113 HR 1913 IH: Application Privacy, Protection, and Security Act of 2013
U.S. House of Representatives
2013-05-09
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
I

113th CONGRESS
1st Session
H. R. 1913

IN THE HOUSE OF REPRESENTATIVES

May 9, 2013

Mr. Johnson of Georgia (for himself, Ms. Jackson Lee, Mr. Engel, Mr. Conyers, and Mr. Chabot) introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To provide for greater transparency in and user control over the treatment of data collected by mobile applications and to enhance the security of such data.
	
1. Short title

This Act may be cited as the "Application Privacy, Protection, and Security Act of 2013" or the "APPS Act of 2013".

2. Transparency, user control, and security

(a) Consent to terms and conditions

(1) In general. Before a mobile application collects personal data about a user of the application, the developer of the application shall—
(A) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data; and
(B) obtain the consent of the user to such terms and conditions.
(2) Required content. The notice required by paragraph (1)(A) shall include the following:
(A) The categories of personal data that will be collected.
(B) The categories of purposes for which the personal data will be used.
(C) The categories of third parties with which the personal data will be shared.
(D) A data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the rights of the user under subsection (b) and the process by which the user may exercise such rights.
(3) Additional specifications and flexibility. The Commission shall by regulation specify the format, manner, and timing of the notice required by paragraph (1)(A). In promulgating the regulations, the Commission shall consider how to ensure the most effective and efficient communication to the user regarding the treatment of personal data.
(4) Direct access to data by third parties. For purposes of this Act, if the developer of a mobile application allows a third party to access personal data collected by the application, such personal data shall be considered to be shared with the third party, whether or not such personal data are first transmitted to the developer.

(b) Withdrawal of consent. The developer of a mobile application shall—
(1) provide a user of the application with a means of—
(A) notifying the developer that the user intends to stop using the application; and
(B) requesting the developer—
(i) to refrain from any further collection of personal data through the application; and
(ii) at the option of the user, either—
(I) to the extent practicable, to delete any personal data collected by the application that is stored by the developer; or
(II) to refrain from any further use or sharing of such data; and
(2) within a reasonable and appropriate time after receiving a request under paragraph (1)(B), comply with such request.

(c) Security of personal data and de-identified data. The developer of a mobile application shall take reasonable and appropriate measures to prevent unauthorized access to personal data and de-identified data collected by the application.

(d) Exception. Nothing in this Act prohibits the developer of a mobile application from disclosing or preserving personal data or de-identified data as required by—
(1) other Federal law (including a court order); or
(2) except as provided in section 6, the law of a State or a political subdivision of a State (including a court order).
3. Application and enforcement

(a) General application. The requirements of this Act and the regulations promulgated under this Act apply, according to their terms, to those persons, partnerships, and corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)).

(b) Enforcement by Federal Trade Commission

(1) Unfair or deceptive acts or practices. A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of Commission. The Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

(c) Actions by States

(1) In general. In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of such State has been or is threatened or adversely affected by an act or practice in violation of this Act or a regulation promulgated under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to—
(A) enjoin such act or practice;
(B) enforce compliance with this Act or such regulation;
(C) obtain damages, restitution, or other compensation on behalf of residents of the State; or
(D) obtain such other legal and equitable relief as the court may consider to be appropriate.
(2) Notice. Before filing an action under this subsection, the attorney general, official, or agency of the State involved shall provide to the Commission a written notice of such action and a copy of the complaint for such action. If the attorney general, official, or agency determines that it is not feasible to provide the notice described in this paragraph before the filing of the action, the attorney general, official, or agency shall provide written notice of the action and a copy of the complaint to the Commission immediately upon the filing of the action.
(3) Authority of Commission
(A) In general. On receiving notice under paragraph (2) of an action under this subsection, the Commission shall have the right—
(i) to intervene in the action;
(ii) upon so intervening, to be heard on all matters arising therein; and
(iii) to file petitions for appeal.
(B) Limitation on State action while Federal action is pending. If the Commission or the Attorney General of the United States has instituted a civil action for violation of this Act or a regulation promulgated under this Act (referred to in this subparagraph as the "Federal action"), no State attorney general, official, or agency may bring an action under this subsection during the pendency of the Federal action against any defendant named in the complaint in the Federal action for any violation of this Act or such regulation alleged in such complaint.
(4) Rule of construction. For purposes of bringing a civil action under this subsection, nothing in this Act shall be construed to prevent an attorney general, official, or agency of a State from exercising the powers conferred on the attorney general, official, or agency by the laws of such State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence.
4. Regulations

Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations in accordance with section 553 of title 5, United States Code, to implement and enforce this Act.

5. Safe harbor

(a) In general. The developer of a mobile application may satisfy the requirements of this Act and the regulations promulgated under this Act by adopting and following a code of conduct for consumer data privacy (insofar as such code relates to data collected by a mobile application) that—
(1) was developed in a multistakeholder process convened by the National Telecommunications and Information Administration, as described in the document issued by the President on February 23, 2012, entitled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy"; and
(2) the Commission has approved as meeting the requirements of the regulations promulgated under section 4.

(b) Regulations. The Commission shall promulgate regulations in accordance with section 553 of title 5, United States Code, to govern the consideration and approval of codes of conduct under subsection (a)(2).
6. Relationship to State law

This Act and the regulations promulgated under this Act supersede a provision of law of a State or a political subdivision of a State only to the extent that such provision—
(1) conflicts with this Act or such regulations, as determined without regard to section 2(d)(2);
(2) specifically relates to the treatment of personal data or de-identified data; and
(3) provides a level of transparency, user control, or security in the treatment of personal data or de-identified data that is less than the level provided by this Act and such regulations.

7. Preservation of FTC authority

Nothing in this Act may be construed in any way to limit or affect the authority of the Commission under any other provision of law.

8. Definitions

In this Act:
(1) Commission. The term "Commission" means the Federal Trade Commission.
(2) De-identified data. The term "de-identified data" means data that cannot reasonably be used to identify or infer information about, or otherwise be linked to, a particular individual or mobile device, as determined with a reasonable level of justified confidence based on the available methods and technologies, the nature of the data at issue, and the purposes for which the data will be used.
(3) Developer. The term "developer" shall have the meaning given such term by the Commission by regulation.
(4) Mobile application. The term "mobile application" means a software program that—
(A) runs on the operating system of a mobile device; and
(B) collects data from a user.
(5) Mobile device. The term "mobile device" means a smartphone, tablet computer, or similar portable computing device that transmits data over a wireless connection.
(6) Personal data. The term "personal data" shall have the meaning given such term by the Commission by regulation, except that such term shall not include de-identified data.
(7) State. The term "State" means each of the several States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian tribe.
(8) Third party. The term "third party" means, with respect to the developer of an application, an entity that holds itself out to the public as separate from the developer such that a user of the application acting reasonably under the circumstances would not expect the entity to be related to the developer or to have access to personal data the user provides to the developer. Such term includes an affiliate of the developer unless the affiliation is reasonably clear to users of the application.

9. Effective date

This Act shall apply with respect to any collection, use, storage, or sharing of personal data or de-identified data that occurs after the date that is 30 days after the promulgation of final regulations under section 4.
