skip to main content

S. 47: APP Act


The text of the bill below is as of Jan 26, 2021 (Introduced).


II

117th CONGRESS

1st Session

S. 47

IN THE SENATE OF THE UNITED STATES

January 26, 2021

introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL

To require software marketplace operators and owners of covered foreign software to provide consumers with a warning prior to the download of such software, to establish consumer data protections, and for other purposes.

1.

Short title

This Act may be cited as the Adversarial Platform Prevention Act of 2021 or the APP Act.

2.

Consumer protections regarding covered foreign software

(a)

Consumer warning and acknowledgment for download of covered foreign software

(1)

In general

A software marketplace operator or an owner of covered foreign software may not:

(A)

Permit a consumer to download covered foreign software unless, before the download begins—

(i)

a warning that meets the requirements of paragraph (2) is displayed to the consumer, separately from any privacy policy, terms of service, or other notice; and

(ii)

the consumer is required to choose (by taking an affirmative step such as clicking on a button) between the options of—

(I)

acknowledging such warning and proceeding with the download; or

(II)

cancelling the download.

(B)

Make available covered foreign software for download by consumers unless the operator or owner has in place procedures to ensure compliance with subparagraph (A).

(2)

Requirements for warning

The requirements of this paragraph are, with respect to a warning regarding covered foreign software—

(A)

that the warning include—

(i)

the name of the covered foreign software;

(ii)

the name of each owner of the covered foreign software, and, if applicable with respect to each such owner, the name of the covered country—

(I)

under the laws of which such owner is organized;

(II)

in which such owner conducts its principal operations; or

(III)

in which such owner is headquartered;

(iii)

the name of each controlling entity of the owner of the covered foreign software, and if applicable with respect to each such controlling entity, the name of the covered country—

(I)

under the laws of which such entity is organized;

(II)

in which such entity conducts its principal operations; or

(III)

in which such entity is headquartered;

(iv)

any enumerated risk to data privacy and security or the censorship of speech associated with the laws and practices of a covered country disclosed under this subparagraph;

(v)

whether the owner of a covered foreign software, or any controlling entity of such owner, has ever provided the data of United States consumers, as it relates to such software, to any law enforcement agency, intelligence agency, or other government entity of a covered country; and

(vi)

a description of how to acknowledge the warning and either proceed with or cancel the download;

(B)

that the warning be updated annually; and

(C)

such other requirements as the Commission, in consultation with the Attorney General of the United States, shall determine.

(3)

Liability of software owner

If a software marketplace operator permits a consumer to download covered foreign software or makes covered foreign software available for download in violation of paragraph (1), the operator shall not be liable for a violation of such paragraph if the operator reasonably relied on inaccurate information from the owner of the covered foreign software in determining that the software was not covered foreign software, and the owner of the covered foreign software shall be considered to have committed the violation of such paragraph.

(b)

Consumer data protections

(1)

Consumer data privacy practices

(A)

Consumer data report

Not later than 30 days after the date of enactment of this Act (or in the case of covered foreign software that is created after such date or software that becomes covered foreign software after such date, 60 days after the date that such software is created or becomes covered foreign software), and annually thereafter, an owner of covered foreign software shall submit to the Commission and the Attorney General of the United States a report that includes a complete description of any consumer data privacy practice of the owner as it relates to the data of United States consumers, including—

(i)

the type of data of United States consumers being accessed;

(ii)

a description of how such data is used by the owner;

(iii)

a description of any consumer data protection measure in place that protects the rights and interests of United States consumers;

(iv)

information regarding—

(I)

the number of requests from a law enforcement agency, intelligence agency, or other government entity of a covered country to disclose the consumer data of a person in the United States; and

(II)

a description of how such requests were handled; and

(v)

a description of any internal content moderation practice of the owner as it relates to the data of consumers in the United States, including any such practice that also relates to consumers in another country.

