Export Compliance Daily is a service of Warren Communications News.
New Format Options

Newest NTIA Mobile Privacy Draft More Flexible, Drafters Optimistic About Industry Response

As NTIA mobile privacy stakeholders prepare for the group’s final scheduled meeting Thursday, the newest draft (http://1.usa.gov/1bOWdLM) of a code of conduct for apps’ short-form privacy policies provides app developers with more flexibility than previous drafts, the writers told us. The new draft allows apps to display to users data collection and sharing practices in ways that the business community will appreciate, Pam Dixon, executive director of the World Privacy Forum and a drafter of the code, told us. But Carl Szabo, policy counsel at NetChoice -- which represents AOL, Facebook and Yahoo among others -- told us the draft still falls short on some key issues that are critical to the business community.

App developers have much more flexibility in how they communicate to users what data are and aren’t being collected, as well as the entities with which those data are shared, Dixon said. One of the persistent outstanding issues between stakeholders is how apps must display their data collection and sharing practices. Privacy advocates want apps to use a uniform set of words to describe the entities with which they share user data and to list the eight data categories -- biometrics, browser history, phone/text log, contacts, financial information, health/medical/therapy, location and user files -- in their entirety before elaborating with more specific language. Industry representatives want apps to be able to list only the specific data they collect and the entities with which they share them, to avoid giving users the impression that an app collects and shares more data than it actually does. At the last meeting, Future of Privacy Forum Executive Director Jules Polonetsky presented a short-form prototype that featured the specific type of data more prominently than the data category. Dixon said the drafters revised the code to make user interfaces like that permissible.
Under the new draft, apps may list the specific data collected “in larger or smaller font than the font of the data element of entity categories.” If an app does not collect data that falls into one of the eight categories, it can list those categories separately from the categories of data it does collect, according to the new draft. “You can really do a lot” with the short-form design elements “that you couldn’t before,” Dixon said. Apps can minimize the eight data category terms to the point of being “almost invisible and still have it work,” she continued, and the ability to list elsewhere on the screen the data elements that are not collected is “a very important thing for anyone trying to have an app.”

Adopters can do user testing and reevaluate their short-form notices under the new draft, which codifies suggestions made by drafters at the last meeting. If app developers find “significant and demonstrable improvement in consumer ease of use or understanding when the short form notice lists only” the specific types of data being collected and not the data categories, “then those endorsers shall have the option to comply with the Code by displaying only the data elements that are collected, and only the entities with which data elements are shared,” the draft said. Requiring apps to find “significant and demonstrable improvement” sets a subjective and “very high bar” on companies that want to engage in user testing, Szabo said. Additionally, the current draft would only open this option to companies that have already signed onto the code, meaning companies that sign on later would not be able to configure their short-form notices based on the best practices early adopters develop through user testing. Dixon said that determination will come later. “We haven’t gotten there yet,” she said. “The testing part really has to come first.” Adopters who engage in user testing and then want to change the code’s requirements must show “a good faith testing effort,” she said.

Dixon said she’s optimistic industry representatives will respond well to the new draft. “The feedback I'm getting is that this is a greatly improved draft,” she said. “I think this document finds a balance” between concerns of stakeholders on all sides of the issues, she said. In “moving to the center,” both the industry stakeholders and the privacy advocates have had to make compromises, she continued. Jim Halpert, DLA Piper privacy lawyer and Internet Commerce Coalition general counsel, told us the new draft has “a lot of things that are more flexible and will make it more palatable to the business community.” The flexibility around short-form design means “it’s not a standard template that needs to be followed,” which “gives businesses much more varied choices,” he said.

Other industry concerns remain beyond the potential limits on who can benefit from adopters’ user testing, Szabo said. The new draft is too restrictive in requiring apps to list all of the data categories and to use the code’s own language to do so, he said. Additionally, the code’s exceptions -- the data uses for which an app need not inform a user that it is collecting data -- are not broad enough, he said. When crafting the exceptions -- adapted from language in the updated Children’s Online Privacy Protection Act (COPPA) rule -- “drafters selectively deleted important segments,” he said. Dixon told us that drafters used the COPPA language only as a starting point and changed it as they saw fit.

The linguistic requirements in the code may be confusing to users and app developers, according to a new report from Lorrie Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory (http://bit.ly/15S3SGo). Cranor found “a lot of uncertainty” among participants about what each data category includes, even when users received additional, more specific language, she told us. App developers may also have difficulty knowing what each data category includes, she said. The code of conduct -- which would have benefited from user testing -- is “going to need examples” to help app developers, she said. NTIA stakeholders are not scheduled to discuss the study’s findings, according to the agenda.