Steven Roosa is a Partner in our New York office and Christopher Cwalina a Partner in our Washington D.C. office

We recently wrote about "Privacy on the Go - Recommendations for the Mobile Ecosystem issued by the California Attorney General" and will be writing more about the CA recommendations in the near future. However, one of the issues we highlighted is that industry already has a long list of best practices to choose from, with more still in the works. The question for companies, though, is what criteria they should use to choose among the increasingly large number of alternative best practices. Should a company even pick one?

At first glance, it may not seem like much of an issue. After all, there are some similarities in terms of emphasizing clear disclosures, transparency, providing clear choice for certain data uses, and the like. But when these respected organizations can't agree on something as fundamental and potentially heavy-laden with liability as the definition of "Personal Information," all of a sudden there's a lot more riding on these competing regimes. This is especially true since the real risk companies face is making unwitting misrepresentations and then being brought to task by the plaintiffs' class action bar or regulators.

Let's take a look at how some of the existing best practices define "Personal Information."

1. Mobile Privacy Principles (March 2012) from GSMA

In its Mobile Privacy Principles, GSMA states:

Personal information can mean many things to many people in the 'online' world, and has various meanings defined in law. This document does not seek to reinterpret the law. But when we use the term personal information in these principles, we intend it to include (but not limit to) the following types of information. This information relates to a mobile user and their use of mobile applications and services and information which may be considered private by users even though it may not be strictly protected in law:

  1. Any data that is collected directly from a user (e.g. entered by the user via an application's user interface and which may include name and address, credit card details)
  2. Any data about a user that is gathered indirectly (e.g. mobile phone number, email address, name, gender, birth data, location data, IP address, IMEI, unique phone ID)
  3. Any data about a user's behaviour (e.g. location data, service and product use data, website visits)
  4. Any user-generated data held on a user's device (call logs, messages, user-generated images, contact lists or address books, notes, and security credentials).

2. Mobile User Privacy Bill of Rights (March 2012) from The EFF

The Electronic Frontier Foundation (EFF) does not provide a definition of Personal Information in its Mobile User Privacy Bill of Rights. Rather, EFF focuses on principles of: individual control; focused data collection; transparency; respect for context; security; and accountability. The EFF also recommends "best technical practices" relating to: anonymizing and obfuscation; secure data transit; secure data storage; internal security; penetration testing; and Do Not Track. With respect to "focused data collection" the Bill of Rights states:

In addition to standard best practices for online service providers, app developers need to be especially careful about concerns unique to mobile devices. Address book information and photo collections have already been the subject of major privacy stories and user backlash. Other especially sensitive areas include location data, and the contents and metadata from phone calls and text messages. Developers of mobile applications should only collect the minimum amount required to provide the service, with an eye towards ways to achieve the functionality while anonymizing personal information.

3. Best Practices for Mobile Applications Developers (December 2011) from the Center for Democracy and Technology (CDT) and the Future of Privacy Forum (FPF)

The CDT and FPF do not provide a formal definition of Personal Information but generally refer to it broadly as data tied to a real name (see page 4). In the context of providing "enhanced notice," the CDT and FPF point out that the definition of "sensitive data" varies from jurisdiction to jurisdiction, but often includes data related to health, finances, race, religion, political affiliation, political party membership, and sexuality (see page 6).

The CDT and FPF also point out that there are already many laws that cover the use of Personal Information, including COPPA, FCRA, HIPAA, VPPA, GLBA, and international laws such as Directive 95/46.

4. Web Application Privacy Best Practices (July 2012) from the World Wide Web Consortium

The W3C does not provide a definition of Personal Information but espouses as a best practice to "minimize collection and transmission of personal data."

5. The NTIA

The NTIA process is still a work in progress. But if you've attended any of the several meetings and working groups, you know that reaching consensus is not easy with these stakeholders. That isn't a criticism; in fact, it's a strong suit of that particular process and reflects the importance of these issues to various groups. One draft document that has been produced defines "Personally Identifiable Data" as "information about a consumer that is collected online from that individual, maintained in an accessible form, and used to identify a specific individual consumer, including name, address, telephone number and email address. A 'consumer' is any individual acting in a personal, family, or household capacity." See http://www.ntia.doc.gov/files/ntia/publications/combined_draft-mobile_transparency_code_of_conduct_11-29-12.pdf

What this brief survey hopefully illustrates is that there is no clear guidance on exactly what information we are talking about when we use the term "Personal Information." It really depends on who you ask. With each Johnny-come-lately, the problem gets worse. This is not a situation involving "moving goalposts," but rather a proliferation of them, with no idea of which ones, if any, actually mean anything. Until a gold standard emerges—which is nowhere near on the horizon—the growing number of "best practices" is sure to confound developers and the other players in the mobile app industry.

www.hklaw.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.