[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 4869 Introduced in Senate (IS)]

<DOC>






116th CONGRESS
  2d Session
                                S. 4869

To require software marketplace operators and owners of covered foreign 
 software to provide consumers with a warning prior to the download of 
 such software, to establish consumer data protections, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

             October 26 (legislative day, October 19), 2020

   Mr. Rubio introduced the following bill; which was read twice and 
   referred to the Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
To require software marketplace operators and owners of covered foreign 
 software to provide consumers with a warning prior to the download of 
 such software, to establish consumer data protections, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Adversarial Platform Prevention Act 
of 2020'' or the ``APP Act''.

SEC. 2. CONSUMER PROTECTIONS REGARDING COVERED FOREIGN SOFTWARE.

    (a) Consumer Warning and Acknowledgment for Download of Covered 
Foreign Software.--
            (1) In general.--A software marketplace operator or an 
        owner of covered foreign software may not:
                    (A) Permit a consumer to download covered foreign 
                software unless, before the download begins--
                            (i) a warning that meets the requirements 
                        of paragraph (2) is displayed to the consumer, 
                        separately from any privacy policy, terms of 
                        service, or other notice; and
                            (ii) the consumer is required to choose (by 
                        taking an affirmative step such as clicking on 
                        a button) between the options of--
                                    (I) acknowledging such warning and 
                                proceeding with the download; or
                                    (II) cancelling the download.
                    (B) Make available covered foreign software for 
                download by consumers unless the operator or owner has 
                in place procedures to ensure compliance with 
                subparagraph (A).
            (2) Requirements for warning.--The requirements of this 
        paragraph are, with respect to a warning regarding covered 
        foreign software--
                    (A) that the warning include--
                            (i) the name of the covered foreign 
                        software;
                            (ii) the name of each owner of the covered 
                        foreign software, and, if applicable with 
                        respect to each such owner, the name of the 
                        covered country--
                                    (I) under the laws of which such 
                                owner is organized;
                                    (II) in which such owner conducts 
                                its principal operations; or
                                    (III) in which such owner is 
                                headquartered;
                            (iii) the name of each controlling entity 
                        of the owner of the covered foreign software, 
                        and if applicable with respect to each such 
                        controlling entity, the name of the covered 
                        country--
                                    (I) under the laws of which such 
                                entity is organized;
                                    (II) in which such entity conducts 
                                its principal operations; or
                                    (III) in which such entity is 
                                headquartered;
                            (iv) any enumerated risk to data privacy 
                        and security or the censorship of speech 
                        associated with the laws and practices of a 
                        covered country disclosed under this 
                        subparagraph;
                            (v) whether the owner of a covered foreign 
                        software, or any controlling entity of such 
                        owner, has ever provided the data of United 
                        States consumers, as it relates to such 
                        software, to any law enforcement agency, 
                        intelligence agency, or other government entity 
                        of a covered country; and
                            (vi) a description of how to acknowledge 
                        the warning and either proceed with or cancel 
                        the download;
                    (B) that the warning be updated annually; and
                    (C) such other requirements as the Commission, in 
                consultation with the Attorney General of the United 
                States, shall determine.
            (3) Liability of software owner.--If a software marketplace 
        operator permits a consumer to download covered foreign 
        software or makes covered foreign software available for 
        download in violation of paragraph (1), the operator shall not 
        be liable for a violation of such paragraph if the operator 
        reasonably relied on inaccurate information from the owner of 
        the covered foreign software in determining that the software 
        was not covered foreign software, and the owner of the covered 
        foreign software shall be considered to have committed the 
        violation of such paragraph.
    (b) Consumer Data Protections.--
            (1) Consumer data privacy practices.--
                    (A) Consumer data report.--Not later than 30 days 
                after the date of enactment of this Act (or in the case 
                of covered foreign software that is created after such 
                date or software that becomes covered foreign software 
                after such date, 60 days after the date that such 
                software is created or becomes covered foreign 
                software), and annually thereafter, an owner of covered 
                foreign software shall submit to the Commission and the 
                Attorney General of the United States a report that 
                includes a complete description of any consumer data 
                privacy practice of the owner as it relates to the data 
                of United States consumers, including--
                            (i) the type of data of United States 
                        consumers being accessed;
                            (ii) a description of how such data is used 
                        by the owner;
                            (iii) a description of any consumer data 
                        protection measure in place that protects the 
                        rights and interests of United States 
                        consumers;
                            (iv) information regarding--
                                    (I) the number of requests from a 
                                law enforcement agency, intelligence 
                                agency, or other government entity of a 
                                covered country to disclose the 
                                consumer data of a person in the United 
                                States; and
                                    (II) a description of how such 
                                requests were handled; and
                            (v) a description of any internal content 
