
	
		I
		112th CONGRESS
		2d Session
		H. R. 6377
		IN THE HOUSE OF REPRESENTATIVES
		
			September 12, 2012
			Mr. Markey (for himself and Ms. DeGette) introduced the following bill; which was referred to the Committee on Energy and Commerce

		A BILL
		To require disclosures to consumers regarding the capability of software to monitor mobile device usage, to require the express consent of the consumer prior to monitoring, and for other purposes.
	
	
		1. Short title. This Act may be cited as the “Mobile Device Privacy Act”.
		2. Disclosures to consumers regarding mobile device monitoring software
			(a) In general. Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require—
				(1) a person who is in the business of selling mobile devices directly to consumers (including a provider of commercial mobile service or commercial mobile data service who sells mobile devices in connection with contracts to provide service) to disclose the information described in subsection (b) to the consumer at the time of sale of a mobile device on which monitoring software is installed;
				(2) a provider of commercial mobile service or commercial mobile data service to disclose the information described in subsection (b) to the consumer at the time of entry into a contract to provide service to the consumer on a mobile device—
					(A) on which the provider installs monitoring software in connection with such contract; and
					(B) that the consumer does not purchase from the provider in connection with such contract;
				(3) a manufacturer of a mobile device or of the operating system software for a mobile device who installs monitoring software on such device, after such device is sold to the consumer, to disclose to the consumer at the time of installing such software the information described in subsection (b);
				(4) a provider of commercial mobile service or commercial mobile data service who installs monitoring software on a mobile device, after entry into a contract to provide service to the consumer on such device, to disclose to the consumer at the time of installing such software the information described in subsection (b); and
				(5) a person who operates a website or other online service from which a consumer downloads monitoring software for installation on a mobile device to disclose the information described in subsection (b) to the consumer at the time of the download.
			(b) Information described. The information described in this subsection is the following:
				(1) The fact that the monitoring software is installed on the mobile device (or, in the case of a disclosure described in subsection (a)(5), the fact that the software that the consumer downloads is monitoring software).
				(2) The types of information that the monitoring software is capable of collecting and transmitting.
				(3) The identity of any person to whom any information collected will be transmitted and of any other person with whom such information will be shared.
				(4) How such information will be used.
				(5) Procedures by which a consumer who has consented to collection and transmission of information by the monitoring software may exercise the opportunity to prohibit further collection and transmission, as described in section 3(2).
				(6) Such additional information about the monitoring software as the Federal Trade Commission considers appropriate.
			(c) Manner of disclosure. The regulations promulgated under subsection (a) shall require the following:
				(1) The disclosures shall be made in a clear and conspicuous manner, to be determined by the Federal Trade Commission.
				(2) The disclosures shall be displayed in a clear and conspicuous manner on the website of a person required to make such disclosures, except that if such person does not maintain a website, such person shall file such disclosures with the appropriate Commission.
			(d) Exemptions permitted. If the Federal Trade Commission determines that the use of monitoring software for a particular purpose is consistent with the reasonable expectations of consumers, the Federal Trade Commission may include in the regulations promulgated under subsection (a) an exemption from the disclosures required by such regulations with respect to monitoring software that is used only for such purpose (or for another purpose with respect to which the Federal Trade Commission has made a determination under this subsection).
		3. Consumer consent to monitoring of mobile device usage. Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require any person who is subject to the disclosure requirements of the regulations promulgated under section 2(a) to—
			(1) obtain the express consent of the consumer prior to the time when the monitoring software first begins collecting and transmitting information; and
			(2) provide a consumer who has consented to collection and transmission of information by the monitoring software with the opportunity at any time to prohibit further collection and transmission of information by such software.
		4. Information security requirements
			(a) In general. Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require any person who receives, directly or indirectly, information that is transmitted from monitoring software with respect to which disclosures are required by the regulations promulgated under section 2(a) to establish and implement policies and procedures regarding information security practices for the treatment and protection of such information, taking into consideration—
				(1) the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
				(2) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
				(3) the cost of implementing such safeguards.
			(b) Requirements. Such regulations shall require the policies and procedures to include the following:
				(1) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such information.
				(2) The identification of an officer or other individual as the point of contact with responsibility for the management of the security of such information.
				(3) A process for identifying and assessing any reasonably foreseeable vulnerabilities in any system maintained by such person that contains such information, which shall include regular monitoring for a breach of security of such system.
				(4) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by paragraph (3), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.
				(5) A process for disposing of such information by shredding, permanently erasing, or otherwise modifying such information to make such information permanently unreadable or undecipherable.
				(6) A standard method or methods for the destruction of paper documents and other non-electronic data containing such information.
			(c) Disclosure of policies and procedures. Such regulations shall require the policies and procedures to be displayed in a clear and conspicuous manner on the website of a person required to establish and implement such policies and procedures, except that if such person does not maintain a website, such person shall file such policies and procedures with the appropriate Commission.
			(d) Treatment of entities governed by other law. A person shall be deemed to be in compliance with the regulations promulgated under subsection (a) if such person is in compliance with any other Federal law that requires such person to maintain policies and procedures with respect to information security that, taken as a whole and as the Federal Trade Commission shall determine in the rulemaking required by such subsection, provide protections substantially similar to, or greater than, those provided by the policies and procedures required by the regulations promulgated under such subsection.
		5. Filing of certain agreements regarding information receipt
