Resource ID: 4-616-2225
Mobile Device and Applications Key Laws Chart
CHARLES R. MACEDO AND RICHARD P. ZEMSKY, AMSTER, ROTHSTEIN & EBENSTEIN LLP WITH PRACTICAL LAW INTELLECTUAL PROPERTY & TECHNOLOGY
Search the Resource ID numbers in blue on Practical Law for more. A chart listing key statutes and regulations that This Chart provides a high-level overview of key statutes that mobile app developers, operators, and other stakeholders, including apply to mobile devices and mobile applications businesses that use mobile devices, should consider when assessing (apps). It provides an overview of the their legal compliance obligations. This Chart does not address every law that may apply to mobile devices or apps or industry standards circumstances that trigger application of each or guidance. statute or regulation as well as key requirements and restrictions.
Statute or Regulation Covered Entities and Information Events that Trigger Consideration Key Requirements or Restrictions
Generally Applicable Laws
Federal Trade Entities whose business affects The FTC Act applies broadly to Developers and operators may not Commission Act commerce, except regulated mobile apps and devices to protect engage in deceptive marketing or (FTC Act) financial institutions and common consumers and also applies to other anti-consumer practices and (15 U.S.C §§ 41-58) carriers. The FTC Act prohibits a variety of practices that may must adopt reasonable privacy unfair trade practices, which implicate unfair trade practices and practices (see Practice Notes, FTC the Federal Trade Commission privacy concerns. The FTC provides Consumer Protection Investigations (FTC) and courts have broadly guidance for developers covering and Enforcement (4-549-3090) and interpreted to include consumer a wide range of topics including US Privacy and Data Security Law: privacy concerns. truth-in-advertising, data security, Overview (6-501-4555)). and consumer privacy. Similar state unfair practices laws, known as State Mini-FTC Acts, For a directory of the FTC’s mobile also apply to mobile devices and guidance, including information on apps. enforcement actions, see the FTC’s Mobile Technology Issues page.
Sarbanes-Oxley (SOX) Public companies and accounting Accessing or transmitting corporate Covered entities must implement (Pub. L. 107–204) firms and their confidential data from a mobile device or storing effective internal controls over mobile business information. corporate data on a mobile device. devices to protect corporate data.
© 2016 Thomson Reuters. All rights reserved. Mobile Device and Applications Key Laws Chart
Statute or Regulation Covered Entities and Information Events that Trigger Consideration Key Requirements or Restrictions
Electronic All persons and communications Receiving, accessing, or storing wire, Wiretap Act. Prohibits intercepting Communications Privacy when electronic or mechanical oral, or electronic communications communications while in transit Act (ECPA) devices are involved in either or records of consumer video viewing using a mobile device and prohibits (Pub. L. 99–508) transmitting or intercepting them. or rental activity, or when a party using or disclosing the contents accesses such information stored on of any communication obtained (As codified, key sections The VPPA applies to information a device. illegally. that identifies a person as having include the Wiretap Act Stored Communications Act. (18 U.S.C. §§ 2510-2522) requested or obtained specific video materials or services. Prohibits knowingly disclosing Stored Communications communications by certain parties Act (18 U.S.C. and prohibits unauthorized access §§ 2701-2709); and to a system used to transmit wire or electronic communications and Video Privacy Protection through that unauthorized access, Act (VPPA) obtaining, altering, or preventing (18 U.S.C. § 2710)) another’s authorized access to a wire or electronic communication stored on the system. Video Privacy Protection Act. Prohibits disclosure of video viewing or rental activity records.
Computer Fraud and All persons and all information Accessing or damaging a mobile Prohibits: Abuse Act (CFAA) stored on protected computers, device or engaging in password The unauthorized access of: (18 U.S.C. § 1030) which includes mobile devices. trafficking or extortion relating to a protected computer. zzdevices to obtain certain types of prohibited information; zza protected computer used by or for the federal government or a financial institution, or used in interstate or foreign commerce or communication. Knowingly trafficking in device passwords and extortion involving a threat to damage a protected computer.
Content Restriction Laws
Digital Millennium Requires internet service providers Whenever app users can upload Service providers must provide a Copyright Act (DMCA) to provide mechanisms for content content into or by way of a mobile mechanism for content owners to (Pub. L. 105-304) owners to object to the posting of app. submit a notice of objection and their copyrighted material on the must have procedures in place to internet. take down content after a verified objection (see Practice Note, Digital Millennium Copyright Act (DMCA): Safe Harbors for Online Service Providers (1-518-6907)). For a form of DMCA takedown notice, see Standard Document, DMCA Complaint (Takedown Notice) (3-502-6258).
