Key Elements of a Code of Conduct for Mobile Apps Transparency

Guest blog post from Mary J. Culnan, Senior Fellow at the Future of Privacy Forum

In February 2012, the White House issued a Consumer Privacy Bill of Rights.  In the report, the White House proposed legislation based on the privacy principles in the report and called on NTIA to convene stakeholders to develop enforceable codes of conduct implementing these principles for specific industries.  On July 15, 2012, NTIA convened the first meeting of a multistakeholder process with the goal of developing a code of conduct to provide transparency about how companies providing applications and interactive services for mobile devices handle personal data.  FPF is an active participant in this process.  To date, the NTIA process has focused primarily on developing requirements for disclosure, since effective disclosure is central to transparency and building consumer trust.  While workable disclosure standards are essential, they are not sufficient.  The FTC and others have identified additional characteristics of credible self-regulation, including promoting competition and providing for effective accountability and enforcement.  These issues also need to be addressed during the NTIA process.  Because a large proportion of mobile apps are created by entrepreneurs or small businesses, it is likely these two issues will need to be considered jointly to ensure that the requirements of the final code of conduct are not anti-competitive.

Promoting Competition

On November 29, 2012, the FTC held an interesting workshop on Enforceable Codes of Conduct:  Protecting Consumers Across Borders.  In a keynote address, former FTC Chairman William Kovacic identified how codes can create barriers to entry by favoring incumbents and the ways they do business.  For example, these could include requirements that assume a privacy infrastructure larger firms already have in place while necessitating that small firms or entrepreneurs build an infrastructure from scratch in order to comply with the code.  Kovacic further argued that stakeholders can mitigate these problems during design and implementation by explicit consideration of competition as the code is developed, and evaluation after the fact to ensure there are no unanticipated consequences.

Effective Accountability and Enforcement

There are common principles for effective self-regulation, independent of the context, and many of these were discussed at the November FTC workshop described above.  In 2011, Dennis Hirsch and Ira Rubenstein published an article where they outlined the design considerations for enforceable codes of conduct to implement a broader set of privacy principles, citing an earlier version of the White House report as an example of this approach.  Organizations following an approved set of rules would enjoy safe harbor under an enforcement regime.  Hirsch and Rubenstein argued that accountability is critical to the credibility and success of any self-regulatory regime, and proposed a mix of monitoring techniques including self-certification, third-party audits and certification to keep costs reasonable.  They also cited the need for procedures to handle complaints and resolve disputes.  Individuals should exhaust their options under these dispute resolution procedures before a complaint is referred to the FTC or the state attorney general for an enforcement action.

Implications for Mobile Apps Transparency

Many of the traditional methods for transparency, accountability and enforcement have the potential to be anti-competitive.  For example, requiring organizations to post an online privacy notice on their website works well for ecommerce because online companies of all sizes use a website as a platform to do business.  App developers have no such need for a public website when they deliver their apps through an app market.  Very small app developers may not have the resources to create and maintain a public website that is not needed for their business.  Similarly, small app developers may not have the resources to develop programs to handle complaints or hire a third party to process complaints on their behalf.

The recent agreement the California Attorney General negotiated with many of the largest mobile app markets provides a potentially attractive solution for promoting accountability and enforcement while simultaneously promoting competition.  The agreement also will help educate app developers about privacy and their responsibilities.  Under this agreement, the app markets will include in the app submission process data fields for the developer to link to the app’s privacy policy or a place to include the text of a privacy statement for that app.  The app markets will either enable the link or display the privacy statement.  Further, the app markets will implement procedures for users to report complaints, and for investigating and addressing the complaints they receive.  App developers should self-certify that they will comply with their privacy notice and participate in the complaint resolution process.

Finally, other stakeholders in the mobile apps ecosystem can provide additional support for app developers by creating privacy policy generators or other tools that can help even the smallest app developer make their information practices transparent.  As there is likely to be a similar learning curve for app developers as there was for .com firms in the 1990s, trade associations and other organizations in the ecosystem can help app developers understand that privacy is good for business because transparency is one key to earning and keeping the trust of consumers.

 
