Since the summer of 2012, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) has hosted a multistakeholder process—involving consumer groups, privacy advocates, and a wide range of businesses—aimed at making consumer mobile application (app) privacy practices more transparent. This process, launched in response to the White House’s call for a Consumer Privacy Bill of Rights in early 2012, eventually morphed into devising a model code of conduct for “short notices” in which consumer apps could inform consumers succinctly of key aspects of their privacy practices.
On July 25, 2013, stakeholders agreed—in an action NTIA Administrator Lawrence E. Strickling called a “seminal milestone”—to move the process from negotiating the text of the code of conduct to testing and possible implementation of the consumer notices. The current version of the code is available at the NTIA’s website: http://www.ntia.doc.gov/other-publication/2013/privacy-multistakeholder-process-mobile-application-transparency.
The Voluntary Code
The stakeholders hope that, by providing more transparency, consumers will become more comfortable with mobile apps and, in time, apps may compete on the basis of their privacy practices. The idea is that the code will encourage developers to use a common, standard terminology to describe important types of personal data that their apps collect, and to describe certain types of entities to which that personal data may be disclosed. Proponents of the new code of conduct hope that the use of a common set of terms by many apps will, over time, educate the public and improve the transparency of privacy practices within and among apps. A number of privacy and business groups have already expressed support for the code and will encourage app developers to consider testing and implementing the short notices in their consumer apps.
Testing Short Notices
The next step is for app developers, app publishers, and other interested entities to work on implementing the “short notices” established in the code. This will necessitate testing to see whether the code in practice will improve consumer understanding and awareness of mobile app privacy practices.
Although the draft code is moving into the testing phase, several important issues have not been resolved to everyone’s satisfaction. In particular, one contentious issue is whether apps should follow a “nutrition label” model (in which all data elements are listed, whether collected or not) or an “ingredients list” approach (in which only data elements actually collected are disclosed). For now, the code takes the “nutrition label” approach, although it carves out some room for flexibility for apps that can demonstrate that a different approach leads to significantly improved results.
Companies that do not like the short notices described by the code are free to ignore it, as adherence to the code is entirely voluntary. The stakeholder group also left open the possibility of reconvening the multistakeholder process if the testing and implementation process showed that consumers do not understand the new short notices that will be developed under the code. However, no meetings are scheduled, and it is uncertain whether any modifications to the code will be made in the future.
Implications for Business
Companies that publish consumer apps should consider whether to follow the code. That decision will require a careful assessment of a number of technical, business, and legal issues. In particular, companies that publicly pledge to follow the code will be deemed to have made a representation subject to enforcement by the Federal Trade Commission (FTC) under its consumer protection jurisdiction. As a carrot, the Administration’s Consumer Privacy Bill of Rights contemplated that the FTC would take adherence to a “strong” code of conduct into account favorably when contemplating enforcement actions. As of this writing, the FTC has not commented on the most recent iteration of the code.