(B)

Public accessibility

Notwithstanding any other provision of law, not later than 60 days after the receipt of a report under subparagraph (A), the Attorney General of the United States shall publish the information contained in such report (except for any confidential material) in a publicly accessible manner.

(2)

Consumer data disclosure practices

(A)

Effect of disclosure and censorship

An owner of covered foreign software may not collect or store data of United States consumers, as it relates to such covered foreign software, if such owner complies with any request from a law enforcement agency, intelligence agency, or other government entity of a covered country—

(i)

to disclose the consumer data of a person in the United States; or

(ii)

to censor the online activity of a person in the United States.

(B)

Report to Federal Trade Commission and Attorney General of the United States

Not later than 14 days after receiving a request described in subparagraph (A), an owner of covered foreign software shall submit to the Commission and the Attorney General of the United States a report that includes a description of such request.

(C)

Access to consumer data in subsidiaries

Not later than 1 year after the date of enactment of this Act, the Commission, in consultation with the Attorney General of the United States, shall issue regulations to require an owner of covered foreign software to implement consumer data protection measures to ensure that any parent company in a covered country may not access the consumer data collected and stored, or otherwise held, by a subsidiary entity of such parent company in a country that is not a covered country.

(3)

Prohibitions on storage, use, and sharing of consumer data

(A)

Use, transfer, and storage of consumer data

With respect to the consumer data of any person in the United States, an owner of covered foreign software may not—

(i)

use such data in a covered country;

(ii)

transfer such data to a covered country; or

(iii)

store such data outside of the United States.

(B)

Sharing of consumer data

An owner of covered foreign software may not share with, sell to, or otherwise disclose to any other commercial entity the consumer data of any person in the United States.

(4)

Censorship remedy

In the case where an owner of covered foreign software censors the online activity of a person in the United States, such owner shall provide any affected user with a means to appeal such censorship.

(c)

Nonapplication of Communications Decency Act protections

Notwithstanding section 230 of the Communications Act of 1934 (47 U.S.C. 230) (commonly known as the Communications Decency Act), an owner of a covered foreign software shall not be considered a provider of an interactive computer service for purposes of subsection (c) of such section with respect to such covered foreign software.

(d)

Enforcement by Federal Trade Commission

(1)

Unfair or deceptive acts or practices

A violation of this section or a regulation promulgated under this section shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

(2)

Powers of Commission

(A)

In general

The Commission shall enforce this section and the regulations promulgated under the section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates this section or a regulation promulgated under this section shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

(B)

Additional relief

In addition to the penalties provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.), if a court or the Commission (in a formal adjudicative proceeding) determines that an owner of covered foreign software violated this section or a regulation promulgated under this section, the court or the Commission shall prohibit the owner from making such software available for sale or download in the United States.

(3)

Regulations

The Commission may promulgate regulations under section 553 of title 5, United States Code, to carry out this section.

(4)

Savings clause

Nothing in this section shall be construed to limit the authority of the Commission under any other provision of law.

(e)

Criminal offense

(1)

In general

A software marketplace operator or an owner of covered foreign software that knowingly violates subsection (a) or (b) shall be fined $50,000 for each violation.

(2)

Clarifications

(A)

Separate violation

For purposes of paragraph (1), each download by a consumer of a covered foreign software that does not meet the requirements of subparagraph (A) of subsection (a)(1) or is made available in violation of subparagraph (B) of such subsection shall be treated as a separate violation.

(B)

Individual offense

An officer of a software marketplace operator or of an owner of covered foreign software who knowingly causes a violation of subsection (a)(1) with the intent to conceal the fact that the software is covered foreign software shall be fined under title 18, United States Code.

(3)

Referral of evidence by FTC

Whenever the Commission obtains evidence that a software marketplace operator or owner of covered foreign software has engaged in conduct that may constitute a violation of subsection (a) or (b), the Commission shall transmit such evidence to the Attorney General of the United States, who may institute criminal proceedings under this subsection. Nothing in this paragraph affects any other authority of the Commission to disclose information.

