You know those short notices that pop up right before you install a mobile app? That’s the splash screen that provides some information about what functions are being accessed and, in general terms, what information is being collected from users. After studying this matter for about a year and getting input from the usual stakeholders (industry, privacy groups), the US Department of Commerce just issued voluntary guidelines covering the information app publishers should include in these notices. While this code of conduct will not satisfy everyone, it’s clear that personally identifiable information or PII will now be getting higher billing.
If you install an app on your Android or iPhone, you might be told the software will “Read contact data, read your profile data” and perhaps that it has access to “fine GPS location”. At least that is what the mobile version of Twitter informed me, right before I decided against using it. But if an app publisher were to follow the new Commerce Department guidelines, they would need to explicitly state the PIIs and user content being collected from the following set:
- Biometrics (information about your body, including fingerprints, facial recognition, signatures and/or voiceprint.)
- Browser History (a list of websites visited)
- Phone or Text Log (a list of the calls or texts made or received.)
- Contacts (including list of contacts, social networking connections or their phone numbers, postal, email and text addresses)
- Financial Info (includes credit, bank and consumer-specific financial information such as transaction data.)
- Health, Medical or Therapy Info (including health claims and other information used to measure health or wellness.)
- Location (precise past or current location of where a user has gone.)
- User Files (files stored on the device that contain your content, such as calendar, photos, text, or video.)
We have had previous clues from other agencies, but it’s becoming more likely that the US regulators will be taking a more expansive view of PII in the coming years. The inclusion of biometrics, browser history, and geo-location means that quasi-identifiers are now on equal footing with traditional or classic PII—phone number, name and financial data.
If you’ve been following our HIPAA posts, this list shouldn’t be too surprising. The healthcare sector has had to deal with a far longer list in the form of the Safe Harbor rule, which includes most of the above items and quasi-identifiers for a grand total of 18 PII (or PHI as it’s referred to in HIPAA). Hospitals and other health networks have additional obligations, of course, to protect these medical PIIs through a series of mandated data security and privacy controls.
Unlike healthcare and financial companies, the Internet economy has mostly escaped—if you exclude COPPA—US data regulations. In other words, under the current model, even with these new guidelines, mobile app makers have no legal requirements to protect private consumer data. They would likely want to for obvious business reasons, and you can read the specific terms of service of your favorite mobile software to see what they’ll try to do.
Where is all this heading? A “Consumer Privacy Bill of Rights” has been talked about in Washington for years. And you can read the latest iteration of this policy idea here. Even if a comprehensive data privacy law covering all companies doesn’t become law, regulators will be enforcing existing rules more tightly and consumer expectations for data security, especially in light of recent events, will only head upwards.
For organizations that want to stay ahead of the consumer data privacy curve, the above PII list from the Commerce Department is actually a good starting point: can your IT department guarantee that this small list of identifiers is secured from hackers and protected against unauthorized use?