On the heels of the release of the Digital Advertising Alliance’s self-regulatory guidelines for the mobile app industry, the National Telecommunications and Information Administration (“NTIA”) recently published a draft Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices (“Mobile App Code of Conduct”). The Mobile App Code of Conduct provides guidance to app developers and publishers regarding the display of certain application practices information. The Mobile App Code of Conduct is voluntary and, NTIA adds, the adoption of its principles does not guarantee compliance with specific state, federal or international laws or best practices.

The Mobile App Code of Conduct addresses short form notices about the collection and sharing of consumer information with third parties. The goal is to provide consumers with information about whether the app that they are downloading on their mobile devices is collecting and transmitting their personal data to third parties – and what manner of personal data that entails.  Ideally, the short form notice will be presented to consumers prior to installation or use of the app, but the Code of Conduct does not make this a requirement.

What the Short Form Notices Must Contain

  1. The categories of data the app collects (meaning that such data will be transmitted off of the device), regardless of whether the user knows that it is being collected:
     1. Biometrics (information about one’s body, including fingerprints, facial recognition, signatures and/or voice print);
     2. Browser History (a list of websites visited);
     3. Phone or Text Log (a list of the calls or texts made or received);
     4. Contacts (including list of contacts, social networking connections or their phone numbers, postal, email and text addresses);
     5. Financial Information (including credit, bank and consumer-specific financial information such as transaction data);
     6. Health, Medical or Therapy Information (including health claims and other information used to measure health or wellness);
     7. Location (precise past or current location of where a user has gone); and
     8. User Files (files stored on the device that contain user content, such as calendar, photos, text and video).
  2. The categories of third parties with which the app shares user-specific data:
     1. Ad Networks (companies that display ads through apps);
     2. Carriers (mobile phone service companies);
     3. Consumer Data Resellers (companies that sell consumer information to other companies for multiple purposes, including offering products and services that may interest the user);
     4. Data Analytics Providers (companies that collect and analyze the user’s data);
     5. Government Entities (any sharing with the government except where required by law or expressly permitted in an emergency);
     6. Operating Systems and Platforms (software companies that power the device, app stores, and companies that provide common tools and information for apps about app consumers);
     7. Other Apps (apps of companies that the consumer may not have a relationship with); and
     8. Social Networks (companies that connect individuals around common interests and facilitate sharing).
  3. A means of accessing a long form privacy policy, if any exists. Privacy laws, such as California’s Online Privacy Protection Act, may separately require a long form privacy policy to be posted. In any event, since posting one is a generally accepted best practice, NTIA encourages all app developers to post a long form privacy policy.
  4. The identity of the entity providing the app.

The Mobile App Code of Conduct indicates that short form notice is not required for sharing consumer data with third party service providers where a contract between the app and the third party explicitly: (i) limits the uses of the data provided by the app to the third party solely to provide a service to or on behalf of the app; and (ii) prohibits the sharing of the consumer data with subsequent third parties.

The Mobile App Code of Conduct provides certain exceptions, including for what it deems the most common app collection and sharing activities for operational purposes, such as those activities necessary to:

  1. maintain, improve or analyze the functioning of the app;
  2. perform network communications;
  3. authenticate users;
  4. cap the frequency of advertising;
  5. protect the security or integrity of the user or app;
  6. facilitate legal or regulatory compliance; or
  7. allow an app to be made available to the user on the user’s device.

With the evolution of the mobile app industry and devices’ ability to collect (and transfer) a tremendous amount of personal information from their users, there is increasing regulatory scrutiny focused on protecting consumers’ privacy. For example, as we recently reported, on June 27, 2013, the FCC issued its first Declaratory Ruling in the mobile telephone context clarifying precisely what information must be protected on mobile devices. As this and the Mobile App Code of Conduct reveal, app developers and publishers must keep updated on the numerous and ever-evolving policies and best practices governing data collection and sharing in order to remain in compliance and stay on the “right side of the law.”