[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6547 Introduced in House (IH)]

115th CONGRESS
  2d Session
                                H. R. 6547

   To provide for greater transparency in and user control over the 
 treatment of data collected by mobile applications and to enhance the 
                         security of such data.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 26, 2018

 Mr. Johnson of Georgia (for himself, Mr. Barton, Ms. Jackson Lee, Mr. 
  Chabot, and Mr. Cicilline) introduced the following bill; which was 
            referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL

   To provide for greater transparency in and user control over the 
 treatment of data collected by mobile applications and to enhance the 
                         security of such data.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Application Privacy, Protection, and 
Security Act of 2018'' or the ``APPS Act of 2018''.

SEC. 2. TRANSPARENCY, USER CONTROL, AND SECURITY.

    (a) Consent to Terms and Conditions.--
            (1) In general.--Before a mobile application collects 
        personal data about a user of the application, the developer of 
        the application shall--
                    (A) provide the user with notice of the terms and 
                conditions governing the collection, use, storage, and 
                sharing of the personal data; and
                    (B) obtain the consent of the user to such terms 
                and conditions.
            (2) Required content.--The notice required by paragraph 
        (1)(A) shall include the following:
                    (A) The categories of personal data that will be 
                collected.
                    (B) The categories of purposes for which the 
                personal data will be used.
                    (C) The categories of third parties with which the 
                personal data will be shared.
                    (D) A data retention policy that governs the length 
                for which the personal data will be stored and the 
                terms and conditions applicable to storage, including a 
                description of the rights of the user under subsection 
                (b) and the process by which the user may exercise such 
                rights.
            (3) Additional specifications and flexibility.--The 
        Commission shall by regulation specify the format, manner, and 
        timing of the notice required by paragraph (1)(A). In 
        promulgating the regulations, the Commission shall consider how 
        to ensure the most effective and efficient communication to the 
        user regarding the treatment of personal data.
            (4) Direct access to data by third parties.--For purposes 
        of this Act, if the developer of a mobile application allows a 
        third party to access personal data collected by the 
        application, such personal data shall be considered to be 
        shared with the third party, whether or not such personal data 
        are first transmitted to the developer.
    (b) Withdrawal of Consent.--The developer of a mobile application 
shall--
            (1) provide a user of the application with a means of--
                    (A) notifying the developer that the user intends 
                to stop using the application; and
                    (B) requesting the developer--
                            (i) to refrain from any further collection 
                        of personal data through the application; and
                            (ii) at the option of the user, either--
                                    (I) to the extent practicable, to 
                                delete any personal data collected by 
                                the application that is stored by the 
                                developer; or
                                    (II) to refrain from any further 
                                use or sharing of such data; and
            (2) within a reasonable and appropriate time after 
        receiving a request under paragraph (1)(B), comply with such 
        request.
    (c) Security of Personal Data and De-Identified Data.--The 
developer of a mobile application shall take reasonable and appropriate 
measures to prevent unauthorized access to personal data and de-
identified data collected by the application.
    (d) Exception.--Nothing in this Act prohibits the developer of a 
mobile application from disclosing or preserving personal data or de-
identified data as required by--
            (1) other Federal law (including a court order); or
            (2) except as provided in section 6, the law of a State or 
        a political subdivision of a State (including a court order).

SEC. 3. APPLICATION AND ENFORCEMENT.

    (a) General Application.--The requirements of this Act and the 
regulations promulgated under this Act apply, according to their terms, 
to those persons, partnerships, and corporations over which the 
Commission has authority pursuant to section 5(a)(2) of the Federal 
Trade Commission Act (15 U.S.C. 45(a)(2)).
    (b) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this Act or a regulation promulgated under this Act shall be 
        treated as a violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of commission.--The Commission shall enforce 
        this Act and the regulations promulgated under this Act in the 
        same manner, by the same means, and with the same jurisdiction, 
        powers, and duties as though all applicable terms and 
        provisions of the Federal Trade Commission Act (15 U.S.C. 41 et 
        seq.) were incorporated into and made a part of this Act. Any 
        person who violates this Act or a regulation promulgated under 
        this Act shall be subject to the penalties and entitled to the 
        privileges and immunities provided in the Federal Trade 
        Commission Act.
    (c) Actions by States.--
            (1) In general.--In any case in which the attorney general 
        of a State, or an official or agency of a State, has reason to 
        believe that an interest of the residents of such State has 
        been or is threatened or adversely affected by an act or 
        practice in violation of this Act or a regulation promulgated 
        under this Act, the State, as parens patriae, may bring a civil 
        action on behalf of the residents of the State in an 
        appropriate district court of the United States to--
                    (A) enjoin such act or practice;
                    (B) enforce compliance with this Act or such 
                regulation;
                    (C) obtain damages, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other legal and equitable relief as 
                the court may consider to be appropriate.
            (2) Notice.--Before filing an action under this subsection, 
        the attorney general, official, or agency of the State involved 
        shall provide to the Commission a written notice of such action 
        and a copy of the complaint for such action. If the attorney 
        general, official, or agency determines that it is not feasible 
        to provide the notice described in this paragraph before the 
        filing of the action, the attorney general, official, or agency 
        shall provide written notice of the action and a copy of the 
        complaint to the Commission immediately upon the filing of the 
        action.
            (3) Authority of commission.--
                    (A) In general.--On receiving notice under 
                paragraph (2) of an action under this subsection, the 
                Commission shall have the right--
                            (i) to intervene in the action;
                            (ii) upon so intervening, to be heard on 
                        all matters arising therein; and
                            (iii) to file petitions for appeal.
                    (B) Limitation on state action while federal action 
                is pending.--If the Commission or the Attorney General 
                of the United States has instituted a civil action for 
                violation of this Act or a regulation promulgated under 
                this Act (referred to in this subparagraph as the 
                ``Federal action''), no State attorney general, 
                official, or agency may bring an action under this 
                subsection during the pendency of the Federal action 
                against any defendant named in the complaint in the 
                Federal action for any violation of this Act or such 
                regulation alleged in such complaint.
            (4) Rule of construction.--For purposes of bringing a civil 
        action under this subsection, nothing in this Act shall be 
        construed to prevent an attorney general, official, or agency 
        of a State from exercising the powers conferred on the attorney 
        general, official, or agency by the laws of such State to 
        conduct investigations, administer oaths and affirmations, or 
        compel the attendance of witnesses or the production of 
        documentary and other evidence.

