In the three-legged stool of privacy protection, consumer notice starts it all. If consumers aren’t reasonably advised what is going on, all the rest of your work is irrelevant. Mobile developers have struggled with this. The limited screen real estate has given them an easy excuse for throwing up their hands and telling regulators, “you tell us what to do.”
Last week, the National Telecommunications and Information Administration, an agency within the US Department of Commerce, released a draft Code of Conduct for short form notices on mobile. On its face, actually the title, it aims to ‘promote transparency.’ Unfortunately, I think it misses the mark. This is the problem when you leave consumer protection to a group that ensures “that the Internet remains an engine for continued innovation and economic growth.” Even when they talk about online privacy on their About page, it is an issue related to the Internet economy. Your information, your privacy, and your data are just scheckels to be exchanged in this internet economy. If you are a hen, and the fox walks up to guard the henhouse, you need to be afraid.
Enough hyperbole. If you are developing for mobile and pay any attention to privacy requirements, you have been faced with a spider web of regulation and responsible agencies. It is frightening, actually. Okay, maybe not enough hyperbole, just yet.
Let’s look at this Code of Conduct in a bit more detail and see some aspects of it that do hit the mark, and highlight some issues with it.
The Code lays out a laundry list of categories of data you might collect. This is actually a pretty decent list for audit purposes when you are building your app. I note the lack of personal data as a category. The Code only requires the developer to say they collect data in any one category, not the exact data collected. If the user wants to know more, you are only required to link to the parenthetical definition.
Folks, that makes no sense. If your app collects location information from a user’s interaction with your app, tell them what exactly you are collecting, and also why. The Contacts category is even broader, and could include postal addresses of your contacts, but also social networking connections. If you are a lawyer, this Code of Conduct is nice. Just check the box and move on, you did your thing. But you didn’t do the right thing for the user. This Code needs to go further.
Again, the Code merely requires you to notify the user whether you are sharing data and then which third party entity type you are sharing it with. NOT ENOUGH. Think like a user. If you used an app that complied with this Code of Conduct and you were told that it shared data with a social network, would you be satisfied with that, and nothing more. Be honest with yourself.
Again, there is no requirement that the short form notice go any further than providing a link to the definition (“shall enable consumers ready access to … “parentheticals””). You don’t have to go any further, though you “may display more information.” Don’t do the minimum. Do more. Do what your consumers want you to do.
Exceptions Open Wide Holes, Very Wide Holes
I have my problems with what the Code requires, granted. My biggest issue, though, are the exceptions. I could argue a Carrier Battle Group through the holes that they open.
Data Collection Exception
Incidental collection of data if that data is actively submitted and the user is not encouraged to submit it. Argument – if I give you an open data field, don’t make it a requirement to proceed and you give me your mother’s maiden name, I don’t need to tell you I am collecting that data.
Non-passive financial information collection does not require notice. I guess the thought is that if they are purchasing through your app, the user should know that you could collect that information, right. Probably. However, I don’t see anything that prevents you from using that information for purposes other than the transaction.
Requires transmission off the device. Your app can collect all the data it wants from your user, without ANY NOTICE, as long as it doesn’t transmit it off the device. At first glance, this may appear to be ok. But think about all the analytics you can do that use that information on the device within your app. They should have said “data is deemed to be collected if it is non-transiently stored on the device.” Yes, I made up a word. If your app stores information that persists after a session, you should tell your users that you are collecting data. Do not take the easy out.
Data Sharing Exceptions
This gets really fun … and scary. You can share data indiscriminately with any third party, WITHOUT NOTICE, as long as a contract limits the use of that data to provide a service, and prohibits the sharing with another third party. The argument is that the third party is merely an extension of your company, so no big deal right. Think about your consumers. Would they care? Yes, they would. Especially when that third party has a breach.
Aggregate, de-identify, and then dance a happy jig. If you aggregate data or de-identify data, you don’t need to say anything to the user about data sharing. How many times do we need to be told that aggregate, de-identified can yield personal information:
I don’t care what you do with the data collected. Tell your users. If you aggregate it and de-identify it, TELL THEM. Don’t hide behind this convenient cover. It just feels wrong given history.
What Should You Do?
If you are a mobile app developer, you do need to at least comply with this Code of Conduct. It will be seen as a minimal duty of care. Don’t stop at the minimum.
I like the idea of a short form notice in the app itself, so bravo for that. I like the idea of doing it by data element type, and allowing it to be machine-readable. This would allow a meta-app to investigate all the other apps on a device and give a report. Perhaps the mobile OS itself.
I can’t seem to get away from privacy issues. Both on mobile and social. I will spend some more time this week looking at mobile privacy and examining some of the other missives that have been published. It is a many-headed hydra, but no one ever promised it would be easy, did they?