Agreement calls for mobile app privacy disclosures

[Image: sample disclosure screens. Sample screens disclose what is collected and how it is shared (Source: NTIA)]

A new voluntary code has been tentatively established to assure greater transparency in the types of information apps collect and how the information is used, but it’s not entirely clear whether the code will be implemented and, if so, who will abide by it. Yet, according to Future of Privacy Forum Director Jules Polonetsky, it can serve as a road map for app developers “who want to do the right thing but don’t have a budget for lawyers.” While the new code is not binding, it represents a “compromise effort that could be called a consensus,” according to Polonetsky, who said that it was supported by a diverse group of companies, trade associations and advocacy groups.

This “voluntary Code of Conduct for mobile applications” resulted from a series of meetings convened by the Department of Commerce’s National Telecommunications and Information Administration. Over the course of several meetings, a large number of stakeholders participated, including major Internet companies, small app developers and advocacy groups like the Center for Democracy and Technology, the ACLU and others.

The NTIA convened the process in response to White House pressure to get stakeholders from industry and consumer groups to help develop guidelines. Polonetsky expects that the Obama administration will eventually propose legislation but that it will be “high level,” in that it won’t mandate specific steps. This code does provide specifics on how app developers can comply.

The Draft Code of Conduct (it’s still a draft because not all parties have signed on) would require app developers who agree to abide by it to display information about application practices in a consistent way, to help consumers “compare and contrast data practices of apps.” The idea is to present consumers with “short notices” to “enhance consumer trust” without “discouraging innovation in mobile app notice or interfering with or undermining the consumer’s experience.”

If implemented, the notices will state which, if any, of the following categories of information is being collected:

  • Biometrics (information about your body, including fingerprints, facial recognition, signatures and/or voice print)
  • Browser History (a list of websites visited)
  • Phone or Text Log (a list of the calls or texts made or received)
  • Contacts (including list of contacts, social networking connections or their phone numbers, postal, email and text addresses)
  • Financial Info (includes credit, bank and consumer-specific financial information such as transaction data)
  • Health, Medical or Therapy Info (including health claims and other information used to measure health or wellness)
  • Location (precise past or current location of where a user has gone)
  • User Files (files stored on the device that contain your content, such as calendar, photos, text, or video)

And it will also indicate who the data is being shared with:

  • Ad Networks (Companies that display ads to you through apps.)
  • Carriers (Companies that provide mobile connections.)
  • Consumer Data Resellers (Companies that sell consumer information to other companies for multiple purposes including offering products and services that may interest you.)
  • Data Analytics Providers (Companies that collect and analyze your data.)
  • Government Entities (Any sharing with the government except where required by law or expressly permitted in an emergency.)
  • Operating Systems and Platforms (Software companies that power your device, app stores, and companies that provide common tools and information for apps about app consumers.)
  • Other Apps (Other apps of companies that the consumer may not have a relationship with.)
  • Social Networks (Companies that connect individuals around common interests and facilitate sharing.)

In a statement, NTIA Administrator Lawrence Strickling said that his agency “is pleased that today a diverse group of stakeholders reached a seminal milestone in the efforts to enhance consumer privacy on mobile devices.” He said that he encourages companies who participated “to move forward to test the code with their consumers.”

The operative word in Strickling’s comment is “test.” This is not yet a true code of conduct. It hasn’t been officially adopted and it isn’t even clear that companies that say they support it will ultimately implement it.

Future of Privacy Forum director Jules Polonetsky supports the agreement

Polonetsky characterized the tentative agreement as “an emerging consumer-friendly but practical center where a number of groups, in the interest of getting something done for consumers, worked hard to come up with efforts that moved the ball forward but could be acceptable to industry and a number of trade groups.”

In a statement, American Civil Liberties Union (ACLU) legislative counsel Christopher Calabrese said his organization “supports this code as a modest but important step forward for consumer privacy,” adding that “it allows applications to compete on privacy and gives consumers a tool to pick the most privacy friendly applications.” However, the ACLU continues to support comprehensive privacy legislation “in order to gain meaningful privacy protections for consumers.”

Not everyone involved with the process supported the outcome. Consumer Watchdog privacy director John Simpson pointed out that guideline supporters aren’t saying that they will actually adopt or abide by the code. Simpson said that his group doesn’t support the proposed guidelines, arguing that “the multi-stakeholder process that they are trying to use doesn’t get us anywhere. It’s a mess.” Consumer Watchdog is calling for privacy legislation.

Who are the signers?

I noticed that there was no list of companies on any of the materials distributed by NTIA, nor is it clear from the documents how each stakeholder voted. “During the meeting they polled the stakeholders as to whether to record the names of the voters,” said Simpson, “and there was no consensus to do that.” AdWeek’s Katy Bachman wrote that “20 groups, including the American Civil Liberties Union, the World Privacy Forum and the Electronic Frontier Foundation, supported it, but the vote carried no obligation for recommending or adopting the code. Seventeen participants voted for more consideration, and one objected.”

Enforceable if a company agrees to follow it

While Simpson is correct that supporting the code isn’t a commitment to abide by it, any company that publicly says it’s implementing the code can be held legally responsible by the Federal Trade Commission and other enforcement agencies for adhering to its commitment.

This post first appeared on Forbes.com