consumer Federation of America, said Director of Consumer Protection Susan Grant, calling the decision to remove the requirement “regrettable.” “If that can be changed, we would endorse this draft,” she said. Sharing with affiliated businesses is a core issue for consumer groups, De Mooy said, asking that the issue be reconsidered. “Because there’s so few of them” participating in the NTIA process, “compared to industry, it warrants another look at this issue,” she said. Verdi said it would be on the agenda for the next meeting.
At the beginning of the meeting, Strickling urged “everybody to get this over the finish line as quickly and as promptly as we can.” While the process has gone on longer than some think necessary, the work warrants “taking the time to get it right and to make sure that it was being done truly by you, the stakeholders,” he said. Strickling said he hopes the stakeholders will provide feedback once the process concludes, as it is “the first of what we hope will be many such endeavors.” Participants “have been part of a really interesting ... landmark process,” he said.
NTIA is not going to determine what level of consensus will be necessary to consider the process closed, Verdi said. “What consensus means for this group, I think, is going to be fuzzy” and somewhere between a small majority and unanimity, he said. “The objection of one stakeholder or two stakeholders is not necessarily something that will preclude consensus in this process.” Verdi pointed stakeholders to a list of outstanding issues in the meeting’s agenda (http://1.usa.gov/14DOpsb), some of which were resolved prior to or during the meeting. “When those issues are all resolved, I think we're done,” he said.