Draft House Bill Would Impose New Requirements on Mobile Data Collection and Create Joint FTC-FCC Oversight

A draft bill circulated by Rep. Ed Markey (D-Mass) would require the Federal Trade Commission (FTC) to adopt regulations addressing monitoring software installed on mobile devices.  The bill stems from media reports last year regarding Carrier IQ's monitoring software, which is installed on millions of mobile devices.  If enacted, the Mobile Device Privacy Act would result in new obligations for wireless service providers, equipment manufacturers, device retailers, operating system providers, website operators, and other online service providers, underscoring both the number of industry segments involved and the complexity of addressing privacy concerns in today's mobile ecosystem.

One particularly noteworthy element of the Markey bill is the definition of "monitoring software" that spurs a host of new regulations.

The term "monitoring software" means software that has the capability automatically to monitor the usage of a mobile telephone or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.

This broad definition would encompass a wide array of mobile apps and services available today.

Under the draft Mobile Device Privacy Act, the FTC would have one year to issue regulations requiring carriers and device retailers to disclose at the point of sale in a clear and conspicuous manner the fact that monitoring software is installed, the type of information the software is capable of collecting and transmitting, the identity of parties with which the information will be shared, and how the information will be used.  If the monitoring software is installed after the consumer purchases the device or service, the entity installing the software or providing the software download (e.g., carrier, equipment manufacturer, operating system provider, website operator, or other online service provider) would have to make the disclosure. 

The bill would also require parties to obtain express consent from consumers before the monitoring software begins collecting and transmitting data.

In addition, the bill would impose new information security requirements.  The FTC would have one year to adopt regulations requiring recipients of the monitoring data to establish information security policies and procedures to protect the data.  Parties that enter into agreements to share the monitoring data would have to file those agreements with the FTC and the Federal Communications Commission (FCC).

The Markey bill would also establish joint FTC and FCC enforcement, with the FCC having enforcement authority over commercial mobile service providers, mobile broadband service providers, and mobile telephone manufacturers and the FTC having authority over other parties.  The bill also provides for state attorney general suits and a private right of action.

New Guidelines Released for Mobile App Privacy Policies

On October 17, the Mobile Marketing Association (“MMA”) released a set of draft privacy policy guidelines for mobile applications (“apps”) designed to address key data and privacy security issues. Entitled “Mobile Application Privacy Policy Framework,” the draft guidelines provide a “starting point” privacy policy template written in consumer-friendly language with instructions for adapting the template to specific apps.

The guidelines provide a helpful tool for informing app users of the type of information that the app obtains and how that information is used, with sections devoted to both user-provided data and automatically collected information. The guidelines also address the collection and use of “precise” real-time location information, an issue that has garnered much media attention (and increasing regulatory scrutiny) due to the popularity of new location-based services. Finally, the guidelines also address other critical app areas, including:

  • Third-party access and use of consumer data;
  • Advertising (including the use of mobile advertising networks);
  • Consumer consent and opt-out rights;
  • Data retention;
  • Children’s Online Privacy Protection Act (“COPPA”) compliance;
  • Security and confidentiality safeguards; and
  • Future changes to the policy.

The guidelines are a response to data privacy and security concerns brought about by the skyrocketing consumer demand for and usage of apps, which have exploded in the last few years. For example, although the iTunes Store and Android Market only opened in 2008, more than 1.2 million apps are currently available from multiple app stores on various operating systems, and consumers have downloaded more than 10 billion mobile apps to date.

Hogan Lovells represented the Future of Privacy Forum, a member organization of the MMA Privacy & Advisory Committee, which developed the guidelines. According to MMA, the draft guidelines are the first in a series of privacy policy materials that the organization is planning to develop.

Comments on the draft guidelines are due November 18, 2011. After that date, the guidelines will be finalized and released publicly.

FTC Releases Details About December 7, January 28 Privacy Roundtables

On November 17, the Federal Trade Commission released the agenda of the first of three privacy round tables it will hold over the course of the next few months.  The first round table will occur on December 7 at the FTC Conference Center in Washington, DC, and will feature four panels entitled "Benefits and Risks of Collecting, Using, and Retaining Consumer Data," "Consumer Expectations and Disclosures," "Online Behavioral Advertising," and "Exploring Existing Regulatory Frameworks."

The FTC also announced that its second privacy round table will be held on January 28, 2010 at the University of California, Berkeley, School of Law.  The round table will focus on how technology affects consumer privacy, including its role in both raising privacy concerns and enhancing privacy protections, and will include specific discussions on cloud computing, mobile computing, and social networking.  The FTC has posed two questions for comment in advance of this round table:

  1. What role do privacy enhancing technologies play in addressing Internet-related privacy concerns?  Consider the efficacy of technological innovations in areas such as identity management systems, new means of providing consumer notice and choice, and emerging methods of ensuring accountability in data usage.  In framing comments, consider the costs and benefits of privacy-enhancing technologies in the following contexts:  cloud computing services; social networking sites; online behavioral advertising; the mobile environment; services that collect sensitive data, such as location-based information; and any other contexts you wish to address.  If privacy enhancing technologies do play a role in resolving privacy concerns, discuss whether and how to create incentives for the development and adoption of such technologies, and ways to ensure they are effective and useful to consumers.
  2. What challenges do innovations in the digital environment pose for consumer privacy, and how can those challenges be addressed without stifling innovation or otherwise undermining benefits to consumers?  For example, consider the technology and business practices that enable greater collection, use, and distribution of consumer data, including evolving methods of observation and tracking; techniques for correlating data, including the re-identification of anonymized data; the merging of data between on-line and off-line environments; and the emergence of third-party application developers in online platform environments.

The FTC currently is soliciting requests to participate as panelists in this second round table, as well as recommendations for topics for inclusion in the agenda, which are due by December 9.  Comments or additional research on the topics will be considered prior to the second round table if they are received by December 21.

Details have not yet been released for the third and final privacy round table, which is to be held on March 17, 2010 in Washington.