NTIA Mobile Apps Privacy Process Moves Forward
Since the summer of 2012, the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) has convened a multistakeholder process—involving consumer groups, privacy advocates and a wide range of businesses—aimed at improving transparency in consumer mobile application privacy practices. NTIA launched this multistakeholder process in response to the White House's call for a Consumer Privacy Bill of Rights in early 2012.
Over time, the process focused on developing a model code of conduct for "short notices" in which consumer applications (apps) could inform consumers succinctly of key aspects of their privacy practices. On July 25, 2013, stakeholders agreed—in an action NTIA Administrator Lawrence Strickling called a "seminal milestone"—to move to testing and possible implementation of the consumer notices. The current version of the code is available at the NTIA's website.
Stakeholders and the NTIA hope that by providing more transparency, consumers will become more comfortable with mobile apps and, in time, apps may compete on the basis of their privacy practices. The idea is that the use of common terms and formats by app developers will serve to educate the public and improve transparency within and among apps. A number of stakeholders have already expressed support for the code.
The next step is for app developers, app publishers and other interested entities to work on implementing the "short notice" established in the code. They likely will first test whether the code improves consumer understanding and awareness of mobile app privacy practices before committing to full implementation. Several approaches have already been suggested.
Although the draft code is moving into the testing phase, several important issues remain unresolved. Of course, companies are under no obligation to test or implement the short notices; adherence to the code of conduct is entirely voluntary. In addition, the multistakeholder process may be reconvened if the testing and implementation process shows that consumers do not understand the new short notices called for by the code. However, no meetings are scheduled, and it is uncertain whether any modifications to the code will be made in the future.
Companies that publish consumer apps should consider whether to follow the code. That decision will require a careful assessment of a number of technical, business and legal issues. In particular, companies that publicly pledge to follow the code will be deemed to have made a representation subject to enforcement by the Federal Trade Commission (FTC) under its consumer protection jurisdiction. As a carrot, the Administration's Consumer Privacy Bill of Rights contemplated that the FTC would take adherence to a "strong" code of conduct into account favorably when contemplating enforcement actions. As of this writing, the FTC has not commented on the most recent iteration of the code.
Having participated in the stakeholder process from the beginning, Wiley Rein can assist companies in evaluating the code of conduct.