			(a) In general. Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require a copy of an agreement described in subsection (b) to be filed with the appropriate Commission.
			(b) Agreement described. An agreement described in this subsection—
				(1) is an agreement under which a person receives, directly or indirectly, information that is transmitted from monitoring software with respect to which disclosures are required by the regulations promulgated under section 2(a); and
				(2) does not include an agreement between such a person and the consumer on whose mobile device such monitoring software is installed.
		6. Enforcement
			(a) By Federal Trade Commission
				(1) Unfair or deceptive acts or practices. A violation of a regulation promulgated under section 2, 3, 4, or 5 shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
				(2) Powers of Federal Trade Commission. The Federal Trade Commission shall enforce the regulations promulgated under sections 2, 3, 4, and 5 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, and any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.
			(b) By Federal Communications Commission
				(1) Treatment as violation of Communications Act of 1934. A violation of a regulation promulgated under section 2, 3, 4, or 5 by a provider of commercial mobile service or commercial mobile data service or a manufacturer of a mobile device shall be treated as a violation of the Communications Act of 1934 (47 U.S.C. 151 et seq.).
				(2) Powers of Federal Communications Commission. The Federal Communications Commission shall enforce the regulations promulgated under sections 2, 3, 4, and 5 with respect to providers of commercial mobile service or commercial mobile data service and manufacturers of mobile devices in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Communications Act of 1934 were incorporated into and made a part of this Act, and any such provider or manufacturer who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in the Communications Act of 1934.
			(c) Division of responsibilities between FTC and FCC
				(1) Regulations. In promulgating the regulations required by sections 2, 3, 4, and 5, the Federal Trade Commission shall consult with the Federal Communications Commission.
				(2) Enforcement. In enforcing such regulations, the Federal Trade Commission and the Federal Communications Commission shall consult with each other.
				(3) FCC regulations on filings. The Federal Communications Commission, in consultation with the Federal Trade Commission, may promulgate regulations with respect to the form and manner of any filing that is required to be made with the Federal Communications Commission by a regulation required by section 2, 4, or 5.
			(d) Actions by States
				(1) Civil actions. In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates any regulation promulgated under section 2, 3, 4, or 5, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate State court or an appropriate district court of the United States to—
					(A) enjoin that act or practice;
					(B) enforce compliance with the regulation;
					(C) obtain damages, restitution, or other compensation on behalf of residents of the State; or
					(D) obtain such other legal and equitable relief as the court may consider to be appropriate.
				(2) Notice. Before filing an action under this subsection, the attorney general, official, or agency of the State involved shall provide to the appropriate Commission a written notice of that action and a copy of the complaint for that action. If the attorney general, official, or agency determines that it is not feasible to provide the notice described in this paragraph before the filing of the action, the attorney general, official, or agency shall provide written notice of the action and a copy of the complaint to the appropriate Commission immediately upon the filing of the action.
				(3) Authority of appropriate Commission
					(A) In general. On receiving notice under paragraph (2) of an action under this subsection, the appropriate Commission shall have the right—
						(i) to intervene in the action;
						(ii) upon so intervening, to be heard on all matters arising therein; and
						(iii) to file petitions for appeal.
					(B) Limitation on State action while Federal action is pending. If the Federal Trade Commission, the Federal Communications Commission, or the Attorney General of the United States has instituted a civil action for violation of a regulation promulgated under section 2, 3, 4, or 5 (referred to in this subparagraph as the “Federal action”), no State attorney general, official, or agency may bring an action under this subsection during the pendency of the Federal action against any defendant named in the complaint in the Federal action for any violation as alleged in that complaint.
				(4) Rule of construction. For purposes of bringing a civil action under this subsection, nothing in this Act shall be construed to prevent an attorney general, official, or agency of a State from exercising the powers conferred on the attorney general, official, or agency by the laws of that State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence.
			(e) Private right of action
				(1) In general. A person injured by an act in violation of a regulation promulgated under section 2, 3, 4, or 5 may bring in an appropriate State court or an appropriate district court of the United States—
					(A) an action to enjoin such violation;
					(B) an action to recover damages for actual monetary loss from such violation, or to receive up to $1,000 in damages for each such violation, whichever is greater; or
					(C) both such actions.
				(2) Willful or knowing violations. If the court finds that the defendant acted willfully or knowingly in committing a violation described in paragraph (1), the court may, in its discretion, increase the amount of the award to an amount equal to not more than 3 times the amount available under paragraph (1)(B).
				(3) Costs. The court shall award to a prevailing plaintiff in an action under this subsection the costs of such action and reasonable attorney’s fees, as determined by the court.
				(4) Limitation. An action may be commenced under this subsection not later than 2 years after the date on which the person first discovered or had a reasonable opportunity to discover the violation.
				(5) Nonexclusive remedy. The remedy provided by this subsection shall be in addition to any other remedies available to the person, except that, in the case of a violation or series of related violations by a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.), the person may pursue either the remedy provided by this subsection or any remedies provided by such title, but not both.
		7. Definitions. In this Act:
			(1) Appropriate Commission. The term “appropriate Commission” means either the Federal Trade Commission or the Federal Communications Commission, or both, depending on which Commission has jurisdiction under section 6 with respect to the person and activity involved.
			(2) Commercial mobile data service. The term “commercial mobile data service” has the meaning given such term in section 6001 of the Middle Class Tax Relief and Job Creation Act of 2012 (47 U.S.C. 1401).
			(3) Commercial mobile service. The term “commercial mobile service” has the meaning given such term in section 332 of the Communications Act of 1934 (47 U.S.C. 332).
			(4) Mobile device. The term “mobile device” means a personal electronic device that has the capability of transmitting and receiving voice, video, or data communications by means of commercial mobile service or commercial mobile data service.
			(5) Monitoring software. The term “monitoring software” means software that has the capability to monitor the usage of a mobile device or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.
			
