Text of the Mobile Device Privacy Act

This bill was introduced on September 12, 2012, in a previous session of Congress, but was not enacted. The text of the bill below is as of Sep 12, 2012 (Introduced).

Source: GPO

I

112th CONGRESS

2d Session

H. R. 6377

IN THE HOUSE OF REPRESENTATIVES

September 12, 2012

(for himself and Ms. DeGette) introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To require disclosures to consumers regarding the capability of software to monitor mobile device usage, to require the express consent of the consumer prior to monitoring, and for other purposes.

1. Short title

This Act may be cited as the "Mobile Device Privacy Act".

2. Disclosures to consumers regarding mobile device monitoring software

(a) In general

Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require—

(1) a person who is in the business of selling mobile devices directly to consumers (including a provider of commercial mobile service or commercial mobile data service who sells mobile devices in connection with contracts to provide service) to disclose the information described in subsection (b) to the consumer at the time of sale of a mobile device on which monitoring software is installed;

(2) a provider of commercial mobile service or commercial mobile data service to disclose the information described in subsection (b) to the consumer at the time of entry into a contract to provide service to the consumer on a mobile device—

(A) on which the provider installs monitoring software in connection with such contract; and

(B) that the consumer does not purchase from the provider in connection with such contract;

(3) a manufacturer of a mobile device or of the operating system software for a mobile device who installs monitoring software on such device, after such device is sold to the consumer, to disclose to the consumer at the time of installing such software the information described in subsection (b);

(4) a provider of commercial mobile service or commercial mobile data service who installs monitoring software on a mobile device, after entry into a contract to provide service to the consumer on such device, to disclose to the consumer at the time of installing such software the information described in subsection (b); and

(5) a person who operates a website or other online service from which a consumer downloads monitoring software for installation on a mobile device to disclose the information described in subsection (b) to the consumer at the time of the download.

(b) Information described

The information described in this subsection is the following:

(1) The fact that the monitoring software is installed on the mobile device (or, in the case of a disclosure described in subsection (a)(5), the fact that the software that the consumer downloads is monitoring software).

(2) The types of information that the monitoring software is capable of collecting and transmitting.

(3) The identity of any person to whom any information collected will be transmitted and of any other person with whom such information will be shared.

(4) How such information will be used.

(5) Procedures by which a consumer who has consented to collection and transmission of information by the monitoring software may exercise the opportunity to prohibit further collection and transmission, as described in section 3(2).

(6) Such additional information about the monitoring software as the Federal Trade Commission considers appropriate.

(c) Manner of disclosure

The regulations promulgated under subsection (a) shall require the following:

(1) The disclosures shall be made in a clear and conspicuous manner, to be determined by the Federal Trade Commission.

(2) The disclosures shall be displayed in a clear and conspicuous manner on the website of a person required to make such disclosures, except that if such person does not maintain a website, such person shall file such disclosures with the appropriate Commission.

(d) Exemptions permitted

If the Federal Trade Commission determines that the use of monitoring software for a particular purpose is consistent with the reasonable expectations of consumers, the Federal Trade Commission may include in the regulations promulgated under subsection (a) an exemption from the disclosures required by such regulations with respect to monitoring software that is used only for such purpose (or for another purpose with respect to which the Federal Trade Commission has made a determination under this subsection).

3. Consumer consent to monitoring of mobile device usage

Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require any person who is subject to the disclosure requirements of the regulations promulgated under section 2(a) to—

(1) obtain the express consent of the consumer prior to the time when the monitoring software first begins collecting and transmitting information; and

(2) provide a consumer who has consented to collection and transmission of information by the monitoring software with the opportunity at any time to prohibit further collection and transmission of information by such software.

4. Information security requirements

(a) In general

Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require any person who receives, directly or indirectly, information that is transmitted from monitoring software with respect to which disclosures are required by the regulations promulgated under section 2(a) to establish and implement policies and procedures regarding information security practices for the treatment and protection of such information, taking into consideration—

(1) the size of, and the nature, scope, and complexity of the activities engaged in by, such person;

(2) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and

(3) the cost of implementing such safeguards.

(b) Requirements

Such regulations shall require the policies and procedures to include the following:

(1) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such information.

(2) The identification of an officer or other individual as the point of contact with responsibility for the management of the security of such information.

(3) A process for identifying and assessing any reasonably foreseeable vulnerabilities in any system maintained by such person that contains such information, which shall include regular monitoring for a breach of security of such system.

(4) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by paragraph (3), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.

(5) A process for disposing of such information by shredding, permanently erasing, or otherwise modifying such information to make such information permanently unreadable or undecipherable.

(6) A standard method or methods for the destruction of paper documents and other non-electronic data containing such information.

(c) Disclosure of policies and procedures

Such regulations shall require the policies and procedures to be displayed in a clear and conspicuous manner on the website of a person required to establish and implement such policies and procedures, except that if such person does not maintain a website, such person shall file such policies and procedures with the appropriate Commission.

(d) Treatment of entities governed by other law

A person shall be deemed to be in compliance with the regulations promulgated under subsection (a) if such person is in compliance with any other Federal law that requires such person to maintain policies and procedures with respect to information security that, taken as a whole and as the Federal Trade Commission shall determine in the rulemaking required by such subsection, provide protections substantially similar to, or greater than, those provided by the policies and procedures required by the regulations promulgated under such subsection.

5. Filing of certain agreements regarding information receipt

(a) In general

Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require a copy of an agreement described in subsection (b) to be filed with the appropriate Commission.

