U.S. Government Releases Draft Self-Regulatory Code of Conduct for Mobile App Privacy Notices

more+
less-

The National Telecommunications and Information Administration (NTIA) has published a draft of self-regulatory guidelines for privacy notices for mobile apps. This version is for companies that participated in the process of developing the guidelines to test with their consumers.

Unlike the recently introduced mobile privacy guidelines provided by the Digital Advertising Alliance (DAA), the NTIA’s “Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices” addresses only notice of privacy practices and does not address the issues of consent or data security.

The NTIA Short Form Notice Code of Conduct is intended to provide consumers with information about the data collection and sharing practices of mobile apps in a consistent manner so that consumers can compare and contrast data practices of apps.

App developers and publishers that voluntarily elect to use a short form notice as provided in the Code of Conduct must describe in the notice:

(a) the collection of certain types of data, whether or not consumers know that it is being collected;
(b) a means of accessing a long form privacy policy, if any exists;
(c) the sharing of user-specific data, if any, with certain third parties; and
(d) the identity of the entity providing the app.

Where practicable, app developers are encouraged (but not required) to provide consumers with access to the short form notice prior to download or purchase of the app. However, the notice “shall be readily available from the application.”

The short form notice must also state which of the following data categories the app collects:
• Biometrics (information about one’s body, including fingerprints, facial recognition, signatures and/or voice print)
• Browser History (a list of websites visited)
• Phone or Text Log (a list of the calls or texts made or received)
• Contacts (including list of contacts; social networking connections or their phone numbers; postal, email and text addresses)
• Financial Info (including credit, bank and consumer-specific financial information such as transaction data)
• Health, Medical or Therapy Info (including health claims and other information used to measure health or wellness)
• Location (precise past or current location of where a user has gone)
• User Files (files stored on the device that contain your content, such as calendar, photos, text or video)

Data is deemed to be collected only if transmitted off the device. A short form notice is not required for sharing consumer data with third-party service providers where a contract between the app and the third party explicitly (i) limits the uses of the data provided by the app to the third party solely to provide a service to or on behalf of the app; and (ii) prohibits the sharing of the consumer data with subsequent third parties.

A notice is not required for the collection and sharing of data that is necessary to:
(a) maintain, improve or analyze the functioning of the app;
(b) perform network communications;
(c) authenticate users;
(d) cap the frequency of advertising;
(e) protect the security or integrity of the user or app;
(f) facilitate legal or regulatory compliance; or
(g) allow an app to be made available to the user on the user’s device.

The Short Form Notice Code of Conduct acknowledges that different devices will use different methods for displaying the notice. The Code states that, where practicable, the short form notice should display the pertinent information in a single screen, and the text and font should be distinct so as to easily stand out from the page background.

The DAA and the Network Advertising Initiative released more comprehensive mobile privacy guidelines that spell out when and how first and third parties should obtain consent. Earlier this year, the California Attorney General released a set of mobile privacy guidelines, noticeably stricter than guidelines provided by the industry groups. The FTC has also issued two sets of mobile privacy guidelines, and its recently revised COPPA Rule, which applies to mobile apps, took effect July 1, 2013. All these developments signal that the data collection and sharing practices of mobile apps and mobile platforms are under scrutiny. App and platform developers should pay particular attention to these privacy best practices when designing their products.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.