Mobile Privacy Stakeholders Debate Data Definitions
NTIA mobile privacy stakeholders met Thursday to discuss a voluntary code of conduct regarding how apps inform users what information they collect and how they use and share that information. The voluntary set of best practices, once adopted, would create an obligation for adopters, said John Verdi, NTIA director-privacy initiatives. “Once [apps] adopt, it is enforceable” by regulators including the FTC and state attorneys general, he said. Stakeholders discussed how the draft’s wording affects that obligation: “‘Shall’ and must are mandatory. ‘Should’ is recommended,” Verdi summarized.
Stakeholders debated the draft’s descriptions of the data categories, which would pop up when users hover over the category title in short form notices. The descriptions “are well drafted,” said Jim Halpert, technology lawyer at DLA Piper and general counsel to the Internet Commerce Coalition. While the definitions were drafted with the goal of explaining to consumers what data is being collected, he continued, they're going “to be functionally like definitions” so app developers know what to include in the short form notices. Halpert suggested the formation of a working group to “figure out how to best explain this to consumers.”
Users need to have information on the complex ways their sensitive data are collected and used, said Jeff Chester, executive director of the Center of Digital Democracy. According to Thursday’s discussion draft, apps would have to notify users via short form when they collect financial information -- described as “credit, bank and other customer-specific financial information including purchase history other than information collected for a purchase either within the or through the app” -- and health, medical or therapy information -- described as “health and disease management, diagnoses, insurance company information such as past and present claims, and information collected by the app that measures your health or wellness.”
This doesn’t cover the ways that apps can use information such as web searches to make determinations about users, Chester said. Pam Dixon, executive director of the World Privacy Forum and one of the draft’s authors, said these broader descriptions were the easiest way to communicate these categories of data to users. “Because this area is so complex, really the only way through it is to go very high level,” and users can find more specific information in the long form privacy policies if they are interested, she said.
Stakeholders debated whether apps needed to notify users via short form notice if they collect information on the age of users. The discussion draft presented at Thursday’s meeting included “age of user” in the list of data categories that would require short form notice. Sparapani said that entry was added because the drafters “were thinking, in part, about [the Children’s Online Privacy Protection Act] and responsibilities.”
Apps could notify users if the app collects age information only if the app’s targeted audience is one of two “categories of vulnerable users,” which are children under the age of 17 and senior citizens over the age of 70, according to Halpert, who put forward the proposal. “That sort of info collection is pretty trivial” to most apps that don’t target these categories of vulnerable users, Halpert said. By limiting age collection notification to the “small subsets” of apps that target these specific audiences, the code could avoid forcing all apps to litter their short form notices “with what’s essentially a meaningless data element,” he said.
While consumer and privacy advocates generally supported including age in the list of information that requires short form notice, many stakeholders said they wanted it removed from the list entirely. A user would have to enter their age information, including date of birth, for an app to be able to collect that information, said Ellen Blackler, Walt Disney Company vice president-global public policy. At the same time, Halpert’s age bracketing system would be “overly complex,” she said. Susan Grant, director-consumer protection at the Consumer Federation of America, said apps should notify users when they collect age information because technology could advance to the point where apps could collect that information without user input. “I worry about taking it out if in fact there is the potential for them to get it from third parties,” she said. Ultimately, the majority of stakeholders voted to remove age from the list. The code’s drafters acknowledged that while they are not bound to honor the vote in revising the draft, they are committed to crafting the draft to reflect the common goals of the stakeholders.