{"id":2118,"date":"2013-08-01T16:13:00","date_gmt":"2013-08-01T22:13:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&p=2118"},"modified":"2025-01-03T12:40:15","modified_gmt":"2025-01-03T18:40:15","slug":"whats-next-for-the-ntia-mobile-app-transparency-code","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/whats-next-for-the-ntia-mobile-app-transparency-code\/","title":{"rendered":"What\u2019s Next for the NTIA Mobile App Transparency Code?"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tArticles<\/strong>\n\t\t\t\t\t\t\t\t\t\t

What\u2019s Next for the NTIA Mobile App Transparency Code?<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

The evolution of mobile app transparency: NTIA\u2019s multi-stakeholder journey<\/h2>\n

On July 12, 2012, the Department of Commerce\u2019s NTIA division<\/a> kicked off a multi-stakeholder proceeding<\/a> focused on deciding a standard for mobile app transparency \u2013 the format and elements of a mobile app privacy notice (or as we\u2019ll refer to it, the NTIA code).<\/p>\n

Sitting with the many other attendees in the vast cavernous hall of the Herbert Hoover Auditorium that day and observing the wide range of interests represented in the room, I was admittedly skeptical about whether this group could reach consensus on anything that could provide meaningful guidance to app developers.<\/p>\n

Even for the most Pollyannaish of privacy heads, the possibility that representatives from government, industry and the advocacy community could actually sit down together (let alone decide on a mobile privacy standard together) seemed remote.<\/p>\n

Navigating the NTIA Code: A crucial step towards privacy and transparency<\/h3>\n

Fast forward a little over a year to July 25, 2013. At its 16th (and for now final) meeting, a majority of stakeholders voted to \u201cfreeze\u201d a draft NTIA code and start testing it in the marketplace before finalizing later this year. Issues remain about some of the draft code\u2019s provisions, around user comprehension of terms used in the code, and how these terms should be laid out in a mobile notice.<\/p>\n

For the majority of stakeholders however, the draft NTIA code is a win.<\/p>\n

It\u2019s worth stepping back and thinking about what has<\/em> been decided and agreed upon by the NTIA Multistakeholder group. For the first time, a broad coalition representing consumers and industry has agreed on some basic data elements that should be noticed by mobile apps (for the full story, the current version of the draft code is posted on the NTIA\u2019s site).<\/p>\n

Mobile app developers who want to comply with the NTIA\u2019s self-regulatory standard must notify users about whether they collect and share personal information \u2013 defined broadly to include data generated from a user\u2019s activity on that device (browser and phone history), user uploaded files (contacts, photos) and sensitive data (health, financial, location).<\/p>\n

Providing this type of information to consumers is important; TRUSTe\u2019s research shows that 72% of smartphone users are more concerned about privacy than they were a year ago.<\/p>\n

Having participated in and attended the NTIA meetings, it is clear that there are critical issues around implementation that remain open \u2013 but I also believe that these issues can be resolved by test driving different versions of an NTIA compliant format in the marketplace.<\/p>\n

For instance, an outstanding issue that is key for many stakeholders, including TRUSTe, is whether an app developer should list all data elements (nutrition label) or just the ones collected\/shared by the app (ingredient approach)?<\/p>\n

Clearly this particular issue can be resolved through usability testing \u2013 are users confused by a mobile app\u2019s privacy notice that informs them about the entire universe of data collection that could be happening on their device?<\/p>\n

In this regard, TRUSTe is working with ACT, the Innovators Network and companies like AT&T, Apple, Facebook, Microsoft and Verizon, to conduct a program of consumer and developer testing that determines the answers to the remaining open issues and ensures that an NTIA compliant notice effectively communicates with consumers.<\/p>\n

In fact, ACT is already testing this version of an NTIA compliant notice<\/a> with a few of its developers. The Future of Privacy forum also worked on some UI mockups of an NTIA compliant notice<\/a>.<\/p>\n

In the next few months, we hope to share the results of these consumer tests with you and roll TRUSTe\u2019s own version of an NTIA compliant mobile short notice.<\/p>\n

In the end, is the NTIA code a win for consumers and the app developer community? Absolutely.<\/p>\n

The current draft of the NTIA code builds on the \u201cTransparency\u201d principle in the Obama Administration\u2019s Consumer Privacy Bill of Rights<\/a>, which gives consumers the right to access \u201ceasily understandable information about privacy and security practices.\u201d The mobile notices being contemplated by the NTIA code will not only inform, but also educate consumers about they types of data being collected by a mobile application, and with whom that data is being shared. That\u2019s why testing will be such an integral part of this process.<\/p>\n

The NTIA code will also provide much needed guidance to the app developer community, by establishing a self-regulatory standard that this community can build and improve upon. The fact that the NTIA code was developed through the Multistakeholder process gives it credibility with a wide range of audiences \u2013 academic, advocacy and industry \u2013 all of who actively contributed to and participated in the process that resulted in the current version of the NTIA code.<\/p>\n

App Developer Requirements<\/h2>\n

In closing, I thought I would provide a quick rundown on what\u2019s currently required of app developers who want to provide consumers with an NTIA-compliant mobile short form notice.<\/p>\n

The mobile app\u2019s short form privacy policy should inform the consumer whether or not the app collects the following types of data:<\/p>\n