United States Congressman Hank Johnson(@RepHankJohnson) has introduced a draft of the APPS Act to committee in the House of Representatives. What is the APPS Act? Well, you can read the full draft here but the description sums it up nicely: “[to] provide for greater transparency in and user control over the treatment of data collected by mobile applications and to enhance the security of such data.”
The bill has several goals in terms of data privacy:
- Prior to collecting the data, the application shall “provide the user with notice of the terms and conditions governing collection, use and storage of personal data…” §2(a)(1)(A)
- Obtain consent from the user – §2(a)(1)(B)
The developer would be required to disclose the following:
- Categories of personal data to be collected – §2(a)(2)(A)
- Categories of purposes the data will be used – §2(a)(2)(B)
- Categories of third parties which the data will be shared – §2(a)(2)(C)
- The data retention policy governing the length personal data will be stored and terms and conditions of the data storage – §2(a)(2)(D)
What does this mean for users?
Now to dispense with the legalese and talk about what this means in plain English. Currently the Play Store discloses a fraction of this information. Let’s take the image of the permissions for an app above. As you may note, the app indicates that it will have access to (1) GPS (ie – your location); (2) it can read your Google service configuration; (3) it has full internet access; (4) it has access to your Google accounts and authentication credentials; and (5) it can prevent the phone from sleeping. This type of disclosure would certainly violate the APPS Act.
How would a disclosure that was in conformity with the APPS Act look? Let’s again use the permissions image and specifically look at the location services disclosure. The categories to be collected are relatively straight forward, and this app would likely meet the requirements in terms of “personal data to be collected.” Perhaps plain language would be used instead of technical language. An example may be, instead of stating “course (network-based) location, fine (GPS) location” the app might say something like “this application will track your location based on GPS and cellular data.” However, the Act would require further disclosure. The developer would have to disclose why the data is being collected, who will be using the data, the length of time the data will be stored and how the data will be stored. As you can imagine, this might require the user to scroll through pages of information in order to install the app.
Users will absolutely benefit from the required disclosures in the proposed Act. However, most significant to the security minded folk may be subsection (b). Subsection (b) of the APPS Act concerns “Withdrawal of Consent.” The Act would require developers to provide a means for users to inform the developer of their intent to stop using the app and request the developer “refrain from any further collection of personal data through the application” and at the user’s request, either “delete any personal data collected by the application that is stored by the developer” or “refrain from any further use or sharing of such data.” §2(b)(1)(A)-(B).
What does this mean for developers?
Now that the main points of the Act regarding users have been discussed, let’s discuss for a moment how this will affect developers. Section 3 of the Act concerns enforcement of Section 2 provisions. The Act delegates enforcement to the Federal Trade Commission (“FTC”). The Act also gives a State’s Attorney General power to bring a civil suit on behalf of its citizens, should the State feel a developer is violating the Act. Lastly, the Act incorporates a “safe harbor” provision that allows developers to satisfy the requirements of the Act if they adopt a code of conduct for consumer data privacy.
In terms of the effects on developers, developers may be on the hook for violating the Act’s disclosure requirements. However, don’t jump to the recent CFAA news and the unfortunate case of Aaron Swartz as the potential punishment for violation of the Act. Nowhere, upon knowledge and belief, does the Act mention criminal punishment, only civil. Therefore, there will be no jail time and no federal criminal charges for developers who violate the disclosure requirements. Merely, the FTC or a State’s Attorney General could seek monetary damages against the developer. Maybe not a big deal to the likes of Google, but that prospect may be a cause for concern among smaller developers.
The FTC has also taken a proactive step by outlining recommendations for mobile application developers on its website. The recommendations basically track Rep. Johnson’s proposed legislation, laying out what developers should disclose to mobile application users. This step by the FTC will hopefully alleviate some of the burden on developers by encouraging developers to incorporate disclosures that will conform with the APPS Act before any law is passed by Congress. Those who would like to read the FTC’s full recommendations can take find them on the FTC’s website.
A move toward increased privacy
So, that’s the proposed Act. For the first time the United States government is attempting to regulate the collection and storage of mobile data in the name of consumer data privacy, a worthy cause to be sure.
From an end user prospective, does this adequately address privacy concerns? Some may be of the opinion that this will deter developers, especially those who release apps for no money. Might this Act stifle innovation among developers, or will compliance be relatively easy to incorporate into mobile applications?
This bill may not be perfect, but as the US government’s first meaningful step in addressing mobile data privacy concerns, how does it sound? Tell us your thoughts from consumer and developer points of view. For those who would like to follow this and other data privacy conversations, Rep. Johnson and many other experts (including myself, when I can) take part in the Twitter Chat #PrivChat on Tuesdays at 12 PM EST.
The extra legal stuff might be a pain when downloading new apps, but I like the idea of knowing exactly why a service needs certain permissions.
I swear, people are too damn paranoid about privacy in this world!!! You want privacy? That’s what doors and walls are for. Sheez, what are people sooooo private about in thus world? Just live life, and don’t be a criminal!
You don’t have to be a criminal to not want apps tracking your location or sending information about you to ad networks.
I actually prefer an ad that I would ACTUALLY click over some ad about nail polish. On Google, I get ads about cell phones and defensive driving. LoL!! I actually click on some of those ads because they’re relevant to me. IDC if they have my information. If it’s anonymous, I don’t think it matters. And if you go and say “Are you sure that data is anonymous”, then how are they allowed to say the data is anonymous?
No one has ever come to my house from collecting this data. LoL!!
I like it.
Hopefully all that extra disclosure won’t make my phone too heavy and tip over, eh Hank?
This is the guy that thought Guam was going to capsize. Check him out on YouTube
I do like the fact that they will be required to disclose exactly what is being collected, but as I mentioned, the part of the act that I think is revolutionary not only in terms of mobile data, and data in general, is the ability to revoke permission to use the data and request it be deleted. I’m definitely not some conspiracy theorist that thinks the government has nothing better to do than monitor me, but the government isn’t my concern. I care more about how corporations are making money off of my data. If you want to use my data, cut me in! If not, then it’s mine and I think I have a reasonable expectation of privacy when it comes to data about my life.
Umm.
Will Google have to enforce this ?
Developers outside the US won’t concern themselves much with US laws.
If you want my legal opinion, the US will absolutely enforce this against foreign developers. A) Google will probably make compliance with the Act a prerequisite to posting an app in the play store and B) The Federal Rules of Civil Procedure give personal jurisdiction (the jurisdiction of the court over a person/entity) over anyone who transacts business in a state/the US. So foreign developers will still be subject to all the Act’s requirements.