2 © 2016 Thomson Reuters. All rights reserved. Mobile Device and Applications Key Laws Chart
Statute or Regulation Covered Entities and Information Events that Trigger Consideration Key Requirements or Restrictions
Communications Internet service providers. Knowingly distributing obscene Covered parties must provide notice Decency Act (CDA) Regulates the transmission of material. to recipients of the option to block (Pub. L. 104-104) obscene and defamatory content. obscene material. The statute prevents service providers and users from being treated as the publisher or speaker of information provided by another information content provider.
Laws that Apply to Financial Information
Restore Online Merchants that obtain financial Employing negative option Requirements include: Shoppers’ Confidence information through processing marketing on the internet or A merchant may not disclose Act (ROSCA) online transactions. facilitating third-party post- customer billing information to (Pub. L. 111-345) transaction sales. any third-party seller for use in an internet-based sale from that third-party seller. Before attempting to charge a customer through a negative option feature, the seller must: zzclearly disclose all material terms of the transaction before obtaining billing information; zzobtain the customer’s express informed consent before charging the customer; and zzprovide mechanisms for the customer to stop recurring charges.
Gramm-Leach-Bliley Act Financial institutions (broadly Disclosing NPI about a consumer The Financial Privacy Rule. The (GLBA) defined to include virtually any to a nonaffiliated third party. The covered entity must provide notice (Pub. L. 106-102) entity that provides consumer Financial Privacy Rule covers the of its privacy policies and practices financial products or services) use, collection and disclosure of NPI. initially and on an annual basis and that hold non-public personally The Safeguards Rule covers security allow the consumer to opt out of the identifiable information (NPI). measures financial institutions must disclosure of consumer information. Service providers to financial take to protect NPI. The Safeguards Rule. The covered institutions also have compliance entity must implement appropriate obligations. administrative, technical, and physical safeguards to protect NPI, including, for example: zzimplementing a written information security program; zzappointing a person to be in charge of security of NPI; and zzconducting a risk assessment. zz(See Practice Note, GLBA: The Financial Privacy and Safeguards Rules (4-578-2212).)
© 2016 Thomson Reuters. All rights reserved. 3 Mobile Device and Applications Key Laws Chart
Statute or Regulation Covered Entities and Information Events that Trigger Consideration Key Requirements or Restrictions
Laws that Apply to Health or Medical Information
Health Insurance HIPAA covered entities, which are: Collecting, creating, using, storing, Covered entities and their BAs must Portability and Health plans. maintaining, or transmitting implement appropriate administrative, Accountability Act PHI. The HIPAA Privacy Rule technical, and physical safeguards to of 1996 (HIPAA) and Health care clearinghouses. governs the privacy of PHI, and protect PHI. Health care providers. Health Information in the HIPAA Security Rule imposes Privacy Rule. Requirements Technology for Economic Covered entities’ business obligations specific to the security include: and Clinical Health Act associates (BAs), for example of electronic PHI. zznotifying individuals about their (HITECH) service providers, must also privacy rights and how their (Pub. L. 104-191 and Pub. comply with HIPAA. HIPAA information can be used; L. 111–5) applies to protected health information (PHI), which zzadopting and implementing generally includes health and privacy procedures; medical information. zzdesignating a privacy officer; and zzsecuring PHI. Security Rule. Requirements include: zzensuring that workforce complies with the Security Rule; and zzprotecting against reasonably anticipated threats or hazards to the security or integrity of ePHI or uses or disclosures of ePHI that are not permitted or required. (See Practice Notes: zzHIPAA Enforcement: Penalties and Investigations (2-519-1055). zzHIPAA Privacy Rule (4-501-7220). zzHIPAA Security Rule (5-502-1269). zzHIPAA Privacy and Security: Individual Rights (5-523-7518). zzHIPAA Breach Notification Rules (1-532-2085).)
Food and Drug Health and medical information A mobile app that is used as an Apps may be required to obtain FDA Administration Act maintained by mobile apps that accessory to a medical device or as approval under a risk-based approach (Mobile Medical meet the definition of a medical medical device software. in certain circumstances (see the FDA’s Applications) device and all entities other than Mobile Medical Applications: Guidance those that are HIPAA-regulated. for Industry and Food and Drug Administration Staff and the FTC’s Mobile Health Apps Interactive Tool, produced in cooperation with the FDA and other federal agencies.)
FTC’s Health Breach Vendors of personal health records An unauthorized acquisition of Covered party must notify: Notification Rule (PHR), which are electronic records unsecured individually identifiable Each affected person who is a (16 C.F.R. §§ 318.1-318.9) of identifiable health information PHR information. US citizen or resident. on an individual that can be drawn from multiple sources and that are The FTC. managed, shared and controlled The media, if the breach affects at by or primarily for the individual. least 500 residents of a particular The rule covers vendors’ service state or US territory. providers but does not apply to (See the FTC’s Complying with the HIPAA covered entities. FTC’s Health Breach Notification Rule.)
