Short-Form Policy Format, Inclusiveness Remain Sticking Points for NTIA Stakeholders
Mobile privacy stakeholders debated the remaining outstanding issues in the voluntary code of conduct that would require apps to disclose to users via short-form notice what information they collect from users and what entities they share that information with, in a meeting Tuesday. The remaining issues include requirements of the short-form user interfaces and whether apps need to list every data element listed in the code. Tuesday’s meeting had been the last scheduled stakeholder meeting in the process facilitated by the NTIA, but prior to the meeting, NTIA Director of Privacy Initiatives John Verdi scheduled a final meeting for July 9.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Stakeholders debated how data collection must be described to users in short-form notices. Privacy advocates have said they want apps to have to use the code’s language to describe what has become a list of eight data elements -- Biometrics, Browser History, Phone or Text Log, Contacts, Financial Info, Health, Medical or Therapy Info, Location and User Files -- while industry stakeholders have argued for the code to allow apps to provide more specific language out of fear that the eight data element categories are overly broad and potentially misleading to users.
Stakeholders considered a user interface template put forward by Jules Polonetsky, director of the Future of Privacy Forum. Polonetsky’s template included space on the screen for each of the eight data elements. In the space for each data element, each of the eight category terms was shown in a small font, while words describing the data being collected was given more prominence in a larger font. For instance, the space for “User Files” showed “User Files” in a smaller font in the corner, while the word “Photos” was presented in the middle of the space in a larger font.
NetChoice Policy Counsel Carl Szabo suggested a format in which the code would provide developers with a list of more specific words to describe the collected data elements that could be displayed in place of the eight data element categories. Michelle De Mooy, senior associate-national priorities at Consumer Action and a drafter of the code, said she would not support Szabo’s proposal.
Jim Halpert, DLA Piper privacy lawyer and general counsel to the Internet Commerce Coalition, said Polonetsky’s template would provide more flexibility than Szabo’s because it would allow developers to come up with their own language to describe their data collection while maintaining consistency across apps by requiring developers to present the same eight data element categories. Saira Nayak, TRUSTe director of policy, commended Szabo’s approach. If a developer has to show the word “Biometrics” to consumers but is not actually collecting biometric data outside of shoe size, “it is going to confuse the hell out of the consumer, and that is not what we're aiming for,” she said.
Whether an app needs to list every data element in the code and signify which it collects or list only those that it collects has remained a sticking point for stakeholders over the last several months; industry stakeholders have said presenting users with terms that are irrelevant to the app’s data collection practices will overwhelm the user, while consumer advocates have said requiring apps to use the entire, identical set of terms -- referred to as the “nutrition label” approach -- will allow users to more easily compare data collection practices across apps. ACLU Legislative Counsel Chris Calabrese, one of the code’s drafters, said the language in the code -- requiring that apps list “all applicable data elements as described” in the code -- could be interpreted in both ways. The consistent language to compare collection across app is a priority for the ACLU, Calabrese said. “It remains very important to us that we have something that lists everything in some way.”
Calabrese suggested that apps list the categories of data they don’t collect at the bottom of the screen, separate from the list of categories and descriptions of data that the apps do collect. “I believe that’s something that would meet the code as I envision it,” he said. As it’s written, the code provides “a fair amount of flexibility in how the bolded terms appear on the page,” he said. Pam Dixon, executive director of the World Privacy Forum, said that approach “allows businesses to get rid of those scary terms” that may be broad and misleading and “make crystal clear that these items are not being collected.”
Presenting terms to users that are not relevant to an app’s data collection practices can be unhelpful to users, industry stakeholders said. “Consumers get really confused when you put a lot of different terms on a notice that aren’t relevant to that notice,” Nayak said. Nayak said TRUSTe has research to support claims that presenting more than the relevant information can be unhelpful to users. The code should consider whether “you have enough real estate on the screen” to put all of the data categories in front of consumers, she said.
Calabrese said he would be open to revisiting the code after adopters do user testing to evaluate how to most effectively implement the nutrition label approach. “I recognize that companies are going to test this,” he said. “If after this testing goes forward with this nutrition label” approach, and consumers are confused, “there will be the opportunity to potentially revisit the code, on this very narrow issue of whether [all] the elements appear or not,” he said. Tim Sparapani, Application Developers Alliance vice president-law, policy and government relations and one of the code’s drafters, called this “the last state of negotiation” on this issue. “This is as big an olive branch as you're going to see in this process, and I'm speaking to my industry friends here,” he said. The ability of this stakeholder process to succeed “rests on your ability to recognize a really good deal that’s been given to you here,” he continued.
Stakeholders from the advertising industry said they appreciated the idea that Calabrese put forward and would need to bring it to their members for consideration. “This is a huge issue for the [online advertising associations] because it’s a huge issue for [their] members,” said Julia Tama, Venable lawyer and counsel to the Digital Advertising Alliance. Chris Pedigo, vice president-government affairs at the Online Publishers Association, said he thinks “this document is heading in a really good place” but said the apps and mobile devices space “is constantly evolving” and “is not going to wait for us to meet again.” Stakeholders that support the current code asked that those stakeholders not currently on board come to the next meeting with a list of changes that they need made to the draft before they can sign on to the code. At the meeting’s conclusion, Verdi asked stakeholders to submit to him a list of outstanding issues before the July meeting.