[authors: Bob Scott, Ronnie London]
On September 12, 2012, Congressman Markey (D-Mass.) introduced the Mobile Device Privacy Act, H.R. 6377, which requires the FTC to regulate all mobile applications and devices, as well as mobile phone manufacturers and sellers, and mobile app developers. Representative Markey introduced this bill despite ongoing mobile privacy stakeholder negotiations conducted by NTIA, the process favored by the Administration and adopted by the FTC itself in its Final Report on consumer privacy. The bill’s exclusion of all non-mobile technology likewise rejects the stated intention of the Administration and the FTC for technology-neutral privacy protection. Moreover, the bill is not limited to practices affecting “personal” information: all information potentially collected via mobile phones or mobile apps, no matter how benign or technical, is treated as if it is personal data.
The bill empowers the FTC, in consultation with the FCC, to require that mobile phone manufacturers, service providers, operating systems, and application developers make disclosures at the point of sale or download to users about any “monitoring software” the entity installs on a mobile device. The legislation’s definition of “monitoring software” sweeps in all software that “has the capability to monitor the usage” of the mobile device or the location of its user, and to transmit that information to another device or system. Likewise, the bill requires device sellers and app developers to obtain the user’s “express consent” before monitoring or transmitting any information collected, leaving the FTC to define express consent as opt-in, opt-out, or some variation of either approach. Consumers must be allowed to terminate the collection and transmission of data at any time.
The Markey bill presumes that all information collected through any mobile device or app must be treated as if it is personal information. It goes beyond existing law and other pending privacy bills that emphasize protection of personal information by requiring disclosures of all potential information the software is capable of collecting. Likewise, sellers and app developers must disclose the identity of all persons to whom any information collected by the software will be transmitted.
The bill compels all entities (first- and third-parties) who obtain information from monitoring software to implement policies ensuring the security of the information while maintained, and its ultimate destruction. The bill allows the FTC to exempt monitoring software used for a particular purpose that is consistent with the reasonable expectations of consumers, to mandate additional disclosures, and to define how disclosures must be presented in order to be “clear and conspicuous.”
The bill would require all third party agreements for the transmission of collected information to be filed with the FTC and/or FCC. The bill does not limit agency review or disapproval of such agreements. Thus, the filing of these agreements could lead to action under the bill’s broad enforcement provisions, which give the FTC authority to pursue violations of its rules under the Act as unfair trade practices. It also bestows enforcement authority on state Attorneys General or similar officials or agencies, and on the FCC with respect to violations by mobile service providers and mobile device manufacturers.
The bill’s dispersal of enforcement authority among two federal agencies undermines the certainty and predictability in privacy regulation from FTC enforcement that has been urged by the Administration. Moreover, the bill incentivizes class action and other “for profit” litigation by granting a private right of action for individuals harmed by violations of the rules, in which they could obtain injunctive relief, statutory damages, treble damages for “willful and knowing” violations, costs and attorney’s fees.
Predictably, consumer groups and privacy advocates responded favorably to the bill, while industry representatives criticized it as an unnecessary imposition of additional rules that threatens all mobile marketing as it exists today. In any event, the bill has little chance of action in this session of Congress given the limited number of days on the legislative calendar and the upcoming elections.