
The National Telecommunications and Information Administration (NTIA) led a multi-stakeholder process last year aimed at developing a voluntary code of conduct for mobile app transparency. Some of those who participated in the process spoke at a Global Privacy Summit preconference session Wednesday on why a multi-stakeholder process was chosen, what the code looks like and whether the process was a success.

The NTIA’s John Verdi led the stakeholder process for the Department of Commerce but was quick to tell the room that the code—now in its final draft after 142 earlier versions, 19 of which became public—is not a government product.

“This is not something NTIA drafted; we are indebted to the very hard work of stakeholders and will continue to be indebted as we debate, negotiate and find creative solutions, especially given the gridlock of Washington.”

Why the Process? Why Transparency?

The NTIA initiated the process, Verdi said, because, well, President Barack Obama asked it to do so. It was clear some guidance on mobile app privacy was needed as the space continues to grow rapidly, and developers, particularly the small ones, continue to bump up against enforcement actions and struggle with how to communicate their privacy practices to users.

“We understood that the app marketplace relies on trust, unlike some other enterprise markets where consumers buy from well-known vendors where they have trust relationships,” Verdi said. “The app marketplace relies in many ways on users visiting a platform store and an app that looks useful and entertaining, regardless of whether they know the company that developed that app. They need to trust that app won’t kill their phone, track their location or upload their contact lists. All those trust factors are needed for apps to thrive.”

But why focus on transparency? Because it was something related to privacy the NTIA felt everyone could agree on as a necessity. And agreement was certainly reached in the end.

“Every single word, down to every comma was negotiated,” World Privacy Forum Executive Director Pam Dixon said of the process.

The NTIA Mobile App Multistakeholder Process—Straight from the Core Drafting Group and the NTIA Facilitator

The ACLU felt good about participating in the group because it wanted to prove “the cats and the dogs could be in the same room without getting in big fights,” said ACLU privacy lobbyist Chris Calabrese.

He added, however, that the ACLU would have hoped that the code would have included all the Fair Information Practice Principles and not just the principle of transparency. It would also have liked to see all platforms included in the talks, but “we’re also in a difficult legislative environment,” he said. “So we looked at this thing and said, ‘What value can we add?’ I think what we decided was the value we could add was giving consumers the ability to compare apps in a standardized way, the way you compare food on the shelf.”

Using that metaphor, consumers can make food comparisons at a glance; they can compare soup ingredients and then pick a different soup, or they can choose to not eat soup at all.

Comparatively, we’re in a time when a variety of apps all do the same thing. A user can buy multiple flashlight apps from various developers, for example.

“So perhaps this creates an opportunity for the first time to compete on privacy,” he said. “I want to be able to compare different apps; I want to be able to compare their practices. At its heart, that was the basic idea. We were trying to operationalize.”

Tim Sparapani of the Application Developers Alliance said he received a lot of flak—namely, being called a heretic—for participating in a process on mobile app transparency. But he saw a huge opportunity rather than a speed bump.

“You all know, because you work with data every day, that consumer trust is always under assault by data breaches, hacking, data brokers selling stuff. Nowhere is the erosion of confidence felt more than in the mobile app space. If you don’t have consumer trust, if you don’t do things to enhance consumers’ understanding of the tools they’re being offered to do what they want them to do, it is likely to lead to a steady deterioration of the mobile app space instead of a broad embrace by the public.”


Intuit’s Amanda Pedigo said the software company is in phase two of implementing the prototype of the code. Phase one indicated some confusion and some design concerns among users.

The code itself contains eight data points that customers would want to know and that should be indicated to them, including which data you collect and which data you don’t. Consumer tests indicated consumers were “delighted” to know which data sets could potentially be collected and appreciated knowing which of those data sets were nonetheless not collected.

Lookout Mobile Security Policy Advisor Deepti Rohatgi showed attendees the short-form privacy notice Lookout has recently released as open source, allowing companies to make their own short-form privacy policy in five steps—or in less than an hour. The notice indicates to users not only the data the app is collecting and using but also the data it could collect and does not. Rohatgi echoed that testing has indicated users especially appreciate the latter.

But one attendee wanted to know how to communicate to the company the importance of including a short-form notice.

DLA Piper’s Jim Halpert said to simply point to the news. For example, California Attorney General Kamala Harris is expecting firms to do it.

“She has already sued one and is knocking on other doors,” he said, speaking of the suit she recently filed against Delta Airlines for not having a mobile privacy notice.

“We all know you’re gonna have to preach to product people in your companies … What I think might be really compelling here is showing them how lightweight this is to implement,” Sparapani said, speaking of Lookseek and Intuit’s models. “That’s a low resource-intensive means of advancing user privacy.”

If product people are concerned about the notices resulting in additional clicks and losing users offsite, it’s important to show how little friction is involved.

“We’re not talking about a process that forces a consumer to go through multiple clicks,” he said. “It was paramount to our membership that this be low-friction from that perspective.”

Will the Code Succeed? Did the Process?

Dixon said the process was a great opportunity to get beyond the noise and look at the research and see where the patterns pointed.

“Overall, I believe the important incremental step that this code takes is that there is notice of things that never had notice before, including data brokers,” she said.

Sparapani said that at the end of the day, he left the process “quite excited” about the ability of multi-stakeholder processes to move groups toward consensus and bring groups that need to make decisions about their data together in a positive place.

Halpert agreed: “For privacy in America, given the stasis that exists on Capitol Hill, the way to change standards … is actually through running processes like these that can be made usable by small enterprises.”

“I really didn’t think we would get here,” Pedigo said. “It’s been an incredible journey.”

Written By

Angelique Carson, CIPP/US

