Caveat Vendor

NTIA Code Requires Disclosure of Information Collection Practices Before App Downloads

August 01, 2013

Ryan Chiachiere

On July 25, 2013, the National Telecommunications and Information Administration released a draft document entitled the “Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices” (“the Code”), designed “to provide consumers enhanced transparency about the data collection and sharing practices of apps that consumers use.”  The Code incorporates feedback and guidance based on a yearlong negotiation process involving privacy, civil liberties and consumer advocates, in addition to app developers and publishers, among others, and is designed to “help consumers compare and contrast data practices of apps.”
Section II constitutes the substantive core of the Code, requiring app publishers to provide an easy-to-understand short form notice to consumers prior to download or purchase of an app that discloses, where applicable, the app’s collection of certain types of data and the sharing of these “user-specified data” with certain third parties.  Data are “collected” if “transmitted off of the device,” and user specified data do not include aggregated or de-identified information.
The notice requirement is triggered when data are shared with ad networks, mobile carriers, consumer data resellers, data analytics providers, government entities, operating systems and platforms, other apps or social networks.
There are, of course, exceptions to these requirements.  Those exceptions largely track exclusions familiar to those used to U.S. GLB (financial services) privacy requirements.  For example, if the app facilitates purchases but does not otherwise collect financial information, the requirement is not triggered.  Furthermore, where the third party and the app have explicitly contracted (i) to limit the use of the data provided to the provision of a service on behalf of the app and (ii) to prohibit the data from being shared with additional parties, notice is not required.  The Code also exempts the “most common app collection and sharing activities for operational purposes” from the notice requirement, including, for example, activities necessary to “maintain, improve, or analyze the functioning of the app” and to “authenticate users.”
Interestingly – and without any analog in GLB – apps in which the user actively submits the data and the app itself does not encourage that submission also need not provide notice.

The notice must also include a way for the consumer to access a more detailed privacy policy and the identity of the app’s provider.  Additionally, the Code encourages developers to post a long form privacy policy as well, noting that other state laws, including the California Online Privacy Protection Act, may require it.  (For more on CalOPPA, click here.)

Section III of the Code discusses design elements that must be included in the notice, but notes that implementation may vary and “allows and encourages flexibility and innovation.”
Some consumer advocates have expressed frustration that companies can support the code without binding themselves to it.  If, however, companies endorse the code and agree to abide by it, they may be subject to enforcement actions by the Federal Trade Commission if they fail to adhere to it.  In a release last year regarding self-regulatory codes, the FTC asserted:

The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.

The Consumer Federation of America did not support the Code, calling it “seriously flawed.”  The Center for Digital Democracy abstained from voting, citing its “many concerns about the process” that lead to the Code.  The document was publicly supported by others, however, including the ACLU, the Center for Democracy and Technology, and the Online Publishers Association, an industry group whose board members include executives from broadcast and cable companies.  As reported by Law360, 20 of the participants in the process voted to support the proposal – without necessarily endorsing it – while two participants voted to endorse it.  17 voted for further consideration.
Whether the Code proves an enduring answer to the question of app privacy notices may depend largely on how broadly it ultimately is adopted.

Caveat Vendor is Paul Hastings' Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.