Bill would put mobile app vendors on the hook for privacy

App developers would be required to notify and get consent from consumers before collecting their data

The mobile industry's efforts to convince lawmakers that self-regulation alone is the best way to address growing concerns over privacy-invading mobile applications appear to be running into some headwind.

On Thursday, Congressman Hank Johnson (D-GA) introduced new legislation that would require mobile application developers to provide clear notice to consumers and get their consent before collecting personal data from mobile devices.

Johnson's bill, the Application Privacy, Protection and Security (APPS) Act of 2013 (H.R. 1913), would force mobile application developers to disclose what data they collect and how they will use, share and store that data. They would be required to disclose the specific categories of data they collect and the third parties with whom they share the data.

Mobile application developers would need to have a clearly spelled out privacy and data retention policy that notifies the consumer how long data is stored and the choices they have for deleting or opting out of such collection. Under Johnson's proposal, the Federal Trade Commission (FTC) would be responsible for enforcing the provisions of the bill.

The proposed bill is another sign of the growing concern among lawmakers and others in Washington and elsewhere over the data collection practices of mobile application software vendors and providers of mobile services.

California has been one of the most aggressive states in this regard. Last year the state's Attorney General, Kamala Harris, struck an agreement with several leading companies including Facebook and Google to make their privacy policies more transparent to consumers of their mobile applications.

In October, she sent notices to 100 mobile application developers warning them of their non-compliance with California privacy laws and urging them to notify customers of their data collection practices within 30 days. In December, Harris sued Delta Airlines for failing to include a privacy policy in one of its mobile applications.

In March 2012, a total of 18 companies including Facebook, Apple, Twitter and Yelp were sued in Texas for allegedly distributing privacy-invading mobile applications.

The mobile industry itself has tried to address such concerns via a multi-stakeholder initiative led by the National Telecommunications and Information Administration (NTIA). Under the effort, industry stakeholders, rights groups and Internet marketers are working to develop a mutually acceptable privacy code of conduct for the mobile industry.

The industry has tried to argue that such self-regulation is a far better option than new mobile privacy laws pushed down by Congress.

Johnson's bill suggests that some lawmakers are either not entirely convinced that is the best approach, or want to push those efforts along.

"What's happened for the most part over the past few years is that people have become more aware of the [mobile] privacy issue," said John Simpson of Consumer Watchdog, a privacy advocacy group. California AG Harris' insistence that mobile applications have a privacy policy and then the state's lawsuit against Delta were both significant, he said.

"[Johnson's bill] serves a useful function by focusing attention on the issue and it can help drive self-regulatory efforts," Simpson said. "If Rep. Johnson's bill is passed, it would be a significant step forward."

Consumers of mobile apps expect application developers and platforms to follow fair information practices when handling their personal data, said David Jacobs, consumer protection counsel at the Electronic Privacy Information Center (EPIC).

More than half the respondents in a recent survey by the Pew Research Center said they had avoided installing a mobile application after discovering the amount of information it collected. Another 30% said they had uninstalled applications after learning about the privacy policies associated with that application, Jacobs said. "Yet the mobile app marketplace currently suffers from inadequacies of transparency and control," he said.

"The Apps Act of 2013 contains several provisions that will advance transparency in mobile apps," he said. While it doesn't provide a full set of fair information practices for users, the bill should help ensure better data handling by mobile application vendors, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
