[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6377 Introduced in House (IH)]

112th CONGRESS
  2d Session
                                H. R. 6377

    To require disclosures to consumers regarding the capability of 
software to monitor mobile device usage, to require the express consent 
      of the consumer prior to monitoring, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 12, 2012

Mr. Markey (for himself and Ms. DeGette) introduced the following bill; 
       which was referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
    To require disclosures to consumers regarding the capability of 
software to monitor mobile device usage, to require the express consent 
      of the consumer prior to monitoring, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Mobile Device Privacy Act''.

SEC. 2. DISCLOSURES TO CONSUMERS REGARDING MOBILE DEVICE MONITORING 
              SOFTWARE.

    (a) In General.--Not later than 1 year after the date of the 
enactment of this Act, the Federal Trade Commission shall promulgate 
regulations under section 553 of title 5, United States Code, that 
require--
            (1) a person who is in the business of selling mobile 
        devices directly to consumers (including a provider of 
        commercial mobile service or commercial mobile data service who 
        sells mobile devices in connection with contracts to provide 
        service) to disclose the information described in subsection 
        (b) to the consumer at the time of sale of a mobile device on 
        which monitoring software is installed;
            (2) a provider of commercial mobile service or commercial 
        mobile data service to disclose the information described in 
        subsection (b) to the consumer at the time of entry into a 
        contract to provide service to the consumer on a mobile 
        device--
                    (A) on which the provider installs monitoring 
                software in connection with such contract; and
                    (B) that the consumer does not purchase from the 
                provider in connection with such contract;
            (3) a manufacturer of a mobile device or of the operating 
        system software for a mobile device who installs monitoring 
        software on such device, after such device is sold to the 
        consumer, to disclose to the consumer at the time of installing 
        such software the information described in subsection (b);
            (4) a provider of commercial mobile service or commercial 
        mobile data service who installs monitoring software on a 
        mobile device, after entry into a contract to provide service 
        to the consumer on such device, to disclose to the consumer at 
        the time of installing such software the information described 
        in subsection (b); and
            (5) a person who operates a website or other online service 
        from which a consumer downloads monitoring software for 
        installation on a mobile device to disclose the information 
        described in subsection (b) to the consumer at the time of the 
        download.
    (b) Information Described.--The information described in this 
subsection is the following:
            (1) The fact that the monitoring software is installed on 
        the mobile device (or, in the case of a disclosure described in 
        subsection (a)(5), the fact that the software that the consumer 
        downloads is monitoring software).
            (2) The types of information that the monitoring software 
        is capable of collecting and transmitting.
            (3) The identity of any person to whom any information 
        collected will be transmitted and of any other person with whom 
        such information will be shared.
            (4) How such information will be used.
            (5) Procedures by which a consumer who has consented to 
        collection and transmission of information by the monitoring 
        software may exercise the opportunity to prohibit further 
        collection and transmission, as described in section 3(2).
            (6) Such additional information about the monitoring 
        software as the Federal Trade Commission considers appropriate.
    (c) Manner of Disclosure.--The regulations promulgated under 
subsection (a) shall require the following:
            (1) The disclosures shall be made in a clear and 
        conspicuous manner, to be determined by the Federal Trade 
        Commission.
            (2) The disclosures shall be displayed in a clear and 
        conspicuous manner on the website of a person required to make 
        such disclosures, except that if such person does not maintain 
        a website, such person shall file such disclosures with the 
        appropriate Commission.
    (d) Exemptions Permitted.--If the Federal Trade Commission 
determines that the use of monitoring software for a particular purpose 
is consistent with the reasonable expectations of consumers, the 
Federal Trade Commission may include in the regulations promulgated 
under subsection (a) an exemption from the disclosures required by such 
regulations with respect to monitoring software that is used only for 
such purpose (or for another purpose with respect to which the Federal 
Trade Commission has made a determination under this subsection).

SEC. 3. CONSUMER CONSENT TO MONITORING OF MOBILE DEVICE USAGE.

    Not later than 1 year after the date of the enactment of this Act, 
the Federal Trade Commission shall promulgate regulations under section 
553 of title 5, United States Code, that require any person who is 
subject to the disclosure requirements of the regulations promulgated 
under section 2(a) to--
            (1) obtain the express consent of the consumer prior to the 
        time when the monitoring software first begins collecting and 
        transmitting information; and
            (2) provide a consumer who has consented to collection and 
        transmission of information by the monitoring software with the 
        opportunity at any time to prohibit further collection and 
        transmission of information by such software.

SEC. 4. INFORMATION SECURITY REQUIREMENTS.