4 © 2016 Thomson Reuters. All rights reserved. Mobile Device and Applications Key Laws Chart
Statute or Regulation Covered Entities and Information Events that Trigger Consideration Key Requirements or Restrictions
Laws that Apply to Commercial Messages
Controlling the Assault Commercial emails and anyone Sending a commercial email Prohibits the transmission of of Non-Solicited who sends them. message. commercial emails that contain Pornography and false or misleading transmission Marketing Act (CAN- information or deceptive subject SPAM Act) headings. (15 U.S.C. §§ 7701-13) Commercial emails must include: zzthat the message is an advertisement or solicitation; zzan unsubscribe mechanism; and zzthe sender’s physical postal address. Includes restrictions on initiations of commercial emails containing sexually oriented material. Prohibits the sending of commercial messages to certain email addresses provided by wireless carriers specifically for mobile messaging services. (See Practice Note, CAN-SPAM Act Compliance (0-503-5278).)
Telephone Consumer Subject to certain exceptions, to Sending a commercial message that Requires prior express written consent Protection Act (TCPA) any person or entity that initiates will be received on a mobile device. of person being called (see Practice (47 U.S.C. § 227 and a call: Note, TCPA Litigation: Key Issues and regulations at 47 C.F.R. Using an automated telephone Considerations (4-613-7306)). § 64.1200(a)) dialing system or artificial or prerecorded voice. For advertising or marketing purposes.
Laws that Apply to Information of Minors and Students
Children’s Online Privacy Website and online service Collecting personal information from Must make available a privacy policy Protection Act (COPPA) operators, including mobile app children under age 13. that identifies how the collected (15 U.S.C. §§ 6501-6506) operators that operate child- information is used. directed services or have reason Obtain verifiable parental consent. to know that children use their services. Provide parents: zzthe ability to review and change their children’s personal information; zzprevent its further use; and zzrequire its deletion. zz(See Practice Note, Children’s Online Privacy: COPPA Compliance (1-555-6526), Children’s Online Privacy Protection Act (COPPA) Compliance Checklist (0-528-7426), and Standard Document, Children’s (COPPA) Privacy Policy Notice (8-551-3350).)
© 2016 Thomson Reuters. All rights reserved. 5 Mobile Device and Applications Key Laws Chart
Statute or Regulation Covered Entities and Information Events that Trigger Consideration Key Requirements or Restrictions
Other Privacy and Security Laws
The California Online Operators of commercial websites Collecting California residents’ PII. Requires: Privacy and Protection and online services that collect Conspicuous posting of privacy Act (CalOPPA) California residents’ PII, including policies. any identifier that permits the (Cal. Bus & Prof. Code Disclosures regarding how the §§ 22575-22579) online or physical contacting of a specific individual, through a operator responds to do-not-track website or mobile app. signals and third-party access to PII. (See California Privacy and Data Other similar state laws may also Security Laws: Overview: Online and apply to mobile devices and apps. Mobile Privacy (6-597-4106).)
State Data Breach Those doing business within the Collecting, storing, maintaining, or Data breach laws. Require notice to Notification, Data state that collect or otherwise have transmitting PII. consumers, entities on whose behalf Security and Records in their possession, PII. PII varies a breached entity holds PII, and Disposal Statutes by state, but typically consists of sometimes regulators, in the event an individual’s name plus one or of an incident that compromises more data elements, such as: the security or confidentiality of Social Security number. PII (see Practice Note, Breach Notification (3-501-1474) and Data Driver’s license or state Breach Notification Laws: State identification number. Q&A Tool (3-578-0925)). Financial account information Data security laws. Require data sufficient to access an holders to take certain actions to individual’s account. protect PII. Health or medical information. Records disposal laws. Require (See State Data Breach Laws certain records to be securely Protected Personal Information disposed of under specified Chart: Overview (4-609-2845).) circumstances.
FCC’s Customer Telecommunications carriers when A breach of data collected on Carrier must: Proprietary Network they experience a breach of certain wireless devices, including location Notify law enforcement. Information (CPNI) phone record information such as information about where a call starts Breach Notification Rule call logs, call duration, and phone and ends. Notify customers or disclose the numbers. breach, but not until after law (47 C.F.R. § 64.2011) enforcement is notified. Maintain records of any breaches.
ABOUT PRACTICAL LAW Practical Law provides legal know-how that gives lawyers a better starting point. Our expert team of attorney editors creates and maintains thousands of up-to-date, practical resources across all major practice areas. We go beyond primary law and traditional legal research to give you the resources needed to practice more efficiently, improve client service and add more value.
If you are not currently a subscriber, we invite you to take a trial of our online services at legalsolutions.com/practical-law. For more information or to schedule training, call 1-800-733-2889 or e-mail [email protected].
06-16 © 2016 Thomson Reuters. All rights reserved. Use of Practical Law websites and services is subject to the Terms of Use (http://static.legalsolutions.thomsonreuters.com/static/agreement/westlaw-additional-terms.pdf) and Privacy Policy (https://a.next.westlaw.com/Privacy). 6