Rep. Ed Markey (D-Mass.) introduced the Mobile Device Privacy Act (H.R. 6377), which would require disclosure of the use of monitoring software on mobile devices; consent to the collection of information, including a user's location, by monitoring software; and information security policies and procedures to safeguard collected data.


The bill authorizes the FTC to promulgate regulations that would require certain entities to make clear disclosures about the use of monitoring software with the capacity to monitor the use of a mobile device or the location of the user and to transmit the information to another device or system.

The disclosure requirements would apply to sellers of mobile devices that have monitoring software installed on the device, certain providers of commercial mobile or data services, manufacturers of mobile devices or mobile operating systems that install monitoring software on a device after it is sold to a consumer, and operators of websites where consumers can download monitoring software for mobile devices. These entities would be required to make the following disclosures:

  1. The fact that monitoring software is installed on the mobile device, or the fact that the software the consumer is downloading is monitoring software;
  2. The types of information the monitoring software is capable of collecting and transmitting; 
  3. The identity of any person who receives such information; 
  4. How such information will be used; and 
  5. Procedures for consumers who have consented to such collection and transmission to opt out of future collection and transmission.

Express Consent

Those subject to the disclosure requirements would be required to obtain the express consent of consumers prior to any data collection by monitoring software and to provide consumers who have consented to the collection and transmission an opportunity to opt out of future collection and transmission.

Information Security

The Act would also authorize the FTC to require anyone who directly or indirectly receives information transmitted from monitoring software that is subject to the disclosures to establish and implement policies and procedures for safeguarding that information.


The Mobile Device Privacy Act would be enforced by the FTC, FCC, and state Attorneys General. The bill also permits a private right of action whereby consumers could be compensated up to $3,000 per violation if those violations are deemed willful or knowing.

This bill follows the FTC’s publication of a guide to help mobile app developers comply with truth-in-advertising standards and basic privacy principles when marketing new mobile apps.