    (a) In General.--Not later than 1 year after the date of the 
enactment of this Act, the Federal Trade Commission shall promulgate 
regulations under section 553 of title 5, United States Code, that 
require any person who receives, directly or indirectly, information 
that is transmitted from monitoring software with respect to which 
disclosures are required by the regulations promulgated under section 
2(a) to establish and implement policies and procedures regarding 
information security practices for the treatment and protection of such 
information, taking into consideration--
            (1) the size of, and the nature, scope, and complexity of 
        the activities engaged in by, such person;
            (2) the current state of the art in administrative, 
        technical, and physical safeguards for protecting such 
        information; and
            (3) the cost of implementing such safeguards.
    (b) Requirements.--Such regulations shall require the policies and 
procedures to include the following:
            (1) A security policy with respect to the collection, use, 
        sale, other dissemination, and maintenance of such information.
            (2) The identification of an officer or other individual as 
        the point of contact with responsibility for the management of 
        the security of such information.
            (3) A process for identifying and assessing any reasonably 
        foreseeable vulnerabilities in any system maintained by such 
        person that contains such information, which shall include 
        regular monitoring for a breach of security of such system.
            (4) A process for taking preventive and corrective action 
        to mitigate against any vulnerabilities identified in the 
        process required by paragraph (3), which may include 
        implementing any changes to security practices and the 
        architecture, installation, or implementation of network or 
        operating software.
            (5) A process for disposing of such information by 
        shredding, permanently erasing, or otherwise modifying such 
        information to make such information permanently unreadable or 
        undecipherable.
            (6) A standard method or methods for the destruction of 
        paper documents and other non-electronic data containing such 
        information.
    (c) Disclosure of Policies and Procedures.--Such regulations shall 
require the policies and procedures to be displayed in a clear and 
conspicuous manner on the website of a person required to establish and 
implement such policies and procedures, except that if such person does 
not maintain a website, such person shall file such policies and 
procedures with the appropriate Commission.
    (d) Treatment of Entities Governed by Other Law.--A person shall be 
deemed to be in compliance with the regulations promulgated under 
subsection (a) if such person is in compliance with any other Federal 
law that requires such person to maintain policies and procedures with 
respect to information security that, taken as a whole and as the 
Federal Trade Commission shall determine in the rulemaking required by 
such subsection, provide protections substantially similar to, or 
greater than, those provided by the policies and procedures required by 
the regulations promulgated under such subsection.

SEC. 5. FILING OF CERTAIN AGREEMENTS REGARDING INFORMATION RECEIPT.

    (a) In General.--Not later than 1 year after the date of the 
enactment of this Act, the Federal Trade Commission shall promulgate 
regulations under section 553 of title 5, United States Code, that 
require a copy of an agreement described in subsection (b) to be filed 
with the appropriate Commission.
    (b) Agreement Described.--An agreement described in this 
subsection--
            (1) is an agreement under which a person receives, directly 
        or indirectly, information that is transmitted from monitoring 
        software with respect to which disclosures are required by the 
        regulations promulgated under section 2(a); and
            (2) does not include an agreement between such a person and 
        the consumer on whose mobile device such monitoring software is 
        installed.

SEC. 6. ENFORCEMENT.

