Rep. Ed Markey (D-MA-07) introduced the "Mobile Device Privacy Act" (H.R. 6377) on September 12, amidst a staid hearing on the "mobile apps economy," and against the backdrop of ongoing multistakeholder meetings on a code of conduct for mobile app privacy run by the White House.

The Act would require anyone "in the business of selling mobile devices directly to consumers" to disclose certain information "to the consumer at the time of sale of a mobile device on which monitoring software is installed" or anyone who installs monitoring software on a mobile device (including when embedded in other software) to disclose certain information "to the consumer at the time of installing such software." More importantly, the consumer's express consent would be required before the software "first begins collecting and transmitting information" and the consumer would have to be able to rescind that consent "at any time." The Act would also require stringent data security protections and would be enforced by the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC), civil actions filed by state Attorneys General, and private lawsuits.

The disclosures, which would have to be "clear and conspicuous," would include:

  1. "The fact that the monitoring software is installed on the mobile device" or "the fact that the software that the consumer downloads is monitoring software".
  2. "The types of information that the monitoring software is capable of collecting and transmitting"
  3. "The identity of any person to whom any information collected will be transmitted and of any other person with whom such information will be shared."
  4. "How such information will be used"
  5. "Procedures by which a consumer who has consented to collection and transmission of information by the monitoring software may exercise the opportunity to prohibit further collection and transmission"
  6. And anything else the FTC "considers appropriate."

The Mobile Device Privacy Act defines "‘mobile device" as "a personal electronic device that has the capability of transmitting and receiving voice, video, or data communications by means of commercial mobile service or commercial mobile data service." Tjhe Act defines "monitoring software" as "software that has the capability to monitor the usage of a mobile device or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed."

MRA is concerned that the Mobile Device Privacy Act may significantly restrict marketing research data collection, tracking and analysis on mobile devices, particularly by requiring express prior consent from consumers, and may be unnecessarily capricious by allowing for unending private lawsuits.

Congressional hearing on mobile apps
In opening a hearing titled "Where the Jobs Are: There’s an App for That" yesterday, House Commerce, Manufacturing, and Trade Subcommittee Chairman Mary Bono Mack (R-CA-45) stated, "Through American innovation and ingenuity – we’re rapidly becoming a world where there’s literally ‘An App for Everything."

Rey Ramsey, President and CEO of TechNet, testified that, "The barriers to entry to developing apps are fairly low; if you have a computer, broadband connection, and the right skills and software, … you can start coding."

It is precisely that sense of a rapidly changing "Wild West" landscape that concerns some activists and policy makers. Rep. Markey remarked that the House Energy & Commerce Committee needs to properly understand mobile data collection and use and why it occurs, and more importantly, "so do consumers." He then explained why he was introducing the Mobile Device Privacy Act:

"Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information. This is especially true for parents of children and teens, the fastest growing group of smartphone users. This legislation will provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to such transmission. I look forward to working with my colleagues to pass this important consumer protection legislation."

Unfortunately, Rep. Markey's legislation, as we've detailed above, doesn't just give consumers the power to say "no," but requires their explicit prior consent. The Act is not as innocuous as he seems to claim.

MRA's involvement
While we oppose the Mobile Device Privacy Act, MRA has taken the position that location privacy in such circumstances demands an opt opt with a fair and appropriate transparency of the tracking activity. We also recommend opt in as the best practice of the research profession (but have no wish to see it required, without context, by law).

MRA continues to participate in the White House's multistakeholder privacy process. A previously-scheduled September 19 meeting has been cancelled in favor of a series of briefings this month on the nitty-gritty details of mobile app functionality, data flows, best practices, and existing self-regulatory standards. MRA will continue to keep members apprised of developments and advocate for the research profession's interests in the process.

For more information, see the FTC's latest guidelines on mobile apps, as well as MRA's reports from the 1st, 2nd and 3rd multistakeholder privacy meetings.