Working Group to Present Formatting Proposals; NTIA Schedules Another Meeting for Mobile Privacy Stakeholders
During Tuesday’s meeting mobile privacy stakeholders are scheduled to hear three proposals from a recently formed working group (CD May 24 p7) regarding the format of short form privacy policies that must be presented to users by apps that sign on to the voluntary code, said members of the working group. In an email to stakeholders sent prior to Tuesday’s meeting, NTIA Director-Privacy Initiatives John Verdi said he had scheduled another meeting for the group on July 9.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
In previous meetings, stakeholders debated whether app developers should have the flexibility to deviate from the code’s terminology when describing the data elements collected by the app. Currently, the code requires apps to use specific language -- coined the “bold terms” -- when describing the seven categories of data being collected -- “Biometric,” “Browser, Phone or Text Log,” “Contacts,” “Financial Info,” “Health, Medical or Therapy Info,” “Location” and “User Files” -- and then allows the code to select among more sets of more specific language -- referred to as “the parentheticals” -- to show to users who indicate they are looking for more information. For instance, an app that accesses users’ photos would have to say in the short form policy that it collects “User Files” and then tell users in a different space on the screen that it collects “Photos."
Industry members have said these language requirements would force apps to be overly broad and potentially misleading in short form disclosures to users. “Having to disclose more than you collect is confusing for the consumers,” Sarah Hudgins, Interactive Advertising Bureau (IAB) director-public policy, told us. At the last meeting, the Direct Marketing Association (DMA), the Entertainment Software Association (ESA) and NetChoice submitted a discussion draft that would allow developers to replace the bolded terms with more specific language. Under the DMA/ESA/NetChoice proposal, app developers could choose the more specific language to use in place of the bolded terms. For instance, an app that accesses users’ photos could tell users in the short form policy that it collects “Photos” or “Pictures."
The DMA/ESA/NetChoice proposal is one that will group will consider Tuesday, NetChoice Policy Counsel and member of the working group Carl Szabo, told us. Additionally, the stakeholder group will consider two other options. Under the first, developers can display to users the more specific “parenthetical” term first and then display the broader “bold” term in an extension of the short form notice. For instance, an app that accesses users’ photos would tell users in the short form policy that it collects “Photos” and then classify that data element as “User Files” in a separate place.
Under the second proposal, the code would provide a list of more-specific terms -- to be approved by stakeholders -- that developers can use in place of the bolded terms. For instance, an app that accesses users’ photos would only need to say it collects “Photos,” while an app that accesses social media check-ins would only need to say it collects “Check-ins.” Under the current draft, those apps would first need to tell users they collect “User Files” and “Location,” respectively.
Szabo called the proposal involving a stakeholder-approved data element list a “very balanced approach.” The proposal “achieves the consistency” across app disclosures “that the drafters are looking for … by using a limited list,” he said. Szabo said NetChoice supports all three proposals to be discussed at the meeting but sees this one as one of the most viable. “I am hopeful that the drafters will see the need for compromise to reach consensus,” he said. Michelle De Mooy, senior associate-national priorities at Consumer Action and one of the code’s drafters, told us “there is at least one proposal for flexibility on the table that I consider a possibility. … I support the draft as is but am considering this one proposal."
Hudgins said the IAB is not prepared to endorse the code of conduct as it is currently written. “Hopefully we can get to a point where we can,” she said. While resolving the formatting questions will be a step in the right direction -- the IAB hasn’t voiced support for a particular proposal laid out by the working group but supported the option proposed by the ESA, DMA and NetChoice at the last meeting -- “for us, it’s not a silver bullet,” she said.
"We're looking at about five overarching issues,” including the code’s data use exceptions. At the last meeting, the drafters told stakeholder the language for those exceptions came from the FTC’s new Children’s Online Privacy Protect Act (COPPA) rule, which is set to take effect July 1. Szabo said that the language is missing significant exceptions outlined in the COPPA rule, including the collection of data to serve personalized content or contextual advertising. “The drafters decided to strike out certain aspects of the new COPPA rule, certain very important aspects,” he said. “At a minimum, we're looking for the same standards as the COPPA rule,” Hudgins said.