Mobile privacy stakeholders disagreed over the status of a voluntary code of conduct for mobile app developers, as the NTIA praised the industry representatives and advocacy groups for agreeing to begin user testing of the code. NTIA Administrator Larry Strickling applauded the group for having “reached a seminal milestone in the efforts to enhance consumer privacy on mobile devices,” in a statement after our deadline Thursday. As the process moves into testing, NTIA is likely to turn its attention to facial recognition technologies for its next privacy process, stakeholders told us the next day.


Stakeholders voted Thursday to begin testing the code — which would require signatories to inform users of an app’s data collection and sharing practices through short-form notices. They disagreed over what status the code should have as it moves into user testing (WID July 26 p1). The code’s drafters and proponents argued that the code should be “finalized” before app developers begin testing how well consumers understand it, while the code’s opponents voted for the code to undergo “further consideration” before finalization. The final vote was 20 stakeholders supporting the current version of the draft and 17 supporting further consideration, though stakeholders said during the meeting that some organizations had multiple representatives vote. Two groups “endorsed” — or announced their intention to commit to implementing — the code, and one stakeholder objected to the code.


Outstanding issues remain for stakeholders, including whether the draft should require the “nutrition label” approach or the “ingredient list” approach. Under the nutrition label approach, apps would be required to list every data element outlined in the code and specify whether it collects that element. Under the ingredient list approach, apps would be required to list only the data elements that are collected. Industry representatives have favored the ingredient list approach because they say it’s easier for users to understand, while privacy advocates favor the nutrition label approach because they say it allows users to compare data collection policies across apps. The code allows for implementers to conduct user testing and reevaluate the nutrition label approach based on the results of that testing.


The code’s advocates and opponents agreed it needs to move out of the drafting phase and into the testing phase. “It’s time for lawyers to put down their pens and for coders to pick up their keyboards,” said Jonathan Zuck, Association for Competitive Technology president, during Thursday’s meeting. The privacy-advancing principles, not the document itself, have to be the priority, he said. “Testing them and making sure they’re right … has to be our number one priority.” NTIA Director-Privacy Initiatives John Verdi told us he’s “happy that the group is transitioning from drafting to testing and implementation.”
User testing was initially going to occur within the NTIA process, but the potential for testing diminished when the user testing working group couldn’t agree on how to conduct and incorporate the results of the testing, stakeholders told us.


The finality of the current draft of the code continues to be debated by stakeholders as testing begins. Drafters and supporters of the code see the document as being finished, they told us. “I think the document is finalized,” and it will be evaluated after user testing, said Pam Dixon, a drafter and World Privacy Forum executive director. Dixon pointed to the support from multiple privacy advocates as well as industry groups, including the Online Publishers Association, as an “amazing outcome” and sign of the code’s success. “We had a consensus” to stop reworking the language until after testing, she said. “There’s nothing more to talk about. Everyone’s positions are clear.” The group’s “agreement that the model notices are ready for introduction and consumer testing is a win for both consumers and app developers,” said Jon Potter, president of the Application Developers Alliance, in a statement. ADA Vice President-Government Relations Tim Sparapani was a member of the drafting group. Michelle DeMooy, a drafter and Consumer Action senior associate-national priorities, said during the meeting that the group feels “like this is a finished, for now, code of conduct.” Representatives from the online ad industry are trying to be obstructionist and drag out the process, she said. If the group had voted to continue working on the code’s language, consumers groups — including hers — were likely to walk away from the process, she said.


Those who voted for “further consideration” think the draft isn’t finished. “How can you finalize something before you’ve tested it?” asked Direct Marketing Association (DMA) Vice PresidentGovernment Affairs Rachel Thomas after the meeting. “If there are things that need to be changed, there needs to be space for that to happen,” she told us. Groups like the DMA need to be able to take the code and the results of the code’s testing to their members before they can agree to sign on, she said. “There was no consensus reached on the final document,” Carl Szabo, NetChoice policy counsel, told us. The group “might have been too quick to go to the writing” without conducting the research and testing, he said. The drafters were surprised by the opposition in the room during Thursday’s meeting, “but they shouldn’t have been because there were 17 outstanding issues,” he said.


Examining the results of user testing will likely lead to changes in the code, Szabo said: The stakeholders that are pushing for user testing prior to finalizing the code “have an idea of what consumers expect to see” and anticipate that users will understand the ingredient list better than the nutrition label. “I am confident that if we let consumers decide … the results will show what many of us have been advocating,” he said. By keeping the code open, more developers can benefit from the results of the user testing, he said, “rather than limiting it to only the companies that can afford the testing.”


Other stakeholders told us they don’t expect testing to change the requirements in the draft. Though some stakeholders are likely to come back in a few months after testing “with certain perspectives that will not have changed,” Software and Information Industry Association Senior Director-Public Policy David LeDuc said he doesn’t anticipate “significant changes.” Computer and Communications Industry Association Public Policy Counsel Ross Schulman said he doesn’t anticipate that “a whole lot of massive change will come out of testing.” The two groups support the code of conduct.


Facial recognition will likely be the topic for the next NTIA multistakeholder privacy process, stakeholders told us. If facial recognition is the next topic, discussions will likely focus on what sensitive data can be gleaned from facial recognition devices, how to give consumers notice and the chance to opt out of data collection and other issues discussed in an FTC staff report about the technology from last year (WID Oct 23 p1). NTIA Associate Administrator and Director-Internet Policy John Morris said during Thursday’s meeting that the agency will be holding a meeting for the purpose of “talking about how to improve the entire process” as it continues to facilitate privacy initiatives. NTIA hasn’t announced the new topic and declined to comment when asked if it would be facial recognition. — Kate Tummarello


“Reproduced by permission of Warren Communications News, Inc., 800-771-9202,”