The National Telecommunications and Information Administration (NTIA) led a multi-stakeholder process last year aimed at developing a voluntary code of conduct for mobile app transparency. Some of those who participated in the process spoke at a Global Privacy Summit preconference session Wednesday on why a multi-stakeholder process was chosen, what the code looks like and whether the process was a success.

The NTIA’s John Verdi led the stakeholder process for the Department of Commerce but was quick to tell the room that the code—now in its final draft after 142 earlier versions, 19 of which became public—is not a government product.

“This is not something NTIA drafted; we are indebted to the very hard work of stakeholders and will continue to be indebted as we debate, negotiate and find creative solutions, especially given the gridlock of Washington.”

Why the Process? Why Transparency?

The NTIA initiated the process, Verdi said, because, well, President Barack Obama asked it to do so. It was clear some guidance on mobile app privacy was needed as the space continues to grow rapidly, and developers, particularly the small ones, continue to bump up against enforcement actions and struggle with how to communicate their privacy practices to users.

“We understood that the app marketplace relies on trust, unlike some other enterprise markets where consumers buy from well-known vendors where they have trust relationships,” Verdi said. “The app marketplace relies in many ways on users visiting a platform store and an app that looks useful and entertaining, regardless of whether they know the company that developed that app. They need to trust that app won’t kill their phone, track their location or upload their contact lists. All those trust factors are needed for apps to thrive.”

But why focus on transparency? Because it was something related to privacy the NTIA felt everyone could agree on as a necessity. And agreement was certainly reached in the end.

“Every single word, down to every comma was negotiated,” World Privacy Forum Executive Director Pam Dixon said of the process.

The NTIA Mobile App Multistakeholder Process—Straight from the Core Drafting Group and the NTIA Facilitator

The ACLU felt good about participating in the group because it wanted to prove “the cats and the dogs could be in the same room without getting in big fights,” said ACLU privacy lobbyist Chris Calabrese.

He added, however, that the ACLU would have hoped that the code would have included all the Fair Information Practice Principles and not just the principle of transparency. It would also have liked to see all platforms included in the talks, but “we’re also in a difficult legislative environment,” he said. “So we looked at this thing and said, ‘What value can we add?’ I think what we decided was the value we could add was giving consumers the ability to compare apps in a standardized way, the way you compare food on the shelf.”

Using that metaphor, consumers can make food comparisons at a glance; they can compare soup ingredients and then pick a different soup, or they can choose to not eat soup at all.

Comparatively, we’re in a time when a variety of apps all do the same thing. A user can buy multiple flashlight apps from various developers, for example.

“So perhaps this creates an opportunity for the first time to compete on privacy,” he said. “I want to be able to compare different apps; I want to be able to compare their practices. At its heart, that was the basic idea. We were trying to operationalize.”

Tim Sparapani of the Application Developers Alliance said he received a lot of flak—namely, being called a heretic—for participating in a process on mobile app transparency. But he saw a huge opportunity rather than a speed bump.

“You all know, because you work with data every day, that consumer trust is always under assault by data breaches, hacking, data brokers selling stuff. Nowhere is the erosion of confidence felt more than in the mobile app space. If you don’t have consumer trust, if you don’t do things to enhance consumers’ understanding of the tools they’re being offered to do what they want them to do, it is likely to lead to a steady deterioration of the mobile app space instead of a broad embrace by the public.”


Intuit’s Amanda Pedigo said the software company is in phase two of implementing the prototype of the code. Phase one indicated some confusion and some design concerns among users.

The code itself contains eight data points that the customer would want to know and that should be indicated to consumers, including which data you collect and which data you don’t; consumer tests indicated consumers were “delighted” to know the data sets that could potentially be collected and appreciated knowing which data sets were not collected despite that.

Lookout Mobile Security Policy Advisor Deepti Rohatgi showed attendees the short-form privacy notice Lookout has recently released as open source, allowing companies to make their own short-form privacy policy in five steps—or in less than an hour. The notice indicates to users not only the data the app is collecting and using but also the data it could collect and does not. Rohatgi echoed that testing has indicated users especially appreciate the latter.

But one attendee wanted to know how to communicate to the company the importance of including a short-form notice.

DLA Piper’s Jim Halpert said to simply point to the news. For example, California Attorney General Kamala Harris is expecting firms to do it.

“She has already sued one and is knocking on other doors,” he said, speaking of the suit she recently filed against Delta Airlines for not having a mobile privacy notice.

“We all know you’re gonna have to preach to product people in your companies … What I think might be really compelling here is showing them how lightweight this is to implement,” Sparapani said, speaking of Lookseek and Intuit’s models. “That’s a low resource-intensive means of advancing user privacy.”

If product people are concerned about the notices resulting in additional clicks and losing users offsite, it’s important to show how little friction is involved.

“We’re not talking about a process that forces a consumer to go through multiple clicks,” he said. “It was paramount to our membership that this be low-friction from that perspective.”

Will the Code Succeed? Did the Process?

Dixon said the process was a great opportunity to get beyond the noise and look at the research and see where the patterns pointed.

“Overall, I believe the important incremental step that this code takes is that there is notice of things that never had notice before, including data brokers,” she said.

Sparapani said that at the end of the day, he left the process “quite excited” about the ability of multi-stakeholder processes to move groups toward consensus and bring groups that need to make decisions about their data together in a positive place.

Halpert agreed: “For privacy in America, given the stasis that exists on Capitol Hill, the way to change standards … is actually through running processes like these that can be made usable by small enterprises.”

“I really didn’t think we would get here,” Pedigo said. “It’s been an incredible journey.”

Written By

Angelique Carson, CIPP/US

