Privacy Is Now A Priority

Date: March 4, 2014

This article was originally published in AM&P's Signature magazine, November/December 2013.

A new privacy code for apps tries to help consumers understand what is really happening with their data.

The National Telecommunications and Information Administration of the U.S. Department of Commerce announced a new Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices this summer, and industry groups are busy commenting on pros and cons. The code is voluntary, but would be applicable to apps that associations and nonprofits develop.

The code was developed by a stakeholder group of privacy, civil liberties, and consumer advocates, as well as app developers and publishers. It is intended to provide consumers with a standard form of privacy notice identifying at the point of purchase what information is collected and what is not.

The new code provides for a short-form privacy notice, though it notes that some states, such as California, require app developers to post a full privacy notice for apps that are distributed into the state. Such long-form notices are encouraged under the code. According to the code, the short-form notice should state whether information in the following categories is collected by the app:

  • Biometrics (physical information, such as fingerprints, facial recognition, signatures, etc.)
  • Browser history
  • Phone or text log
  • Contacts
  • Financial information
  • Health
  • Medical or therapy history
  • Location
  • User files

The code also provides for advising whether the app shares user-specific data with any third party in the following categories: ad networks, carriers, consumer data resellers, data analytics providers, government entities, operating systems and platforms, other apps, or social networks.

Certain exceptions are noted for collection and sharing of information. For example, the short-form notice is not called for if the app developers take reasonable steps to de-identify data and contractually prohibit further distribution. Also exempt are activities necessary to maintain, improve, or analyze the app functions, perform network communications, authenticate users, protect the security of the app, facilitate legal compliance, or allow the app to be made available on the user's device.

The Online Publishers Association supported the new code as enhancing transparency for app use. The Consumers Union and Consumer Federation of America criticized the code, saying that the code and the process were flawed. The CFA said the information on a short form does not provide enough information for the consumer to be adequately informed as to “what is really happening with their data.” Also, the CFA said there was no requirement for disclosure if the entity receiving shared data is part of the same corporate structure as the app developer.

Associations that develop apps should, of course, be familiar with the code and other federal and state guidelines, but should also clearly understand that the voluntary nature of such app privacy notices may be an illusion. Since privacy has been identified as a priority issue in Congress, California, and other states, it would not be surprising to see some of the mobile app privacy guidelines become law in the future.

Also, in 2012, California initiated legal action against Delta Airlines for the failure to post a privacy policy that covers Delta's mobile app, indicating that not only app developers but distributors will be targeted. Although this action was dismissed in May 2013, associations should consider these rules carefully when developing apps and working with vendors.