SEC. 4. REGULATIONS.

    Not later than 1 year after the date of the enactment of this Act, 
the Commission shall promulgate regulations in accordance with section 
553 of title 5, United States Code, to implement and enforce this Act.

SEC. 5. SAFE HARBOR.

    (a) In General.--The developer of a mobile application may satisfy 
the requirements of this Act and the regulations promulgated under this 
Act by adopting and following a code of conduct for consumer data 
privacy (insofar as such code relates to data collected by a mobile 
application) that--
            (1) was developed in a multistakeholder process convened by 
        the National Telecommunications and Information Administration, 
        as described in the document issued by the President on 
        February 23, 2012, entitled ``Consumer Data Privacy in a 
        Networked World: A Framework for Protecting Privacy and 
        Promoting Innovation in the Global Digital Economy''; and
            (2) the Commission has approved as meeting the requirements 
        of the regulations promulgated under section 4.
    (b) Regulations.--The Commission shall promulgate regulations in 
accordance with section 553 of title 5, United States Code, to govern 
the consideration and approval of codes of conduct under subsection 
(a)(2).

SEC. 6. RELATIONSHIP TO STATE LAW.

    This Act and the regulations promulgated under this Act supercede a 
provision of law of a State or a political subdivision of a State only 
to the extent that such provision--
            (1) conflicts with this Act or such regulations, as 
        determined without regard to section 2(d)(2);
            (2) specifically relates to the treatment of personal data 
        or de-identified data; and
            (3) provides a level of transparency, user control, or 
        security in the treatment of personal data or de-identified 
        data that is less than the level provided by this Act and such 
        regulations.

SEC. 7. PRESERVATION OF FTC AUTHORITY.

    Nothing in this Act may be construed in any way to limit or affect 
the authority of the Commission under any other provision of law.

SEC. 8. DEFINITIONS.

    In this Act:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) De-identified data.--The term ``de-identified data'' 
        means data that cannot reasonably be used to identify or infer 
        information about, or otherwise be linked to, a particular 
        individual or mobile device, as determined with a reasonable 
        level of justified confidence based on the available methods 
        and technologies, the nature of the data at issue, and the 
        purposes for which the data will be used.
            (3) Developer.--The term ``developer'' shall have the 
        meaning given such term by the Commission by regulation.
            (4) Mobile application.--The term ``mobile application'' 
        means a software program that--
                    (A) runs on the operating system of a mobile 
                device; and
                    (B) collects data from a user.
            (5) Mobile device.--The term ``mobile device'' means a 
        smartphone, tablet computer, or similar portable computing 
        device that transmits data over a wireless connection.
            (6) Personal data.--The term ``personal data'' shall have 
        the meaning given such term by the Commission by regulation, 
        except that such term shall not include de-identified data.
            (7) State.--The term ``State'' means each of the several 
        States, the District of Columbia, each commonwealth, territory, 
        or possession of the United States, and each federally 
        recognized Indian Tribe.
            (8) Third party.--The term ``third party'' means, with 
        respect to the developer of an application, an entity that 
        holds itself out to the public as separate from the developer 
        such that a user of the application acting reasonably under the 
        circumstances would not expect the entity to be related to the 
        developer or to have access to personal data the user provides 
        to the developer. Such term includes an affiliate of the 
        developer unless the affiliation is reasonably clear to users 
        of the application.

SEC. 9. EFFECTIVE DATE.

    This Act shall apply with respect to any collection, use, storage, 
or sharing of personal data or de-identified data that occurs after the 
date that is 30 days after the promulgation of final regulations under 
section 4.