Three major voluntary mobile codes were released or hit important milestones last week, adding to the patchwork landscape of recent mobile privacy initiatives. The draft voluntary code of conduct developed during the Department of Commerce’s National Telecommunications and Information Administration’s (NTIA) multi-stakeholder process will now enter a voluntary testing phase, and two online advertising industry groups —the Digital Advertising Alliance (DAA) and Network Advertising Initiative (NAI)—released separate selfregulatory mobile privacy codes for behavioral advertising. The release of these three codes adds more layers —and hence additional competing standards—to the existing patchwork landscape of mobile privacy laws and standards. Perhaps most noticeably, the three codes provide three different sets of guidance on how mobile apps can most clearly and effectively communicate their data collection and use practices to consumers. At the same time, the three codes share a number of important principles and together may facilitate the development of industry consensus on several points, including:
- An emphasis on disclosing behavioral advertising and other third-party, cross-app collection and use of personal data;
- The expansion of covered data beyond core personally identifiable information (PII), to account for the increasingly diverse and sensitive data collected by mobile apps, including precise geolocation, health data and call or text logs.
Although the three codes are voluntary, companies should consider whether they want to attempt to comply with any of the codes or related recommendations. The Federal Trade Commission (FTC) has indicated that it considers a company’s failure to abide by a self-regulatory program the company affirmatively agrees to adopt to be a deceptive trade practice in violation of Section 5 of the FTC Act. Notably, the DAA and NAI codes will be binding on all members of those organizations.
NTIA Multi-Stakeholder Code of Conduct for Mobile App Transparency
On July 25, 2013, a wide group of mobile industry stakeholders reached an important milestone in their 13- month effort to develop a voluntary code of conduct for mobile app transparency under the auspices of the NTIA. A divided group of stakeholders ended—or at least paused—their ongoing drafting efforts and began a new phase in which individual mobile app providers will have an opportunity to test the working draft if they choose. For now, the code is frozen as currently drafted and, though no further meetings are officially scheduled, stakeholders expressed some intention to consider further edits after testing.
The code itself is a voluntary set of guidelines for “short-form” notices that, for any app provider who adopts it, will succinctly convey to users which types of personal information that mobile app collects and with which entities it shares user-specific data. Though no company is obliged to adopt it, industry participants may test the code, incorporating a compliant short-form notice into their mobile apps, and are encouraged to monitor its effects on consumer understanding and privacy awareness.
Broadly speaking, the present code requires participating app providers to offer a summary of their app’s personal information collection and third-party disclosure practices, ideally on a single screen. Its focus is narrow, and it does not touch on other common transparency themes such as data-use disclosure, just-intime notices, or a demarcation of especially sensitive data collection or sharing. Participating providers must make disclosures in text form (though supplemental icons are permitted) and adopt a “nutrition label” format where the relevant categories are tightly defined by the code. Under the current NTIA draft, every one of these categories must be disclosed in the notice, even when the particular app does not collect that type of data or share with that type of entity.
Specifically, the code requires disclosure of data collection in all of the following categories of personal information: biometrics; browser history; phone or text log; contacts; financial information; health, medical, or therapy information; location; and user files. Participating providers must also disclose their app’s nonexempt sharing of any “user-specific data” with the following third parties: ad networks; carriers; consumer data resellers; data analytics providers; government entities; operating systems and platforms; other apps; and social networks. The drafters built flexibility into the presentation and format of the disclosures, but the basic structure of the nutrition label and its categories is mandatory for all participating providers, apart from one narrow exception. That is, a particular provider may, consistent with the code, depart from the nutrition label approach if it conducts its own user testing and finds a “significant and demonstrable improvement in consumer ease of use or understanding” due to that departure.
Some stakeholders hope that the Multi-Stakeholder Code will become a new floor for app privacy disclosures, but its potential for success here is less clear. Widespread adoption depends in part on the results of this testing phase and in part on whether regulators and legislators recognize the code as a method to satisfy existing or planned privacy regimes. Potential adopters seek the reassurances of an enforcement safe harbor from the FTC and Attorneys General. Informal statements from FTC staff expressed support for the multistakeholder process, but suggested that the code itself may not meet the FTC’s ideal for official endorsement or de facto safe harbor status. The FTC itself, however, has yet to make any public statement. Similarly, Representative Hank Johnson recently redrafted his bill – Application Privacy, Protection, and Security Act of 2013 – in a way that removes its formerly clear support for the code and places restrictions that disqualify the code as a safe harbor.
The company testing of the current version of the NTIA code may provide valuable insight into the effectiveness and consumer understanding of the disclosures. A recent Carnegie Mellon University study indicated some consumer confusion and disagreement on the collection terms required to be disclosed.
Ad Industry Coalition Self-Regulatory Data Privacy Principles for Mobile Behavioral Advertising
On July 24, 2013, the DAA—a coalition of leading marketing and advertising trade associations—released guidance for the application of the DAA’s self-regulatory principles to mobile technology. The new guidance confirms that the DAA’s 2009 self-regulatory principles for online behavioral advertising apply to the mobile sphere.
The new guidance follows the recent leads from regulators in several ways, but two of the most significant similarities include (1) divvying up responsibility between first- and third-party data collectors and (2) applying specific transparency and consent principles to the collection and use of “Precise Location Data.”
The DAA guidance sets out how “First Parties” and “Third Parties” engaging in behavioral advertising via mobile devices must notify consumers and obtain their consent when the parties collect and use “Cross-App Data,” Precise Location Data or “Personal Directory Data” in certain ways. Under the principles, First Parties are those that own or have control over the app with which the consumer interacts; Third Parties are those that collect Cross-App Data or Precise Location Data from another’s app or that collect Personal Directory Data from a device. The guidance specifically limits First Parties’ obligations where Third Parties are collecting data without the First Parties’ affirmative authorization. As a corollary to this limitation, First Parties must notify consumers of the Third Parties with which they share data, but not those Third Parties’ uses of the data. Furthermore, the DAA implicitly requires First Parties, Third Parties and, in some cases, platform providers to coordinate in providing “clear, meaningful, and prominent notice” and obtaining consumer consent.
