By Angelique Carson, CIPP/US

While many members of the National Telecommunications and Information Administration’s (NTIA) multi-stakeholder group on mobile app transparency will tell you they laud the NTIA’s efforts to bring together opposing forces to compromise on a self-regulatory code of conduct for mobile apps, not everyone is hot on the newly released code as it stands, and one consumer group says the NTIA isn’t the body that should lead the effort. Period.

The code, which took a year of meetings between industry, consumer advocates and government representatives in Washington, DC, to draft, requires app developers who voluntarily subscribe to it to adopt a short-form notice that describes the types of data they collect, provide users the ability to access a long-form policy and disclose both the sharing of user-specific data and the identity of the entity providing the app, among other requirements.

Boiled down, it aims to give consumers persistent, transparent notice about the data a mobile app is collecting and using about them and allows them to make decisions based on that information. See a breakdown of the standard here.

The Department of Commerce’s (DoC) Cam Kerry told The Privacy Advisor he was pleased with the multi-stakeholder process, though he did not confirm if the model would be used for future collaborations. Given the struggles to create a Do-Not-Track standard, for example, will this structure be effective in the future?

“We are delighted with the outcome here,” he said. “This is an important milestone in implementing the White House blueprint and really working through, successfully, the multi-stakeholder process.”

Can Industry and Advocacy Cooperate?

Pam Dixon of the World Privacy Forum, who is historically critical of self-regulatory efforts in general, participated in the process and said it changed her perspective. Rather than being industry-driven, consumer input was considered and compromises were reached.

“For me personally, it was kind of a put-your-money-where-your-mouth-is moment,” she said. “I had to either walk away because it wasn’t perfect or sit there and craft something that was a heavily negotiated document … Every single word in that document pretty much was negotiated. I was getting calls over commas and conjunctions.”

Not every bullet point on Dixon’s wish list was included in the final code, but that’s what negotiations are about, she said: “I don’t think full 100-percent consensus is ever going to be possible in a multi-stakeholder proceeding … There are just polarities in this space. There were some consumer groups who really just hated this. And then there were industry groups that hated it. But I think a rough consensus was there for sure.”

Not everyone has been so enthusiastic. The Direct Marketing Association’s Stu Ingis, for example, recently said the code is “not a consensus and not done.”

But disagreement is a part of the nature of the process, said the NTIA’s John Verdi, who facilitated the process.

“With that many diverse groups working together,” Verdi said, “certainly there are bound to be people who are not satisfied with particular outcomes, but that’s part of the nature of compromise.”

A little disagreement is one thing, but the Center for Digital Democracy (CDD) last week published a 34-page report calling the NTIA process “flawed from the outset” and claiming the process failed to examine the big picture. Mobile apps are only a part of the services collecting real-time data and operating targeting services, CDD argues.

The CDD’s Jeff Chester told The Privacy Advisor that the Obama administration—which called for the code—risks strengthening “the perception held by the EU and others that it doesn't support a robust consumer protection regime. The last year was a wasted effort, with a lack of commitment by the Commerce Department to seriously address privacy threats from mobile applications.”

Morgan Reed of the Association for Competitive Technology was more measured, saying any multi-stakeholder effort is simply “managed chaos,” and while the NTIA did a good job managing it as best it could, the problem in the end was a lack of real, usable knowledge.

“We’re voting on things we don’t even know about,” Reed said at an August 29 “lessons learned” meeting, adding that a greater focus should have been placed on education of how things are done “in the wild” before drafting rules.

Chester, however, seemed to think the NTIA process as a whole was a waste of time and called for the Obama administration to release its long-awaited privacy legislation proposal.

Susan Grant of the Consumer Federation of America agrees with Chester that the code won’t cut it.

“What we really need is a basic privacy law that creates a framework under which the stakeholders could conceivably fill in some things,” she said. “I don’t know if it’s possible to do anything useful and meaningful in absence of that.”

