Rep. Ed Markey (D-MA) today introduced in the U.S. House of Representatives the “Mobile Device Privacy Act”, which was numbered H.R. 6377 and will be referred to the House Energy & Commerce Committee for further consideration. Congressman Markey serves as a member of the committee and Co-Chair of the Bi-Partisan Congressional Privacy Caucus. In his released statement, the Congressman remarked, “Consumers should be in control of their personal information, including if and when their mobile devices are transmitting data to third parties.”
The bill would authorize the FTC to create regulations to require a range of businesses offering mobile apps which meet the definition of “monitoring software” to provide notice to, and obtain opt-in consent from, consumers who download that app. Notice would be required at the time of the mobile app’s installation and consent must be obtained prior to the time the monitoring software “begins collecting and transmitting information.” For purposes of the act, “monitoring software” is defined as “software that has the capability to monitor the usage of a mobile device or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.”
In addition to applying to mobile device platforms, the regulations would apply to any business that “operates a website or other online service from which a consumer downloads monitoring software for installation on a mobile device”, thereby potentially implicating many businesses that have their own mobile apps and offer those downloads. In addition to disclosure and consent obligations on providers of apps, the bill also authorizes the FTC to create regulations to ensure that a business that “receives, directly or indirectly, information that is transmitted from monitoring software” maintains proper information security practices for the “treatment and protection of such information.” These include processes for identifying, preventing and correcting “foreseeable vulnerabilities” and disposing of the information in specified ways.
The FTC would be authorized and required to create these new regulations under Administrative Procedure Act (APA) rulemaking authority within one year of enactment of the legislation. Enforcement of the regulations would be multi-tiered and include the Federal Trade Commission, Federal Communications Commission, State Attorneys General or other officials or agencies of a State. Consumers would also be permitted to bring private rights of action in State or Federal courts and entitled to receive the greater of actual damages or statutory damages in the amount of $1,000 for each violation. Damages could be trebled by a court for willful or knowing violations.