By Jedidiah Bracy, CIPP/E, CIPP/US

Never has the mobile app ecosystem been as popular and dynamic as it is now. Smartphones and the use of mobile apps are practically ubiquitous and are giving the economy a needed boost. With that boost, though, come very unique privacy concerns and challenges.

And privacy regulators have taken notice.

In a two-month span between January and February of this year, the California attorney general and the U.S. Federal Trade Commission (FTC) both released mobile privacy guidelines, while the EU’s Article 29 Working Party (WP29) issued an opinion on apps on smart devices. Before that, in 2012, the U.S. Department of Commerce initiated an ongoing National Telecommunications and Information Agency (NTIA) multi-stakeholder process to issue specific codes of conduct for mobile short-form notices. Other private-sector groups have also released mobile guidelines, including those issued by the Future of Privacy Forum in conjunction with the Center for Democracy & Technology and the GSMA's Mobile Privacy Principles. Additionally, industry groups such as the Digital Advertising Alliance and Network Advertising Initiative are all rumored to be working on their own versions.

So, in the face of myriad guidelines, what’s an app developer to do? Will this fragment the mobile ecosystem? In which direction can a developer turn? And will these guidelines ultimately help or hurt the consumer?

“Despite the flurry of mobile guidelines,” notes Jules Polonetsky, CIPP/US, co-chair of the Future of Privacy Forum, “they’ve all emphasized the same core points.” 

The Common Denominators

In January, California Attorney General (AG) Kamala Harris and the AG’s Privacy Enforcement and Protection Unit published mobile privacy guidelines, the first regulator to do so. In fact, Privacy On the Go: Recommendations for the Mobile Ecosystem was part of a “larger initiative” by Harris to “bring industry in line with California law requiring mobile apps that collect personal information to have a privacy policy.” In 2012, the AG led an agreement with major app platform businesses, including Amazon, Apple, Google, Hewlett-Packard, Microsoft, Research in Motion and Facebook.

“That agreement (with the platform providers), we believe, improved transparency in privacy policies for consumers across the nation,” says outgoing Special Assistant Attorney General Travis LeBlanc. “However, privacy policies don’t resolve all concerns.”

LeBlanc says the AG’s office realized they needed to do more.

“We wanted to ultimately put together a document with the hope of giving developers a toolkit—a short document they could use at the start to assess their privacy practices, prepare a policy and aim for best practices,” he notes.

The guidelines are clear that developers should be considering privacy at the start of the design process—something seen in other mobile guidelines, particularly the FTC’s. Developers should also think about data collection, data minimization, a clear privacy policy and other “enhanced measures”—or “surprise minimization”—to alert and supply users with control over data practices.

A month after the California AG, the FTC released Mobile Privacy Disclosures: Building Trust Through Transparency, providing best practice suggestions not only for developers but for platform providers, ad networks and other trade associations. They also call for clear, easy-to-access privacy policies and just-in-time disclosures, and they recommend that developers improve coordination with ad networks and other third parties.

Under the current European Data Protection Directive, according to a WP29 opinion released in late February, “lack of transparency and awareness of the types of processing” topped the list of concerns for the EU-based regulators. And although the WP29 writes that data protection risks stem “from the degree of fragmentation between the many players in the app development landscape,” the opinion notes that “most conclusions” are “aimed at app developers.” The opinion focuses on consent mechanisms, data minimization, adequate security, obligations for informing the end user, reasonable retention limits and fair processing of children’s data.

“The WP29 opinion attempts to clarify complex legal questions, but I’m not sure it’s done that,” says GSMA Director of Privacy Pat Walshe. He notes the Working Party doesn’t need to collaborate with industry, something he finds strange. Walshe says it’s important for stakeholders to come together and that there’s a role for a code of conduct to guide industry best practices. Walsh also points out that the GSMA's Mobile Privacy Principles, which were built into the California AG's guidelines, are the only guidelines being implemented via an accountability framework.

The NTIA Multi-Stakeholder Process

Among the many guidelines issued thus far, perhaps the one with the most potential impact is the NTIA multi-stakeholder framework. The FPF’s Polonetsky has said many app developers want clear guidelines, and what the NTIA is attempting to hammer out provides that clear and quick standard.

“The NTIA process is the best process for consumers and app developers,” says Tim Sparapani, App Developers Alliance vice president of law, policy and government affairs. “It seeks simplicity, harmonization and ease of implementation.”

