Rep. Markey’s assertion is that a handheld personal device does not equate to personal information being handled by third parties without permission. The intention of the legislation is to provide greater transparency regarding data an application may gather and transmit, with the user’s permission.
In a nutshell, the act will require the following:
- Disclosure of mobile telephone monitoring when a consumer buys a mobile phone; after sale, if the carrier, manufacturer, or operating system later installs monitoring software; and if a consumer downloads an app and that app contains monitoring software
- The disclosure includes the fact that the monitoring software has been installed on the phone, the types of information that are collected, the identity of the parties to which the information is transmitted, and how such information will be used
- Consumer consent before monitoring software begins collecting and transmitting information
- The party receiving the personal information must have policies in place to secure the information
- Agreements on information transmission must be filed at the Federal Trade Commission (FTC) and Federal Communications Commission (FCC)
- An enforcement regime for the FTC and FCC, along with State AG enforcement and a private right of action
If you have downloaded a fair number of apps from Google Play or elsewhere, you will have seen summaries of what each app does and what types of data it accesses when it is in use. Many apps will flash a request to use GPS location data. Extending apps to show more detail, and to have the user acknowledge what kind of monitoring the software performs, does not seem like a huge hurdle. The Software & Information Industry Association (SIIA) disagrees with that notion and instead advocates a more collaborative approach, saying the forced legislation imposes rigid rules which will serve only to slow innovation. Given the amount of data most apps already gather, and that many already prompt the user for access to specific information, that angle of the SIIA's argument is not very strong. Where the SIIA does make a sound argument is in referencing other initiatives where a collaborative approach is in place and working.
The point about securing the personal information just seems like good business, but seeing how the recently hacked Apple UDID information was handled, it would seem it will require a law to straighten some companies out. Because legislation often involves money, the text of this bill includes provisions under which damages can be sought for each violation in the amount of $1000 or more. Where willful wrongdoing is determined, damages can be recovered up to 300% of the actual monetary loss.
Since it is an election year, do not expect any action on this bill before the next session of Congress in 2013. The bill still has to move out of committee before it will be debated and considered for a vote on the House floor. Then it would be voted on in the Senate and reconciled before going to the president to be signed into law.