On September 12, Reps. Markey (D-MA) and DeGette (D-CO) introduced the Mobile Device Privacy Act, H.R. 6377. If enacted, the bill would place obligations on the mobile phone industry to disclose the use of tracking software, and to obtain consumer consent before the software is downloaded onto a device.
In a press statement introducing the legislation, Rep. Markey – who is co-Chair of the Bipartisan Congressional Privacy Caucus – stated that "Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information. This is especially true for parents of children and teens, the fastest growing group of smartphone users. This legislation will provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to transmission." Opponents of the legislation, such as the Software & Information Industry Association, have argued that it "would impose rigid privacy rules on the mobile industry that can only lead to stagnation and a loss of innovative dynamism."
The Markey bill would create new regulatory authority for the Federal Trade Commission to oversee aspects of the mobile industry. The bill would require the FTC, in consultation with the FCC, to issue rules requiring mobile device manufacturers, service providers, mobile operating system developers, and app developers to make disclosures to users about "monitoring software" installed on a mobile device. Monitoring software is broadly defined to include all software that "has the capability to monitor the usage" of the device, the user’s geolocation, and to transmit this information elsewhere. In the same vein, the bill also envisages FTC rules requiring device sellers and app developers to obtain a user’s "express consent" before monitoring or transmitting any information collected. The bill also envisages that all entities in receipt of monitoring data (i.e. first and third parties) implement information security policies and practices spanning data collection, retention, and disposal.
Enforcement authority under the bill goes primarily to the FTC, with secondary authority being given to the FCC and the states. The bill does not exclude private enforcement actions by individuals. Statutory damages for these breaches would range from $1,000 per unintentional violation to $3,000 per intentional violation.
The bill is unlikely to receive further attention from this Congress, which went into recess over the weekend pending the November elections.