A draft bill circulated by Rep. Ed Markey (D-Mass) would require the Federal Trade Commission (FTC) to adopt regulations addressing monitoring software installed on mobile devices. The bill stems from media reports last year regarding Carrier IQ’s monitoring software, which is installed on millions of mobile devices. If enacted, the Mobile Device Privacy Act would result in new obligations for wireless service providers, equipment manufacturers, device retailers, operating system providers, website operators, and other online service providers, underscoring both the number of industry segments involved and the complexity of addressing privacy concerns in todays mobile ecosystem.
One particularly noteworthy element of the Markey bill is the definition of monitoring software that spurs a host of new regulations.
The term monitoring software means software that has the capability automatically to monitor the usage of a mobile telephone or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.
This broad definition would encompass a wide array of mobile apps and services available today.
Under the draft Mobile Device Privacy Act, the FTC would have one year to issue regulations requiring carriers and device retailers to disclose at the point of sale in a clear and conspicuous manner the fact that monitoring software is installed, the type of information the software is capable of collecting and transmitting, the identity of parties with which the information will be shared, and how the information will be used. If the monitoring software is installed after the consumer purchases the device or service, the entity installing the software or providing the software download (e.g., carrier, equipment manufacturer, operating system provider, website operator, or other online service provider) would have to make the disclosure.
The bill would also require parties to obtain express consent from consumers before the monitoring software begins collecting and transmitting data.
In addition, the bill would impose new information security requirements. The FTC would have one year to adopt regulations requiring recipients of the monitoring data to establish information security policies and procedures to protect the data. Parties that enter into agreements to share the monitoring data would have to file those agreements with the FTC and the Federal Communications Commission (FCC).
The Markey bill would also establish joint FTC and FCC enforcement, with the FCC having enforcement authority over commercial mobile service providers, mobile broadband service providers, and mobile telephone manufacturers and the FTC having authority over other parties. The bill also provides for state attorney general suits and a private right of action.