                        moderation practice of the owner as it relates 
                        to the data of consumers in the United States, 
                        including any such practice that also relates 
                        to consumers in another country.
                    (B) Public accessibility.--Notwithstanding any 
                other provision of law, not later than 60 days after 
                the receipt of a report under subparagraph (A), the 
                Attorney General of the United States shall publish the 
                information contained in such report (except for any 
                confidential material) in a publicly accessible manner.
            (2) Consumer data disclosure practices.--
                    (A) Effect of disclosure and censorship.--An owner 
                of covered foreign software may not collect or store 
                data of United States consumers, as it relates to such 
                covered foreign software, if such owner complies with 
                any request from a law enforcement agency, intelligence 
                agency, or other government entity of a covered 
                country--
                            (i) to disclose the consumer data of a 
                        person in the United States; or
                            (ii) to censor the online activity of a 
                        person in the United States.
                    (B) Report to federal trade commission and attorney 
                general of the united states.--Not later than 14 days 
                after receiving a request described in subparagraph 
                (A), an owner of covered foreign software shall submit 
                to the Commission and the Attorney General of the 
                United States a report that includes a description of 
                such request.
                    (C) Access to consumer data in subsidiaries.--Not 
                later than 1 year after the date of enactment of this 
                Act, the Commission, in consultation with the Attorney 
                General of the United States, shall issue regulations 
                to require an owner of covered foreign software to 
                implement consumer data protection measures to ensure 
                that any parent company in a covered country may not 
                access the consumer data collected and stored, or 
                otherwise held, by a subsidiary entity of such parent 
                company in a country that is not a covered country.
            (3) Prohibitions on storage, use, and sharing of consumer 
        data.--
                    (A) Use, transfer, and storage of consumer data.--
                With respect to the consumer data of any person in the 
                United States, an owner of covered foreign software may 
                not--
                            (i) use such data in a covered country;
                            (ii) transfer such data to a covered 
                        country; or
                            (iii) store such data outside of the United 
                        States.
                    (B) Sharing of consumer data.--An owner of covered 
                foreign software may not share with, sell to, or 
                otherwise disclose to any other commercial entity the 
                consumer data of any person in the United States.
            (4) Censorship remedy.--In the case where an owner of 
        covered foreign software censors the online activity of a 
        person in the United States, such owner shall provide any 
        affected user with a means to appeal such censorship.
    (c) Nonapplication of Communications Decency Act Protections.--
Notwithstanding section 230 of the Communications Act of 1934 (47 
U.S.C. 230) (commonly known as the ``Communications Decency Act''), an 
owner of a covered foreign software shall not be considered a provider 
of an interactive computer service for purposes of subsection (c) of 
such section with respect to such covered foreign software.
    (d) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this section or a regulation promulgated under this section 
        shall be treated as a violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of commission.--
                    (A) In general.--The Commission shall enforce this 
                section and the regulations promulgated under the 
                section in the same manner, by the same means, and with 
                the same jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this Act. Any person who 
                violates this section or a regulation promulgated under 
                this section shall be subject to the penalties and 
                entitled to the privileges and immunities provided in 
                the Federal Trade Commission Act.
                    (B) Additional relief.--In addition to the 
                penalties provided in the Federal Trade Commission Act 
                (15 U.S.C. 41 et seq.), if a court or the Commission 
                (in a formal adjudicative proceeding) determines that 
                an owner of covered foreign software violated this 
                section or a regulation promulgated under this section, 
                the court or the Commission shall prohibit the owner 
                from making such software available for sale or 
                download in the United States.
            (3) Regulations.--The Commission may promulgate regulations 
        under section 553 of title 5, United States Code, to carry out 
        this section.
            (4) Savings clause.--Nothing in this section shall be 
        construed to limit the authority of the Commission under any 
        other provision of law.
    (e) Criminal Offense.--
            (1) In general.--A software marketplace operator or an 
        owner of covered foreign software that knowingly violates 
        subsection (a) or (b) shall be fined $50,000 for each 
        violation.
            (2) Clarifications.--
                    (A) Separate violation.--For purposes of paragraph 
                (1), each download by a consumer of a covered foreign 
                software that does not meet the requirements of 
                subparagraph (A) of subsection (a)(1) or is made 
                available in violation of subparagraph (B) of such 
                subsection shall be treated as a separate violation.
                    (B) Individual offense.--An officer of a software 
                marketplace operator or of an owner of covered foreign 
                software who knowingly causes a violation of subsection 
                (a)(1) with the intent to conceal the fact that the 
                software is covered foreign software shall be fined 
                under title 18, United States Code.
            (3) Referral of evidence by ftc.--Whenever the Commission 
        obtains evidence that a software marketplace operator or owner 
        of covered foreign software has engaged in conduct that may 
        constitute a violation of subsection (a) or (b), the Commission 
        shall transmit such evidence to the Attorney General of the 
        United States, who may institute criminal proceedings under 
        this subsection. Nothing in this paragraph affects any other 
        authority of the Commission to disclose information.
    (f) Report to Congress.--Not later than 1 year after the date of 
the enactment of this Act, the Commission, in consultation with the 
Attorney General of the United States, shall submit to Congress a 
report on the implementation and enforcement of this section.
