With privacy for consumers in dealing with their mobile applications (“apps”) all the rage in policy circles, what will survey, opinion and marketing research need to watch?
On February 1, the Federal Trade Commission (FTC) released a report with their “recommendations” on protecting mobile users’ privacy and providing greater transparency in mobile data privacy and security practices – including survey, opinion and marketing research. The FTC report, “Mobile Privacy Disclosures: Building Trust Through Transparency,” arrived a couple weeks after a similar report from the Attorney General (AG) of California, Kamala Harris (D) and several weeks after Rep. Hank Johnson (D-GA) circulated a draft of his Application Privacy, Protection and Security Act (the APPS Act). In the same vein, the Senate Judiciary Committee in mid-December approved the “Location Privacy Protection Act” from Senator Al Franken (D-MN).
However, what really concerned MRA in the timing was that the FTC report was released the morning after the most recent meeting in the White House’s multistakeholder process for mobile apps privacy. Those meetings may provide tangible and useful advancements in consumer privacy by bringing together a wide variety of interested parties to come up with actionable privacy solutions that won’t ruin business.
Ultimately, any one of these regulators’ or legislators’ endeavors could up-end the process and scuttle the chance at success. Let’s look at all of them in context.
The Location Privacy Protection Act
Senator Franken’s “Location Privacy Protection Act” (S. 1223) would require express prior consent to collect, receive, record, obtain or disclose the geolocation information from an individual’s mobile device without their express authorization.
Applying the opt-in requirement to survey, opinion and marketing research could be problematic. MRA’s Government Affairs Committee believes that location privacy in the research context demands an opt-in with a fair and appropriate transparency of any tracking activity. While the Committee recommends opt-in as the best practice for the research profession, we are concerned about government regulation shutting down technological innovation in its infancy, while new uses may be within reach to provide better research results and more protection and consideration for consumers.
Before passage by the Senate Judiciary Committee in December, the Act was amended so that parties who get geolocation information, but weren’t the original data collector, would have limited liability. While this would protect some of the expected use of such data by third party researchers, MRA’s concerns with the bill would still apply when the first party is the researcher.
MRA expressed concerns to the Judiciary Committee about the Act’s enforcement mechanisms, such as: vesting significant power in state AGs to enforce and likely expand the Act in court (since one or two activist AGs will likely be able to alter the Act dramatically in case law); and allowing private rights of action (since costly unrestrained individual lawsuits could result in a cottage industry for “ambulance-chasing” attorneys seeking to assert claims under the law, even when no harm or damage has actually occurred).
We expect Senator Franken’s legislation to be considered by the Senate again soon.
The APPS Act
Concerned about data collection on mobile devices, Congressman Johnson introduced the APPS Act to “require that app developers provide transparency through consented terms and conditions, reasonable data security of collected data, and users with control to cease data collection by opting out of the service or deleting the user’s personal data to the greatest extent possible.”
While we were concerned with some of the technical details, such as leaving it to the FTC to determine what constitutes “personal data,” MRA found the draft APPS Act relatively reasonable overall.
Unfortunately, as with Senator Franken’s bill, our larger concern is Congress moving forward before the multistakeholder process has been given enough time and room to produce results.
The FTC and California AG
The “recommendations” for mobile privacy from the FTC, in many respects, might be just as enforceable as specific regulatory rules, given the FTC’s broad enforcement powers against unfair or deceptive practices under Section 5 of the FTC Act. Survey, opinion and marketing research companies need to be especially wary, given the FTC’s recent settlement with research company Compete.
Similarly, the California AG’s office has traditionally been an activist one, and has not been shy about enforcement against companies big and small in the mobile space. The AG’s “recommendations” should be reviewed carefully.
The White House’s Multistakeholder Process for Mobile Apps Privacy
The multistakeholder process for mobile apps privacy – proposed by the White House in the President’s Consumer Privacy Bill of Rights, and run by the National Telecommunications and Information Administration (NTIA) – aims to develop a voluntary code of conduct that can function in the real world for mobile app consumers and businesses and be acceptable to the broad range of stakeholders, including: activists, academics, industry, regulators, and legislators. The stakeholders are currently focused on sometimes granular issues of transparency in the mobile apps space, but we’re working towards usability testing, in search of tangible privacy disclosures that consumers can actually understand and, if they are interested, act upon.
Moving regulations or legislation impacting mobile apps privacy before the multistakeholder process can coalesce around such a workable code of conduct could easily derail the process and foil a key pillar of the White House’s Consumer Privacy Bill of Rights initiative. Some forces involved in the multistakeholder process might be just as happy to see it fail. Failure means that forces in support of unleashing the FTC and Congress to pounce on data privacy concerns will be able to point to that failure and say that government must step in because the stakeholders couldn’t work it out themselves. MRA finds that possible outcome disturbing, which is one of many reasons we have been actively participating in the multistakeholder process and want to see it succeed. MRA does not think (most of) these legislators and regulators want to short-circuit the advances in practical consumer privacy that are within reach and will try to ensure that they do not.
Howard Fienberg, PLC, is MRA’s Director of Government Affairs. He lobbies for the survey, opinion and marketing research profession in the U.S. on behalf of MRA’s members.