CFA on the NTIA Short Form Notice Code of Conduct to Promote Transparency in Mobile Applications

Washington D.C. — Consumer Federation of America (CFA) does not support the code of conduct for mobile applications that emerged from the National Telecommunications and Information Administration’s (NTIA) multistakeholder process yesterday. Both the code and the process are seriously flawed.

While the idea of short form notices is appealing, the information that they would provide under this code falls far short of what is needed to tell mobile application users what is really happening with their data. It does not explain how their data will be used beyond what is necessary for the function of the app. Moreover, the information about what kind of data is collected and with whom it is shared is very limited. Most disturbingly, while the code calls for mobile app developers to disclose whether users’ data will be shared with certain types of third parties, such as social networks and ad networks, no disclosure is required when the data is shared with the very same types of entities if they are part of the same corporate structure as the app developer. This means that app users will be misled, in some cases, into thinking that their data will not be shared with certain types of entities when in fact it will be. There are other problems with the code as well, such as the lack of any definitions of the terms that are used.

It is not surprising that the product is so flawed given the problems with the process itself. There was never any clear procedure for how it would work and what would constitute success.  There was no legal framework on which the code could be built, so that even terms such as “user data” are not clear and universally understood. The last meeting of the stakeholder group yesterday was as confusing as the process has been all along, with a “vote” being taken that allowed multiple attendees from the same companies or organizations to vote and resulted in no clear consensus. The groups that drafted the code, a small subset of the stakeholders, simply declared victory and the process ended.

There are big stakes involved here beyond this particular code.  The multistakeholder process will be held up by U.S. negotiators in the Transatlantic Trade and Investment Partnership as a shining example of how the United States can address privacy issues without the need for actually enacting laws that give consumers privacy rights. What we need is the privacy legislation that the Administration has promised, but not put forward. Using a baseline privacy law as a foundation, it might make sense to convene stakeholders to try to come to a common understanding on how best to put the law into practice.

Contact: Susan Grant (202) 939-1003

Consumer Federation of America is an association of nearly 300 non-profit consumer organizations that was established in 1968 to advance the consumer interest through research, education and advocacy