    (g) Expansion of Covered Transactions Under the DPA.--Section 
721(a)(4)(B)(iii)(III) of the Defense Production Act of 1950 (50 U.S.C. 
4565(a)(4)(B)(iii)(III)) is amended by inserting ``or commercially 
available'' after ``sensitive''.
    (h) Express Preemption of State Law.--This Act shall supersede any 
provision of a law, regulation, or other requirement of any State or 
political subdivision of a State to the extent that such provision 
relates to the privacy or security of consumer data or the downloading 
of covered foreign software.
    (i) Definitions.--In this section:
            (1) Censor.--
                    (A) In general.--The term ``censor'', with respect 
                to the online activity of a person in the United 
                States, means--
                            (i) to alter, delete, remove, or otherwise 
                        make inaccessible user information without the 
                        consent of such user; or
                            (ii) to alter, delete, remove, deny, 
                        prevent, or otherwise prohibit user activity 
                        without the consent of such user.
                    (B) Exception.--Such term shall not include any 
                action by an owner of covered foreign software that is 
                taken for the purpose of restricting access to, or 
                availability of, material that the owner considers to 
                be obscene, lewd, lascivious, filthy, excessively 
                violent, harassing, or otherwise objectionable, whether 
                or not such material is constitutionally protected.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Covered country.--
                    (A) In general.--Subject to subparagraph (B), the 
                term ``covered country'' means--
                            (i) China, Russia, North Korea, Iran, 
                        Syria, Sudan, Venezuela, or Cuba;
                            (ii) any other country the government of 
                        which the Secretary of State determines has 
                        provided support for international terrorism 
                        pursuant to--
                                    (I) section 1754(c)(1)(A) of the 
                                Export Control Reform Act of 2018 (50 
                                U.S.C. 4318(c)(1)(A));
                                    (II) section 620A of the Foreign 
                                Assistance Act of 1961 (22 U.S.C. 
                                2371);
                                    (III) section 40 of the Arms Export 
                                Control Act (22 U.S.C. 2780); or
                                    (IV) any other provision of law; 
                                and
                            (iii) any other country designated by the 
                        Attorney General of the United States based on 
                        findings that such country's control over 
                        potentially dangerous software poses an undue 
                        or unnecessary risk to the national security of 
                        the United States or to the safety and security 
                        of United States persons.
                    (B) Process.--
                            (i) Advance notice to congress.--The 
                        Attorney General of the United States shall not 
                        designate a country under subparagraph (A)(iii) 
                        (or revoke such a designation under clause 
                        (iii)) unless the Attorney General of the 
                        United States--
                                    (I) provides not less than 30 days 
                                notice prior to making such designation 
                                or revocation to--
                                            (aa) the Committee on 
                                        Energy and Commerce of the 
                                        House of Representatives;
                                            (bb) the Permanent Select 
                                        Committee on Intelligence of 
                                        the House of Representatives;
                                            (cc) the Committee on 
                                        Commerce, Science, and 
                                        Transportation of the Senate; 
                                        and
                                            (dd) the Select Committee 
                                        on Intelligence of the Senate; 
                                        and
                                    (II) upon request, provides an in-
                                person briefing to each such Committee 
                                during the 30-day notice period.
                            (ii) Notice and publication of 
                        designation.--Upon designating a country under 
                        subparagraph (A)(iii), the Attorney General of 
                        the United States shall transmit a notification 
                        of the designation to the Commission, and shall 
                        publish such notification. Such designation 
                        shall become effective on the day that is 60 
                        days after the date on which such notification 
                        is transmitted and published.
                            (iii) Revocation of designation.--The 
                        designation of a country under subparagraph (A) 
                        may only be revoked by the Attorney General of 
                        the United States.
            (4) Covered foreign software.--
                    (A) In general.--The term ``covered foreign 
                software'' means any of the following:
                            (i) Software that is owned or directly or 
                        indirectly controlled by a person described in 
                        subparagraph (B).
                            (ii) Software that stores data of United 
                        States consumers in a covered country.
                    (B) Persons described.--A person described in this 
                subparagraph is--
                            (i) a person (other than an individual)--
                                    (I) that is organized under the 
                                laws of a covered country;
                                    (II) the principal operations of 
                                which are conducted in a covered 
                                country; or
                                    (III) that is headquartered in a 
                                covered country; or
                            (ii) a person (other than an individual) 
                        that is, directly or indirectly, controlled by 
                        a person described in clause (i).
            (5) Mobile application.--The term ``mobile application'' 
        means a software program that runs on the operating system of a 
        smartphone, tablet computer, or similar mobile electronic 
        device.
            (6) Software.--The term ``software'' means any computer 
        software program, including a mobile application.
            (7) Software marketplace operator.--The term ``software 
        marketplace operator'' means a person who, for a commercial 
        purpose, operates an online store or marketplace through which 
        software is made available for download by consumers in the 
        United States.
                                 <all>