APPS Act Strengthens Mobile Privacy Protections, Increases Disclosure to Users
Last week, Representative Hank Johnson of Georgia introduced the Application, Privacy, and Security Act (APPS Act), a bipartisan bill that would require stronger transparency and security requirements for mobile application developers and distributors. The bill is co-sponsored by Representatives Steve Chabot of Ohio, John Conyers of Michigan, Eliot Engel of New York, and Sheila Jackson Lee of Texas. As mobile technologies become increasingly indispensable for Americans, ensuring that privacy policies are clear and accurate is an important goal. There has been no shortage of recent attention to mobile privacy, from FTC enforcement actions to the continuing NTIA multistakeholder process on mobile app transparency, but Congress has been relatively quiet on this critical consumer issue.
Congressman Johnson’s bill attempts to codify several Fair Information Practices (FIPs) into regulations governing mobile applications. It requires app developers to provide notice to users regarding the collection, use, storage, and sharing of personal data, and to obtain consent for the app’s terms and conditions. The notice would require disclosure of the categories of data collected, the purposes for which the data would be used, and the categories of third parties with which such data would be shared. This last requirement is especially important, as companies often share user data with third-party affiliates in non-obvious ways. Because the bill defines third parties as those entities that a consumer would not reasonably determine to be related to the developer, this requirement is important in communicating to users exactly where the data may go. As a result, it would give users greater choice in avoiding particular apps that may be overly broad in sharing personal data, and would hopefully encourage developers to compete on privacy by limiting the scope of data sharing.
Developers would also have to state a data retention policy, and the procedures by which a user could withdraw consent. When a user withdraws consent, the developer would (at the user’s option) have to delete the user’s data to the extent practicable, or refrain from use or sharing of such data. The bill also creates an obligation such that developers must employ reasonable security measures to protect user data.
These obligations may seem trivial or unnecessary, but the mobile landscape remains largely unregulated. Currently, there are no affirmative federal obligations for app developers to provide privacy policies or disclosures to users. Indeed, California Attorney General Kamala Harris’ announcement last year of an agreement with major technology companies, which confirmed that California state law required apps to have privacy policies, was a significant step forward for protecting individual privacy. Delta ran afoul of the California law last December when it neglected to include a privacy policy in its app – after multiple warnings. That suit was later dismissed due to federal preemption of the state-level obligations. The need, therefore, for clear, nationwide obligations upon developers is obvious. Moreover, such obligations benefit app developers as well by providing clearer regulatory guidance, encouraging privacy by design, and making it less likely they will be caught off guard by an FTC or state-level enforcement action.
The obligations created under the APPS Act map onto most of the FIPs, which we have long advocated for as a model to protect consumer privacy. Specifically, the bill addresses transparency, individual participation, purpose specification, data minimization, use limitation, and security in the obligations levied upon developers. We would prefer a more rigorous data minimization requirement, one that requires data to be retained only as long as necessary for a disclosed purpose, rather than merely requiring the existence of a policy that sets out a limit. Under the bill, a developer could merely state an overly long period, such as ten years or even indefinitely, for retaining data and avoid any consequences – thus contravening the intent of the bill. In general, though, the bill does a good job of codifying FIPs protections into law.
Mere requirements without enforcement, however, do little good. The APPS Act grants the FTC the authority to enforce its provisions and to promulgate rules (such as notice requirements), and allows states’ attorneys general to file civil actions in federal court. The Act also grants safe harbor protections to developers that comply with codes such as those developed in the NTIA multistakeholder process. We support increased FTC oversight over mobile apps, especially given the large amounts of personally identifiable information such apps can collect from consumers. The APPS Act therefore recognizes the important role the FTC has in protecting individual privacy.
While this legislation overall strengthens protections for consumers, we think that a baseline consumer privacy law, rather than sector-specific legislation, is the best way to ensure strong privacy protection for Americans. Continuing to create piecemeal laws is not a feasible long-term strategy, especially as new technologies and uses that implicate individual privacy proliferate. While the APPS Act is a good start, we hope that Congress will take up the pressing need for baseline consumer privacy legislation sooner rather than later.