Asked whether a privacy bill from the White House can be expected, Kerry told The Privacy Advisor, “We have continued to look at legislation to implement the consumer privacy bill of rights mechanism and to strengthen multi-stakeholder processes. We have been in discussions with a number of members of Congress. We are certainly encouraged by the news that the House Subcommittee is going to have a privacy taskforce, and we look forward to working with them on a bipartisan basis.”

The CDD is also calling for the FTC to replace the NTIA in facilitating the process moving forward.

“The NTIA is incapable of leading an effort to protect consumer privacy,” Chester said. “Its job is to help expand data collection by U.S. companies all across the world.”

Chris Olsen of the Division of Privacy, Identity Protection at the FTC said at the meeting that that wouldn’t fly, though.

“We view ourselves as enforcers. Our job would be to enforce what comes out of the multi-stakeholder group,” he said. “Because of that, we’re less well-suited to serve a convener role and think the NTIA should continue that role.”

The Code Itself

“I know there are some consumer groups who detest the code. I like it,” WPF’s Dixon said. “I think it offers incremental but important information for consumers, and there are a couple of really important firsts for us. For the first time, we have data brokers included in a privacy notice regime and we also have the definitions of health and medical data, and they’ve been greatly expanded from previous self-regulatory regimes.”

That said, the code itself may not be ready to roll.

“Not all of us think that it’s totally there yet,” said Rachel Thomas of the Direct Marketing Association (DMA). “The goal of the NTIA process is to reach an outcome that is both technically feasible and widely adoptable by industry while at the same time providing a significant increase in transparency for consumers.”

Thomas said it’s important that the code is vetted before it is finalized, adding that DMA companies are reviewing it now.

Kerry agrees that there’s room for improvements.

“I think one of the great virtues of the multi-stakeholder code of conduct is that it is an iterative process,” he said. “This does not need to be the last word on the subject, and compared to rules and regulations, it’s far easier to come back as people learn from experience and as technology evolves and do another version.”

Verdi points to the 39 out of 40 stakeholders at the group’s July 25 meeting who voted to move toward testing and implementation, a plan Verdi said he’s comfortable with.

“We said from the beginning that consensus does not mean unanimity,” Verdi said. “No single person can stop the group from moving forward and improving privacy protections for consumers. If anyone suggests that there is more work to be done, I wholeheartedly agree. But I am really looking forward to seeing the enhanced privacy disclosures companies will roll out based on the work of this group.”

Dixon said she’s hearing the “busy sounds” of brands getting to work on testing and implementation, but it’s too early for a verdict.

On Implementation

Verdi said he’s optimistic that implementation and testing will be widespread, even among small developers. But both Verdi and Kerry acknowledge there may be a slow progression toward success, and it may be tough to reach small developers.

“That is exactly the challenge. When it comes to small developers, the challenge is translating a code of conduct into computer code. There are ways to encourage that, and there are tools that trade associations and others can provide to facilitate that process,” Verdi said.

The Association for Competitive Technology’s Reed reported that Apple, BlackBerry and TRUSTe are all conducting independent testing reviews, and between 25 and 30 app developers have indicated their willingness to put the short form on their apps for A/B testing.

“They’re willing to lead with their chin and see if they get a difference,” Reed said.

Kerry told The Privacy Advisor associations will be useful in encouraging members to develop tools to make it easier for small developers to write privacy protections in the absence of chief privacy officers or lawyers.

Verdi said that while the FTC has indicated it will look favorably upon companies adhering to the code when it comes to enforcement actions, enforcement in general will look more like a carrot than a stick.

“Trust is a critical foundation for the mobile app marketplace in particular,” Verdi said. “One reason the DoC decided to focus on the mobile space is that small app developers, with whom consumers may not have any previous relationship, rely on trust when it comes to ensuring an even playing field in the app marketplace. The stakeholder group focused on ensuring that companies be honest, upfront, transparent and concise about the most important privacy practices.”

Dixon said the fact that companies are starting to test is a good sign that this thing may be successful in the end: “I think that’s really positive and that’s the outcome we wanted.”

For now, it’s a waiting game. If the code doesn’t pass the test, the stakeholders may find themselves back together, red pens in hand.