(f)

Report to Congress

Not later than 1 year after the date of the enactment of this Act, the Commission, in consultation with the Attorney General of the United States, shall submit to Congress a report on the implementation and enforcement of this section.

(g)

Expansion of covered transactions under the DPA

Section 721(a)(4)(B)(iii)(III) of the Defense Production Act of 1950 (50 U.S.C. 4565(a)(4)(B)(iii)(III)) is amended by inserting or commercially available after sensitive.

(h)

Express preemption of State law

This Act shall supersede any provision of a law, regulation, or other requirement of any State or political subdivision of a State to the extent that such provision relates to the privacy or security of consumer data or the downloading of covered foreign software.

(i)

Definitions

In this section:

(1)

Censor

(A)

In general

The term censor, with respect to the online activity of a person in the United States, means—

(i)

to alter, delete, remove, or otherwise make inaccessible user information without the consent of such user; or

(ii)

to alter, delete, remove, deny, prevent, or otherwise prohibit user activity without the consent of such user.

(B)

Exception

Such term shall not include any action by an owner of covered foreign software that is taken for the purpose of restricting access to, or availability of, material that the owner considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.

(2)

Commission

The term Commission means the Federal Trade Commission.

(3)

Covered country

(A)

In general

Subject to subparagraph (B), the term covered country means—

(i)

China, Russia, North Korea, Iran, Syria, Sudan, Venezuela, or Cuba;

(ii)

any other country the government of which the Secretary of State determines has provided support for international terrorism pursuant to—

(I)

section 1754(c)(1)(A) of the Export Control Reform Act of 2018 (50 U.S.C. 4318(c)(1)(A));

(II)

section 620A of the Foreign Assistance Act of 1961 (22 U.S.C. 2371);

(III)

section 40 of the Arms Export Control Act (22 U.S.C. 2780); or

(IV)

any other provision of law; and

(iii)

any other country designated by the Attorney General of the United States based on findings that such country's control over potentially dangerous software poses an undue or unnecessary risk to the national security of the United States or to the safety and security of United States persons.

(B)

Process

(i)

Advance notice to Congress

The Attorney General of the United States shall not designate a country under subparagraph (A)(iii) (or revoke such a designation under clause (iii)) unless the Attorney General of the United States—

(I)

provides not less than 30 days notice prior to making such designation or revocation to—

(aa)

the Committee on Energy and Commerce of the House of Representatives;

(bb)

the Permanent Select Committee on Intelligence of the House of Representatives;

(cc)

the Committee on Commerce, Science, and Transportation of the Senate; and

(dd)

the Select Committee on Intelligence of the Senate; and

(II)

upon request, provides an in-person briefing to each such Committee during the 30-day notice period.

(ii)

Notice and publication of designation

Upon designating a country under subparagraph (A)(iii), the Attorney General of the United States shall transmit a notification of the designation to the Commission, and shall publish such notification. Such designation shall become effective on the day that is 60 days after the date on which such notification is transmitted and published.

(iii)

Revocation of designation

The designation of a country under subparagraph (A) may only be revoked by the Attorney General of the United States.

(4)

Covered foreign software

(A)

In general

The term covered foreign software means any of the following:

(i)

Software that is owned or directly or indirectly controlled by a person described in subparagraph (B).

(ii)

Software that stores data of United States consumers in a covered country.

(B)

Persons described

A person described in this subparagraph is—

(i)

a person (other than an individual)—

(I)

that is organized under the laws of a covered country;

(II)

the principal operations of which are conducted in a covered country; or

(III)

that is headquartered in a covered country; or

(ii)

a person (other than an individual) that is, directly or indirectly, controlled by a person described in clause (i).

(5)

Mobile application

The term mobile application means a software program that runs on the operating system of a smartphone, tablet computer, or similar mobile electronic device.

(6)

Software

The term software means any computer software program, including a mobile application.

(7)

Software marketplace operator

The term software marketplace operator means a person who, for a commercial purpose, operates an online store or marketplace through which software is made available for download by consumers in the United States.