The process is a rare one. It’s essentially a collaboration between privacy advocates and businesses. The American Civil Liberties Union, Consumer Action, the World Privacy Forum (WPF) and the FPF are all among the stakeholders.

Sparapani says the NTIA process has “engaged developers in deep conversation, made distinctions between big and small developers and vertically integrated companies” to hopefully help inform a pragmatic but effective outcome.

The specific goal in the process is to create guidelines for short-form notices to help bolster app transparency.

“We’re in a bold new world with the short-form notice,” says World Privacy Forum Founder and Executive Director Pam Dixon.

Dixon has been heavily involved in the NTIA negotiations. “We’ve got to make it as simple as possible for app developers and as clear as possible for consumers,” she says. One of the biggest challenges with transparency is clear notice. Dixon explains, “Notice on a mobile screen is different” and conveying privacy disclosures on a small screen is a real challenge.

“What has been burdensome is what you do with details in the data infrastructure,” she says. “For example, many apps have search boxes; what happens when someone looks for health information within that app? How do you handle this complexity? That’s where the rubber meets the road.”

But will the NTIA process be enough for the global market?

“The challenge with the NTIA approach is that it’s very U.S.-centric,” says GSMA’s Walshe. The focus on transparency is a good thing, he notes, “but it’s not clear that it will engage more broadly.” There are many players residing outside the U.S.—including, most notably, mobile operators and device makers—that would not be covered by the guidelines.

Walshe says that the app ecosystem is a global phenomenon, so stakeholders need to think about global interoperability. If a Japanese developer in the U.S. creates an app for Japanese users in Japan, under whose jurisdiction would any privacy infringements reside? Plus, with myriad data exchanges between ad networks and third parties, consumers must not be burdened by six or seven separate privacy policies mandated by different regulators around the globe. Walshe supports a more “holistic” view.

“What is it we’re trying to achieve?” he asks. “What are the harms? What are the experiences we’re trying to create?” Walshe says stakeholders should strive for consistent privacy experiences and backs the use of icons to warn and educate users.

The lack of consumer and app developer education about privacy issues is an obstacle that all interested parties—from privacy advocate to industry representative to regulator—are striving to overcome. One clear step in education has been these guidelines—particularly for app developers.

Among other obstacles, however, the App Developers Alliance’s Sparapani says regulators “have not been very helpful,” adding, “They should be willing and able to endorse a good outcome even when they didn’t mandate it.”

He adds, “Regulators need to bring more carrots and less sticks.”

Yet, the California AG’s LeBlanc says that office “would look positively on companies” that put forth good faith efforts to protect consumer privacy and that, on the whole, regulators around the globe are communicating with one another. He also says that it’s become increasingly apparent over the past year that regulators across the country—most notably the FTC and the state attorneys general—have started paying more attention to mobile apps and how they affect consumers, particularly children.

There’s enough data, he warns, to see a trend toward more regulatory activity. 

Predictions?

Walshe points out that people around the world are becoming much more concerned about privacy and they overwhelmingly want to express personal choice and preference. For him, that’s where industry needs to innovate. He also notes that HTML 5, the latest W3C recommendation, may provide developers with new opportunities to embed privacy into operating systems.

“Is this a fragmented landscape?” asks Sparapani. “No question.” But, he says, “App developers will be seen as privacy leaders for brand new short-form privacy notices.” It’s a major signal in app transparency, he argues.

For Polonetsky, the outcome of the NTIA process goes beyond the issue of mobile transparency. “It’s very rare in Privacy Land that we actually have cooperation and collaboration between business and advocacy.”

If successful, the process could pave the way for other collaborations between industry and advocacy.

Polonetsky notes that President Barack Obama’s Consumer Privacy Bill of Rights rests upon the notion of the multi-stakeholder approach. And after months of wrangling, Polonetsky says the process “portends well for taking on many other privacy challenges,” including conducting a process around the Smart Grid.

Dixon is optimistic that a finalized version of the NTIA framework will be out before the end of the year, saying, “I am hopeful about all of this…It’s a positive process for consumers and app developers.”

The NTIA process “is too important to fail,” says Sparapani. “Without it, industry and consumers would be damaged.”

“The short-form notice is not the cure for cancer,” he opines, “but it could be a real game changer.”

Read more by Jedidiah Bracy:
FTC, Irish DPA Release Mutual Enforcement Agreement
Privacy Board To Host Workshop on NSA Surveillance Programs
Privacy Front-and-Center: Rounding Up the NSA Fallout