NTIA Code Requires Disclosure of Information Collection Practices Before App Downloads
By Ryan Chiachiere
On July 25, 2013, the National Telecommunications and Information Administration released a draft document entitled the “
Section II constitutes the substantive core of the Code, requiring app publishers to provide an easy-to-understand short form notice to consumers prior to download or purchase of an app that discloses, where applicable, the app’s collection of certain types of data and the sharing of these “user-specified data” with certain third parties. Data are “collected” if “transmitted off of the device,” and user-specified data do not include aggregated or de-identified information.
The notice requirement is triggered when data are shared with ad networks, mobile carriers, consumer data resellers, data analytics providers, government entities, operating systems and platforms, other apps or social networks.
There are, of course, exceptions to these requirements. Those exceptions largely track exclusions familiar to those used to U.S. GLB (financial services) privacy requirements. For example, if the app facilitates purchases but does not otherwise collect financial information, the requirement is not triggered. Furthermore, where the third party and the app have explicitly contracted (i) to limit the use of the data provided to the provision of a service on behalf of the app and (ii) to prohibit the data from being shared with additional parties, notice is not required. The Code also exempts the “most common app collection and sharing activities for operational purposes” from the notice requirement, including, for example, activities necessary to “maintain, improve, or analyze the functioning of the app” and to “authenticate users.”
Interestingly – and without any analog in GLB – apps in which the user actively submits the data and the app itself does not encourage that submission also need not provide notice.
Section III of the Code discusses design elements that must be included in the notice, but notes that implementation may vary and “allows and encourages flexibility and innovation.”
Some consumer advocates have expressed
The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.
Whether the Code proves an enduring answer to the question of app privacy notices may depend largely on how broadly it ultimately is adopted.
Caveat Vendor is Paul Hastings' Consumer Issues blog.