NTIA Process Yields Privacy Code Seen As Unfinished Product in Need of Testing

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Alexei Alexis  


After a year, an effort by the National Telecommunications and Information Administration to facilitate the development of a voluntary code of conduct on mobile privacy has resulted in what is viewed as an unfinished product that is moving into the testing phase with the support of several leading industry and consumer organizations.

The process has produced a document that calls for mobile application developers to be more transparent, through the use of “short form notices,” about their collection and sharing of consumer data, such as financial, health, biometric, and location information. However, significant work remains, some stakeholders told BNA July 26.

“The document is not yet finalized, as there are still a number of outstanding issues,” Carl Szabo, policy council for NetChoice, a Washington trade association of e-commerce businesses, said in a BNA interview. “With user testing, we can finally get real data on what consumers want. We must all be willing to change the draft based on what we learn.”

The code is the result of multistakeholder meetings that have been convened and facilitated by NTIA under the direction of the White House. Some stakeholders pushed to finalize the code at a July 25 meeting, but others felt that the document was not yet ready, according to Szabo. He noted that an “outstanding issues” list published by NTIA before the meeting contains a number of thorny items that have been put on hold until after the testing phase has been completed.

Code 'Frozen' to Allow Testing

Rachel Thomas, vice president of government affairs at the Direct Marketing Association, told BNA that her organization was not yet ready to endorse the code, although it supports the NTIA process and is hopeful that it will result in a positive outcome.

“This code is not final,” Thomas said. “There was a strong consensus [at the meeting] to freeze the code for the purpose of testing.”

Stu Ingis, an attorney in the Washington office of Venable LLP and a counsel for the Digital Advertising Alliance, a consortium of leading U.S. marketing trade groups, agreed that stakeholders still have work to do.

“There has been a lot of good work and progress done here, but it is not a finished consensus product,” he told BNA. “Efforts to just declare consensus ultimately will undercut the process and adoption.”

The effort is part of a larger campaign launched by the White House in response to growing concerns about whether current U.S. consumer privacy protections are adequate for the digital age. NTIA, a division of the Department of Commerce, was charged with facilitating the development of voluntary privacy codes of conduct to advance principles such as transparency.

FTC Enforcement Possible

A company that makes a commitment to comply with a code but fails to do so could face an enforcement action from the Federal Trade Commission, through the agency's authority to prohibit unfair or deceptive practices, according to the White House plan.

NTIA kicked off a series of meetings on mobile transparency in July 2012. At the time, NTIA Administrator Larry Strickling explained that mobile transparency was chosen as an initial topic for stakeholders to tackle because it is a privacy challenge that affects many consumers “yet is discrete enough to be addressed in a reasonable period of time.” However, despite a number of meetings, stakeholders have struggled to finalize a mobile transparency code.

Work on the code that has been produced was largely spearheaded by a team of stakeholders that includes the Application Developers Alliance (ADA). After the latest meeting, the ADA issued a statement touting the success of the effort.

“Today's agreement that the model notices are ready for introduction and consumer testing is a win for both consumers and app developers,” ADA President Jon Potter said. “The voluntary, at-a-glance notice is meant to quickly and easily inform consumers what sensitive personal information the apps collect and if that information is shared.”

The statement cited support from various stakeholders, including CTIA-The Wireless Association, Intuit, Verizon, AT&T, the American Civil Liberties Union, Consumer Action, the World Privacy Forum, the Future of Privacy Forum, Consumers Union, the Center for Democracy and Technology, the Electronic Frontier Foundation, and the National Consumers League.

Strickling issued a statement saying the agency was pleased that stakeholders had reached a “seminal milestone” in the process.

“We encourage all the companies that participated in the discussion to move forward to test the code with their consumers,” he said. “I want to congratulate all of the participants, who through their commitment and dedication have demonstrated the promise and importance of the multistakeholder policy-making process.”

Critics Cite Flaws in Code, NTIA Process

The Consumer Federation of America (CFA) issued a statement that was critical of both the code and the NTIA process that produced it.

“While the idea of short form notices is appealing, the information that they would provide under this code falls far short of what is needed to tell mobile application users what is really happening with their data,” the group said. “…Most disturbingly, while the code calls for mobile app developers to disclose whether users' data will be shared with certain types of third parties, such as social networks and ad networks, no disclosure is required when the data is shared with the very same types of entities if they are part of the same corporate structure as the app developer. This means that app users will be misled, in some cases, into thinking that their data will not be shared with certain types of entities when in fact it will be.”

In addition, the CFA said there was never any clear procedure for how the process would work and what would constitute success. The latest meeting “was as confusing as the process has been all along, with a 'vote' being taken that allowed multiple attendees from the same companies or organizations to vote and resulted in no clear consensus,” the group added. “The groups that drafted the code, a small subset of the stakeholders, simply declared victory and the process ended.”

Consumer Watchdog issued a statement saying that the NTIA year-long effort demonstrates the futility of crafting codes of conduct through a voluntary multistakeholder process and underscores the need for legislative action.

The NTIA process “simply has not worked,” said John Simpson, Consumer Watchdog's privacy project director. “The first effort was supposed to be the simplest--a Transparency Code for mobile apps. That morphed into short-form transparency notices that at best provide marginal improvements in privacy protection that companies can say they support, but will be allowed to ignore.”

Full text of the privacy code is available at http://www.ntia.doc.gov/files/ntia/publications/july_25_code_draft.pdf.