(b) Agreement described

An agreement described in this subsection—

(1) is an agreement under which a person receives, directly or indirectly, information that is transmitted from monitoring software with respect to which disclosures are required by the regulations promulgated under section 2(a); and

(2) does not include an agreement between such a person and the consumer on whose mobile device such monitoring software is installed.

6. Enforcement

(a) By Federal Trade Commission

(1) Unfair or deceptive acts or practices

A violation of a regulation promulgated under section 2, 3, 4, or 5 shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

(2) Powers of Federal Trade Commission

The Federal Trade Commission shall enforce the regulations promulgated under sections 2, 3, 4, and 5 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, and any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

(b) By Federal Communications Commission

(1) Treatment as violation of Communications Act of 1934

A violation of a regulation promulgated under section 2, 3, 4, or 5 by a provider of commercial mobile service or commercial mobile data service or a manufacturer of a mobile device shall be treated as a violation of the Communications Act of 1934 (47 U.S.C. 151 et seq.).

(2) Powers of Federal Communications Commission

The Federal Communications Commission shall enforce the regulations promulgated under sections 2, 3, 4, and 5 with respect to providers of commercial mobile service or commercial mobile data service and manufacturers of mobile devices in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Communications Act of 1934 were incorporated into and made a part of this Act, and any such provider or manufacturer who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in the Communications Act of 1934.

(c) Division of responsibilities between FTC and FCC

(1) Regulations

In promulgating the regulations required by sections 2, 3, 4, and 5, the Federal Trade Commission shall consult with the Federal Communications Commission.

(2) Enforcement

In enforcing such regulations, the Federal Trade Commission and the Federal Communications Commission shall consult with each other.

(3) FCC regulations on filings

The Federal Communications Commission, in consultation with the Federal Trade Commission, may promulgate regulations with respect to the form and manner of any filing that is required to be made with the Federal Communications Commission by a regulation required by section 2, 4, or 5.

(d) Actions by States

(1) Civil actions

In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates any regulation promulgated under section 2, 3, 4, or 5, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate State court or an appropriate district court of the United States to—

(A) enjoin that act or practice;

(B) enforce compliance with the regulation;

(C) obtain damages, restitution, or other compensation on behalf of residents of the State; or

(D) obtain such other legal and equitable relief as the court may consider to be appropriate.

(2) Notice

Before filing an action under this subsection, the attorney general, official, or agency of the State involved shall provide to the appropriate Commission a written notice of that action and a copy of the complaint for that action. If the attorney general, official, or agency determines that it is not feasible to provide the notice described in this paragraph before the filing of the action, the attorney general, official, or agency shall provide written notice of the action and a copy of the complaint to the appropriate Commission immediately upon the filing of the action.

(3) Authority of appropriate Commission

(A) In general

On receiving notice under paragraph (2) of an action under this subsection, the appropriate Commission shall have the right—

(i) to intervene in the action;

(ii) upon so intervening, to be heard on all matters arising therein; and

(iii) to file petitions for appeal.

(B) Limitation on State action while Federal action is pending

If the Federal Trade Commission, the Federal Communications Commission, or the Attorney General of the United States has instituted a civil action for violation of a regulation promulgated under section 2, 3, 4, or 5 (referred to in this subparagraph as the "Federal action"), no State attorney general, official, or agency may bring an action under this subsection during the pendency of the Federal action against any defendant named in the complaint in the Federal action for any violation as alleged in that complaint.

(4) Rule of construction

For purposes of bringing a civil action under this subsection, nothing in this Act shall be construed to prevent an attorney general, official, or agency of a State from exercising the powers conferred on the attorney general, official, or agency by the laws of that State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence.

(e) Private right of action

(1) In general

A person injured by an act in violation of a regulation promulgated under section 2, 3, 4, or 5 may bring in an appropriate State court or an appropriate district court of the United States—

(A) an action to enjoin such violation;

(B) an action to recover damages for actual monetary loss from such violation, or to receive up to $1,000 in damages for each such violation, whichever is greater; or

(C) both such actions.

(2) Willful or knowing violations

If the court finds that the defendant acted willfully or knowingly in committing a violation described in paragraph (1), the court may, in its discretion, increase the amount of the award to an amount equal to not more than 3 times the amount available under paragraph (1)(B).

(3) Costs

The court shall award to a prevailing plaintiff in an action under this subsection the costs of such action and reasonable attorney’s fees, as determined by the court.

(4) Limitation

An action may be commenced under this subsection not later than 2 years after the date on which the person first discovered or had a reasonable opportunity to discover the violation.

(5) Nonexclusive remedy

The remedy provided by this subsection shall be in addition to any other remedies available to the person, except that, in the case of a violation or series of related violations by a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.), the person may pursue either the remedy provided by this subsection or any remedies provided by such title, but not both.

7. Definitions

In this Act:

(1) Appropriate Commission

The term "appropriate Commission" means either the Federal Trade Commission or the Federal Communications Commission, or both, depending on which Commission has jurisdiction under section 6 with respect to the person and activity involved.

(2) Commercial mobile data service

The term "commercial mobile data service" has the meaning given such term in section 6001 of the Middle Class Tax Relief and Job Creation Act of 2012 (47 U.S.C. 1401).

(3) Commercial mobile service

The term "commercial mobile service" has the meaning given such term in section 332 of the Communications Act of 1934 (47 U.S.C. 332).

(4) Mobile device

The term "mobile device" means a personal electronic device that has the capability of transmitting and receiving voice, video, or data communications by means of commercial mobile service or commercial mobile data service.

(5) Monitoring software

The term "monitoring software" means software that has the capability to monitor the usage of a mobile device or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.