Last week, Rep. Ed Markey (D-MA), co-chair of the Congressional Privacy Caucus, introduced broad legislation to require multiple actors in the mobile communications ecosystem to disclose and obtain express prior consent for the installation of “monitoring software” and to adopt and disclose detailed information security requirements to be promulgated by the FTC. The bill grew out of reports last year that Carrier IQ software installed on millions of mobile devices was tracking users’ keystroke entries without their knowledge.
Markey’s Mobile Device Privacy Act, H.R. 6377, would apply to:
- Sellers of mobile devices
- Providers of commercial mobile service and mobile data service
- Manufacturers of mobile devices and operating systems
- Website or other online service operators (i.e. app developers)
“Monitoring software” is defined as “software that has the capability to monitor the usage of a mobile device or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.” “Usage” is not further defined and thus would encompass everything from taking photos to checking football scores, regardless of the type of activity monitored or information collected. Disclosure to the consumer includes detail on information collection, transmission, usage, sharing (identity of any person with whom info will be shared), security, and how to revoke consent.
Two caveats are provided: (1) FTC has discretion to exempt from disclosure (other than security policies and procedures) use of monitoring software “for a particular purpose…consistent with the reasonable expectations of consumers.” (2) FTC may deem compliance with other federal information security laws as satisfying the security policies and procedures requirements.
Recipients of information from monitoring software also have to file their agreements governing receipt with the FTC or FCC. Both agencies would share enforcement responsibilities, supplemented by state AGs and private rights of action, with penalties for the latter of at least $1,000 per violation, trebled for willful or knowing violations.
While Markey’s press release references “personal information,” the bill contains no such distinction and thus covers all manner of analytics or anonymized information that may have little or no privacy implications. The required disclosures also apply to anything that is “capable” of being collected and transmitted, not only information that is actually collected and transmitted. Without doubt, this is a broad bill and, as might be expected, it has not been warmly received by groups such as the Software & Information Industry Alliance, which would rather see the NTIA-led stakeholder collaboration on developing codes of conduct for mobile transparency continue despite contention and directional drift in those talks.
With Congress set to adjourn later this week until a post-election lame duck session in November focused on impending budget cuts and expiring tax cuts, Markey’s bill isn’t heading anywhere soon. This is no doubt welcome news to the “nascent” app industry, a bright spot in the economy, as touted at a House hearing last week, the upshot of which was that Congress should tread carefully vis-à-vis regulation, but act boldly to promote infrastructure development: make more spectrum available, promote broadband adoption, and facilitate capital formation – both financial and human.