The DAA defines Precise Location Data as “data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device.” The DAA’s commentary specifically recognizes cell tower or Wi-Fi triangulation and latitude-longitude coordinates as potential sources of Precise Location Data. The DAA further refines this definition to exclude “location data that has been or will be rendered not precise within a reasonable period of time from collection,” five-digit ZIP codes, city names or “information that does not necessarily reflect the actual location of a device such as . . . a billing address associated with an account.” The precision required by the DAA is consistent with the broader trend of providing special treatment for location data, which is condoned in the NTIA and NAI codes as well (and referenced in the recommendations from the FTC and California Attorney General). As discussed below, however, the DAA’s purpose limitations significantly narrow the scope of Precise Location Data.
The DAA’s guidance differs from some of the recent regulatory guidelines in several significant respects. First, the DAA’s principles do not require or encourage the availability of notices prior to download or the use of just-in-time notices. Rather, the earliest suggested notice is “as part of the process of downloading an application to a device.” Second, and more broadly, the DAA notice and consent principles include fairly substantial exceptions depending on the purpose of the data collection and its use. “Transparency and control” need not be provided for various data used “[f]or operations and system management purposes” (including “improving customer experience”), for market research or product development, or where the data has or will be de-identified. While the DAA defines market research and product development, it does not delineate what activities constitute improvement of customers’ experiences.
Once finalized, the DAA’s guidance is expected to be enforced against participating entities by the Council for Better Business Bureaus and the Direct Marketing Association, both of which help to enforce the DAA’s 2009 principles against participants.
NAI’s Mobile Application Code
On July 24, 2013—the same day that DAA released its self-regulatory guidance—the NAI published its 2013 Mobile Application Code. The Mobile Application Code follows NAI’s existing Code of Conduct—a selfregulatory code governing data collection and use in online advertising—and applies many of the Code of Conduct’s principles to address the unique privacy challenges of the mobile landscape, such as the smaller displays on mobile devices.
Both the scope and reach of the NAI’s Mobile Application Code are more limited than the NTIA or DAA codes. As to scope, the NAI code does not apply to all mobile data collection and use, but rather only to “Cross-App Advertising” and “Ad Delivery and Reporting” practices. The code explicitly exempts first-party data collection, meaning that it does not govern where companies collect data solely for their own use via their own apps and sites. Rather, the code is focused on the third-party collection and use of data across multiple entities’ apps and sites. As to reach, the code applies only to members of NAI—a small trade organization of online advertising companies.
Despite these constraints, the NAI Mobile Application Code could have a significant effect on data collection and use by mobile advertisers. The code will become binding on the more than 90 members of NAI. Members will be required to publicly represent that they comply with the code and must complete annual NAI compliance reviews. Violations of the code could result in enforcement actions by the NAI and referrals to the FTC .
As noted, the NAI mobile code applies only to Cross-App Advertising and Ad Delivery and Reporting. Under the code, Cross-App Advertising refers to third-party mobile ad delivery—showing an ad to a mobile user based at least partially on data collected through applications owned by another entity. Using Cross-App Advertising, advertisers analyze users’ activity across multiple sites and apps to determine the users’ preferences and interests. The code defines Ad Delivery and Reporting as “the collection of information about a device for the purpose of delivering ads or providing advertising-related services . . . .” The code provides several examples of Ad Delivery and Reporting, including “statistical reporting in connection with the activity in an application,” “optimization of location of ad placement,” “reach and frequency metrics” and “logging the number and type of ads served on a particular day to a particular application or device.”
NAI members engaging in either Cross-App Advertising or Ad Delivery and Reporting must abide by two general rules: (1) they must provide notices at various points to inform users about their data collection and use practices; and (2) they must provide users with a mechanism by which they can choose not to be subject to those practices.
While the NAI code generally requires that users be provided with an opt-out mechanism for Cross-App Advertising and Ad Delivery and Reporting, the code imposes an opt-in requirement for certain kinds of information. Whereas an opt-out generally suffices for collection of standard PII, the code requires that users be asked to opt-in for Cross-App Advertising of Precise Location Data and “Sensitive Data.” The code defines Precise Location Data as “information that describes the precise real-time geographic location” using technology such as a GPS, and Sensitive Data as including Social Security numbers, insurance plan numbers, financial account numbers, health data and sexual orientation.
These three voluntary codes exemplify and expand on several themes in the developing mobile terrain that will be important for businesses to monitor in assessing their own mobile practices. First, data privacy and security practices are moving beyond initial privacy policies, often focusing on tailoring consumer notice and consent to different technologies—with much more limited screen real estate and consumer usage patterns— as well as different types of data and data usage. Second, two of the codes reinforce the practical reality that multiple entities are involved in mobile data collection through a single app. Thus, responsibility for consumer notice and consent must be shared among all entities in the mobile sphere, and the division of that responsibility remains an important and debated issue. Third, each of these codes recognizes precise geolocation as sensitive information to be accorded special attention and protections. As a corollary to that point, implicit in these codes’ provisions is the acknowledgement that not all data is created equal—in addition to the traditional categories of PII, particularly sensitive data may require heightened consumer protection. Each contributor to the recent mobile developments has different responses to these concerns. However, these major themes are a common refrain for mobile privacy and likely will shape future regimes and expectations. Businesses should be mindful of these distinctions as they consider their own data practices and as they consider whether to participate in any voluntary mobile practices code.