Representative Hank Johnson (D-GA) introduced two bills on February 10 targeting digital information privacy. The first, the “Application Privacy, Protection, and Security Act of 2016” (H.R. 4517) (the “Apps Act”), would establish minimum requirements for mobile applications’ privacy and security practices. The second, the “Data Broker Accountability and Transparency Act of 2016” (H.R. 4516) (the “Data Act”), would give consumers the right to review and correct information associated with them that is held by commercial data aggregators. Both bills would authorize new rulemaking by the Federal Trade Commission (“FTC”). While neither bill is likely to become law in the current Congress, a major new data breach or similar event could rally support for their ideas.
The Apps Act would require mobile app developers to disclose their privacy policies and permit users who cease using the app to request that the developer not only cease to collect new information from the user, but also stop sharing and (if practicable) delete any personal information already collected. Moreover, developers would be required to take “reasonable and appropriate measures” to safeguard the data they collect from users. The Apps Act authorizes the FTC to enforce these requirements under its existing unfair and deceptive trade practices authority codified in Section 5 of the FTC Act and permits state enforcement actions as well. Interestingly, the Apps Act provides a safe harbor as to all of its obligations for developers who adopt and comply with privacy policies approved by the FTC.
The Data Act requires that covered data brokers take practical steps to ensure the accuracy of the data they collect and prohibits obtaining or disclosing information under false pretenses. As with the Apps Act, the Data Act would permit individuals to review and correct this stored information and to indicate their preference not to have their identifying information shared for marketing purposes. The Data Act further requires that covered brokers take steps to permit audits of any access to or sharing of this data. The bill would also permit the FTC to release new rules regarding specific exceptions and procedures for the individual access it mandates.
The Data Act applies to “covered data brokers,” defined as any commercial entity that collects personal information from individuals other than its employees or customers in order to provide it to third parties, except as the FTC may exclude by future rulemaking. As such, the Data Act puts significant authority into the hands of the FTC to determine the practical scope of these new requirements. In the FTC’s own 2014 report on data brokers, it noted that American consumers were often unaware of the extent, or even the existence, of this industry. The exact contours of any exceptions promulgated by the FTC will be very important to those to whom third-party data is an important asset.
Both bills have now been referred to the House Energy and Commerce Committee. Although the Apps Act has attracted early bipartisan support, and the Data Act joins a companion bill introduced in the Senate last year (S. 668), neither is likely to be enacted in the waning months of the 114th Congress. However, individuals’ privacy on mobile devices and cloud services is an increasingly salient issue among the public. If another significant data breach takes place, whether this year or later, these bills could be well-placed to influence the shape of any new legislation that ultimately results.
Reporter, Daniel Ray, Silicon Valley, +1 650 422 6715.