After listening to all of the feedback that we received through AppRights, the third provision to protect your privacy requires transparent data collection through notice and choice.
Before collecting any data from users, developers would be required to provide users with notice of the terms and conditions for collecting, using, and sharing users’ personal data. This notice would include the categories of personal data collected, the categories of purposes for this collection, and the categories of third parties with which this data is shared following collection by the developer.
The Federal Trade Commission would determine what type of notice is appropriate through a rulemaking that specifies the format, manner, and timing of the notice. This rulemaking is important for providing flexible protection as norms and technologies change.
Users would exercise choice by deciding whether to consent to data collection after receiving this notice.
(a) CONSENT TO TERMS AND CONDITIONS.—
(1) IN GENERAL.—Before a mobile application collects personal data about a user of the application, the developer of the application shall—
(A) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data; and
(B) obtain the consent of the user to such terms and conditions.
(2) REQUIRED CONTENT.—The notice required by paragraph (1)(A) shall include the following:
(A) The categories of personal data that will be collected.
(B) The categories of purposes for which the personal data will be used.
(C) The categories of third parties with which the personal data will be shared.
(D) A description of the rights of the user under subsection (b) and the process by which the user may exercise such rights.
(3) ADDITIONAL SPECIFICATIONS AND FLEXIBILITY.—The Commission shall by regulation specify the format, manner, and timing of the notice required by paragraph (1)(A). In promulgating the regulations, the Commission shall consider how to ensure the most effective and efficient communication to the user regarding the treatment of personal data.
(4) DIRECT ACCESS TO DATA BY THIRD PARTIES.—For purposes of this Act, if the developer of a mobile application allows a third party to access personal data collected by the application, such personal data shall be considered to be shared with the third party, whether or not such personal data are first transmitted to the developer.
• The term “anonymous data” means data from which particular individuals cannot be identified.
• The term “developer” has the meaning given by the Federal Trade Commission by regulation.
• The term “mobile application” means a software program (A) that runs on the operating system of a mobile device; and (B) with which the user of the device directly interacts.
• The term “mobile device” means a smartphone, tablet computer, or similar portable computing device that transmits data over a wireless connection.
• The term “personal data” has the meaning given by the Federal Trade Commission by regulation, but does not include anonymous data.
Last week we discussed the security provision, the second provision of the mobile privacy legislation that the Congressman intends to introduce in the 113th Congress. This provision protects user data by requiring developers to prevent unauthorized access to a user’s data, such as a data breach, through reasonable and appropriate security measures.
Each provision will have a two-week period for you to let us know about your thoughts and concerns. Once we have heard back from you on all three principles, we will issue another legislative transparency report that explores your feedback before the Congressman introduces legislation.
We look forward to your input on the transparency provision, and hope you will continue to express your views and concerns regarding mobile privacy. As you share your thoughts with us through our secure form at AppRights.us, or interact with us on Facebook or Twitter, we will work together to find the right solutions to each issue.