APPS Act (H.R. 6547) – December 2018
The APPS Act would require mobile apps to get specific permission before collecting and using consumer data, and to delete consumer data upon request. Although the Act provides for helpful “safe harbors” that can guide companies’ data collection, its definitions are vague and required consent processes are clumsy. Also, the Act does not recognize compelling reasons for a business to retain consumer data after a “deletion” request – such as legal, accounting, billing, and security needs. The best that can be said for the APPS Act is that so long as the FTC cautiously exercises its rule-making authority, the Act probably won’t do major damage beyond adding confusion and paperwork.
The APPS Act would obligate mobile apps to (1) obtain permission from consumers before collecting and using data, and (2) delete consumers’ data upon their request. These obligations seem straightforward and reasonable, but as directed would actually be impractical and perhaps harmful to commerce and data security. Additionally, key definitions in the Act are unclear and thereby can cause confusion or dispute.
- The Act requires all mobile applications, prior to collecting consumer data, to obtain users’ specific permission with regard to the use and storage of the data. This replaces the current situation in which consumers receive notice of these practices, but do not need to agree to a contract. By requiring consumer agreement instead of a simple notice, the Act may result in apps incorporating several contractual terms (e.g., jurisdiction and venue) that would otherwise be unnecessary, and provides opportunities to include arbitration and other provisions that some may dislike.
- The Act requires apps to delete certain information when consumers request but does not exempt from deletion data that should be maintained for legal, billing, auditing, or security purposes. The Act also does not recognize that data “deletion” is a term of art, and that often data is masked so that it is generally inaccessible but it may remain accessible, e.g., to law enforcement and hackers.
- The Act helpfully excludes “de-identified information” from the definition of protected “personal information,” but otherwise it delegates this important definition to the Federal Trade Commission.
- The Act authorizes “safe harbors” which can be very helpful, but it provides only a narrow process for recognition of safe harbors which substantially reduces their value.
Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 4/10]
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 2/10]
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 6/10]
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 10/10]
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 7/10]
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 10/10]
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 4/10]
International Commerce: International commerce and cooperation should not be inhibited. [Score: 1/10]
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 6/10]
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 7/10]
“9-10” means the legislation thoughtfully accounts for the concern.
“7-8” means that, with adjustments, it can likely account for the concern.
“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4” means that it causes confusion or concern, but not in as widespread a manner as a “1” rating.
“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.