Last week, the National Telecommunications & Information Administration (NTIA) convened a meeting of privacy advocates, industry participants and other privacy stakeholders during which stakeholders were presented with a discussion draft of a Code of Conduct for Mobile Application Transparency. The November 7 meeting was the fifth in a series of meetings that NTIA has convened to permit stakeholders to develop a code of conduct to provide transparency in how mobile application and interactive services companies handle personal data on mobile devices. The draft is based on the general principle that a mobile application provider that collects personally identifiable data should give consumers both short notice and comprehensive notice of its data practices.

A “short notice” should disclose whether location data, financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records are being collected. It also should provide access to, or a description of how to access, the comprehensive notice.

A “comprehensive notice” should include the following information with respect to data collected through the mobile application:

  • Name and contact information for the mobile application provider;
  • Categories of personally identifiable information collected;
  • Whether information about a consumer’s precise location is collected;
  • Categories of the uses of the data;
  • Categories of non-affiliated third parties that may have access to the data;
  • Choices the consumer has to limit the collection, use or sharing of data;
  • Means by which a consumer may access, correct or delete data about himself or herself;
  • The types of security practices used;
  • Methods for notifying consumers of changes to data policies;
  • A statement that the provider adheres to the code of conduct; and
  • The effective date of the notice.  

The draft also sets forth the methods by which an “app market provider” (i.e., an entity that operates an online location that allows consumers to download mobile applications provided by other entities) should permit mobile application providers to give notice of their data collection practices and otherwise handle notice issues.  Specifically, an app market provider:  (a) should establish a submission process for applications that includes a hyperlink to the notice or an optional data field containing the notice; (b) should provide a means for consumers to report any application that does not include the required notice; (c) should provide a process to respond to reports that an application does not provide notice; and (d) may decline to offer an application that does not provide notice.

The sixth meeting of the stakeholders will take place on November 30, and a stakeholder-organized briefing is taking place on Tuesday, November 13 at 2 p.m. ET.  Dial-in information and other relevant documents for the briefing are available here.