    (a) By Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        a regulation promulgated under section 2, 3, 4, or 5 shall be 
        treated as a violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of federal trade commission.--The Federal Trade 
        Commission shall enforce the regulations promulgated under 
        sections 2, 3, 4, and 5 in the same manner, by the same means, 
        and with the same jurisdiction, powers, and duties as though 
        all applicable terms and provisions of the Federal Trade 
        Commission Act (15 U.S.C. 41 et seq.) were incorporated into 
        and made a part of this Act, and any person who violates such 
        regulations shall be subject to the penalties and entitled to 
        the privileges and immunities provided in the Federal Trade 
        Commission Act.
    (b) By Federal Communications Commission.--
            (1) Treatment as violation of communications act of 1934.--
        A violation of a regulation promulgated under section 2, 3, 4, 
        or 5 by a provider of commercial mobile service or commercial 
        mobile data service or a manufacturer of a mobile device shall 
        be treated as a violation of the Communications Act of 1934 (47 
        U.S.C. 151 et seq.).
            (2) Powers of federal communications commission.--The 
        Federal Communications Commission shall enforce the regulations 
        promulgated under sections 2, 3, 4, and 5 with respect to 
        providers of commercial mobile service or commercial mobile 
        data service and manufacturers of mobile devices in the same 
        manner, by the same means, and with the same jurisdiction, 
        powers, and duties as though all applicable terms and 
        provisions of the Communications Act of 1934 were incorporated 
        into and made a part of this Act, and any such provider or 
        manufacturer who violates such regulations shall be subject to 
        the penalties and entitled to the privileges and immunities 
        provided in the Communications Act of 1934.
    (c) Division of Responsibilities Between FTC and FCC.--
            (1) Regulations.--In promulgating the regulations required 
        by sections 2, 3, 4, and 5, the Federal Trade Commission shall 
        consult with the Federal Communications Commission.
            (2) Enforcement.--In enforcing such regulations, the 
        Federal Trade Commission and the Federal Communications 
        Commission shall consult with each other.
            (3) FCC regulations on filings.--The Federal Communications 
        Commission, in consultation with the Federal Trade Commission, 
        may promulgate regulations with respect to the form and manner 
        of any filing that is required to be made with the Federal 
        Communications Commission by a regulation required by section 
        2, 4, or 5.
    (d) Actions by States.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State, or an official or agency of a State, has 
        reason to believe that an interest of the residents of that 
        State has been or is threatened or adversely affected by an act 
        or practice that violates any regulation promulgated under 
        section 2, 3, 4, or 5, the State, as parens patriae, may bring 
        a civil action on behalf of the residents of the State in an 
        appropriate State court or an appropriate district court of the 
        United States to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with the regulation;
                    (C) obtain damages, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other legal and equitable relief as 
                the court may consider to be appropriate.
            (2) Notice.--Before filing an action under this subsection, 
        the attorney general, official, or agency of the State involved 
        shall provide to the appropriate Commission a written notice of 
        that action and a copy of the complaint for that action. If the 
        attorney general, official, or agency determines that it is not 
        feasible to provide the notice described in this paragraph 
        before the filing of the action, the attorney general, 
        official, or agency shall provide written notice of the action 
        and a copy of the complaint to the appropriate Commission 
        immediately upon the filing of the action.
            (3) Authority of appropriate commission.--
                    (A) In general.--On receiving notice under 
                paragraph (2) of an action under this subsection, the 
                appropriate Commission shall have the right--
                            (i) to intervene in the action;
                            (ii) upon so intervening, to be heard on 
                        all matters arising therein; and
                            (iii) to file petitions for appeal.
                    (B) Limitation on state action while federal action 
                is pending.--If the Federal Trade Commission, the 
                Federal Communications Commission, or the Attorney 
                General of the United States has instituted a civil 
                action for violation of a regulation promulgated under 
                section 2, 3, 4, or 5 (referred to in this subparagraph 
                as the ``Federal action''), no State attorney general, 
                official, or agency may bring an action under this 
                subsection during the pendency of the Federal action 
                against any defendant named in the complaint in the 
                Federal action for any violation as alleged in that 
                complaint.
            (4) Rule of construction.--For purposes of bringing a civil 
        action under this subsection, nothing in this Act shall be 
        construed to prevent an attorney general, official, or agency 
        of a State from exercising the powers conferred on the attorney 
        general, official, or agency by the laws of that State to 
        conduct investigations, administer oaths and affirmations, or 
        compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Private Right of Action.--
            (1) In general.--A person injured by an act in violation of 
        a regulation promulgated under section 2, 3, 4, or 5 may bring 
        in an appropriate State court or an appropriate district court 
        of the United States--
                    (A) an action to enjoin such violation;
                    (B) an action to recover damages for actual 
                monetary loss from such violation, or to receive up to 
                $1,000 in damages for each such violation, whichever is 
                greater; or
                    (C) both such actions.
            (2) Willful or knowing violations.--If the court finds that 
        the defendant acted willfully or knowingly in committing a 
        violation described in paragraph (1), the court may, in its 
        discretion, increase the amount of the award to an amount equal 
        to not more than 3 times the amount available under paragraph 
        (1)(B).
            (3) Costs.--The court shall award to a prevailing plaintiff 
        in an action under this subsection the costs of such action and 
        reasonable attorney's fees, as determined by the court.
            (4) Limitation.--An action may be commenced under this 
        subsection not later than 2 years after the date on which the 
        person first discovered or had a reasonable opportunity to 
        discover the violation.
            (5) Nonexclusive remedy.--The remedy provided by this 
        subsection shall be in addition to any other remedies available 
        to the person, except that, in the case of a violation or 
        series of related violations by a common carrier subject to 
        title II of the Communications Act of 1934 (47 U.S.C. 201 et 
        seq.), the person may pursue either the remedy provided by this 
        subsection or any remedies provided by such title, but not 
        both.

SEC. 7. DEFINITIONS.

    In this Act:
            (1) Appropriate commission.--The term ``appropriate 
        Commission'' means either the Federal Trade Commission or the 
        Federal Communications Commission, or both, depending on which 
        Commission has jurisdiction under section 6 with respect to the 
        person and activity involved.
            (2) Commercial mobile data service.--The term ``commercial 
        mobile data service'' has the meaning given such term in 
        section 6001 of the Middle Class Tax Relief and Job Creation 
        Act of 2012 (47 U.S.C. 1401).
            (3) Commercial mobile service.--The term ``commercial 
        mobile service'' has the meaning given such term in section 332 
        of the Communications Act of 1934 (47 U.S.C. 332).
            (4) Mobile device.--The term ``mobile device'' means a 
        personal electronic device that has the capability of 
        transmitting and receiving voice, video, or data communications 
        by means of commercial mobile service or commercial mobile data 
        service.
            (5) Monitoring software.--The term ``monitoring software'' 
        means software that has the capability to monitor the usage of 
        a mobile device or the location of the user and to transmit the 
        information collected to another device or system, whether or 
        not such capability is the primary function of the software or 
        the purpose for which the software is marketed.