DATA PROTECTION POLICY ANALYSIS
APPS Act (H.R. 6547)
Date: December 2018
The APPS Act would require mobile apps to get specific permission before collecting and using consumer data, and to delete consumer data upon request. Although the Act provides for helpful “safe harbors” that can guide companies’ data collection, its definitions are vague and required consent processes are clumsy. Also, the Act does not recognize compelling reasons for a business to retain consumer data after a “deletion” request – such as legal, accounting, billing, and security needs. The best that can be said for the APPS Act is that so long as the FTC cautiously exercises its rule-making authority, the Act probably won’t do major damage beyond adding confusion and paperwork.
The APPS Act would obligate mobile apps to (1) obtain permission from consumers before collecting and using data, and (2) delete consumers’ data upon their request. These obligations seem straightforward and reasonable, but as directed would actually be impractical and perhaps harmful to commerce and data security. Additionally, key definitions in the Act are unclear and thereby can cause confusion or dispute.
- The Act requires all mobile applications, prior to collecting consumer data, to obtain users’ specific permission with regard to the use and storage of the data. This replaces the current situation in which consumers receive notice of these practices, but do not need to agree to a contract. By requiring consumer agreement instead of a simple notice, the Act may result in apps incorporating several contractual terms (e.g., jurisdiction and venue) that would otherwise be unnecessary, and provides opportunities to include arbitration and other provisions that some my dislike.
- The Act requires apps to delete certain information when consumers request but does not exempt from deletion data that should be maintained for legal, billing, auditing, or security purposes. The Act also does not recognize that data “deletion” is a term of art, and that often data is masked so that it is generally inaccessible but it may remain accessible, e.g., to law enforcement and hackers.
- The Act helpfully excludes “de-identified information” from the definition of protected “personal information,” but otherwise it delegates this important definition to the Federal Trade Commission.
- The Act authorizes “safe harbors” which can be very helpful, but it provides only a narrow process for recognition of safe harbors which substantially reduces their value.
CLEAR TERMS: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 4/10]
The most important definition – “personal information” – is delegated to FTC regulation so its clarity will be unknown for a year or longer after enactment. Additionally, key definitions, like when data is “deidentified” and thus not covered, are unclear.
SPECIFIC HARMS: Legislation should focus on specific harms and outcomes. [Score: 2/10]
The legislation seeks to avoid the generalized harm of “consumer deception” by mandating that consumers know and agree to how their data is used. It does not focus on specific harms, e.g., regarding sensitive data.
HELPFUL PROCESSES: Required processes and notices should be clearly defined and helpful. [Score: 6/10]
The process of gaining approval for Terms of Service is clear, but it is questionable whether this approval requirement is any more helpful then the existing notice requirement.
NOT RETROACTIVE: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 10/10]
The Act does not apply retroactively.
NOT HARMFUL: Legislation should not inhibit beneficial data models and uses. [Score: 7/10]
The Act does not directly inhibit beneficial data models and uses, but the data deletion requirement has no exceptions, so it may inhibit app publishers’ ability to use data that otherwise would be retained for fraud detection or data security.
FREE SPEECH: Legislation should not inhibit freedom of expression or government transparency. [Score: 10/10]
No; it does not inhibit freedom of expression or government transparency.
SIMPLE CONSENTS: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 4/10]
Because the Act relies on explicit consent, lawyers will prepare lengthy, detailed consent interfaces wrapped inside Terms and Conditions. The likely effect is annoying “consent fatigue” and consumers not reading the Terms and Conditions – so consumer clarity will not improve.
INTERNATIONAL COMMERCE: International commerce and cooperation should not be inhibited. [Score: 1/10]
The Act conflicts with international law, by imposing a “consent” requirement that is not imposed by other countries. It also inhibits global uniformity by requiring a system of individual contracts – rather than building on the uniform platform controls that, e.g., Google and Apple already provide.
FAIR ENFORCEMENT: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 6/10]
The enforcement provisions are not unfair, but it remains uncertain whether they will be applied unfairly because the most important provisions of the Act – defining “personal” information and “safe harbors” – are delegated to the FTC and will be unknown for a year or longer after enactment.
SMALL ENTERPRISES: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 7/10]
Because the APPS Act requires explicit (and apparently very specific) consent to collect and process data, it is likely that (a) startups and small companies will have proportionately higher legal costs than larger competitors, and (b) consumers will be less likely to give consent to startups and small companies. Larger companies will benefit and smaller companies will find it more difficult to compete.
means the legislation thoughtfully accounts for the concern.
means that, with adjustments, it can likely account for the concern.
means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
means that causes confusion or concern, but not in as widespread a manner as a “1” rating.
means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.