According to Rep. Hank Johnson (D-GA-04), consumers lack "basic rights about how much basic data is being collected on" mobile devices and require new legal protections. That is why he introduced the Application Privacy, Protection and Security (APPS) Act (H.R. 1913) in Congress on May 9. His legislation will matter to the survey, opinion and marketing research profession, whether as app developers, app partners, or as users of data collected via mobile devices.
The APPS Act, which would require significant transparency and data minimization, hasn't changed dramatically from the draft APPS Act that Rep. Johnson had been circulating, which the Marketing Research Association (MRA) analyzed for our members in January.
MRA appreciates that the APPS Act is relatively circumspect, focused primarily on notice and consumer opt opt for data collection in mobile apps. It provides some welcome flexibility in the deidentification process, given that it is hard to provide consumer control over de-identified data. We're also particularly pleased to see a safe harbor in the APPS Act for entities that adhere to a voluntary code of conduct developed through the National Information and Technology Administration (NTIA) multistakeholder process for mobile apps privacy. However, we still have some serious concerns with Rep. Johnson's bill.
MRA worries about fully empowering the Federal Trade Commission (FTC) to define what the term "personal data" means, since (as demonstrated during our successful amendment to the SAFE Data Act in July 2011) the FTC thinks that almost any piece of information could be personally identifiable. The APPS Act would define "de-identified data" as "data from which particular individuals cannot be identified," and that would be the only kind of data excluded from the definition of "personal data."
The FTC would also be the entity to decide what "de-identified data" means. As MRA explained at length in our comments on the FTC's case against marketing research firm Compete, there is already a vigorous (and far from settled) debate in academic and technology circles on de-identification.
Even the requirement that the mobile app transparency notice include a data retention policy could be problematic for survey, opinion and marketing research since, as we showed in the SAFE Data Act debate in 2011 over data minimization, the research needs in data retention can be difficult to predict.
More broadly, we are also wary of moving legislation impacting the mobile space before the NTIA multistakeholder process can coalesce around a workable code of conduct for mobile apps privacy. While we applaud Rep. Johnson for including a specific safe harbor for entities that adhere to such a code -- something that the FTC has already flatly rejected during multistakeholder process meetings -- it is hard to embrace legislation in relation to an unfinished and still somewhat uncertain code. We are optimistic about results from the multistakeholder process, but it is not over yet. We continue to urge policymakers to patiently await a conclusion, and to perhaps even see how the resulting code works or does not work for consumers, before they leap into writing new statutes or regulations.