March 21, 2016

Legislative framework of application development in the US

Written by: Guardsquare

In this blog series, we will shed light on the legislative framework of mobile application development in major countries and regions across the globe. The first part of the series is an analysis of US regulations that are of concern to application developers. It is important to note that the listed laws not only apply to American developers, but to all developers that target an American audience.

There is no across-the-board privacy law in the United States, since the US government prefers a sector-specific approach. Consequently, app developers are subject to various privacy laws at both the state and federal level. The most important federal law that applies to them is Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. § 45(a). This Act came into force in 2011 and prohibits “unfair or deceptive acts or practices in or affecting commerce”. The FTC penalizes companies whose policy statement is unclear, inadequate or if they fail to keep their privacy promises. The ruling of the Wyndham Case (fully “FTC v. Wyndham Worldwide Corp upholding the authority of the Federal Trade Commission to oversee cybersecurity practices”, 2012-2015) affirmed the FTC’s authority to regulate cybersecurity practices, since those practices can form the basis of an unfair practice under § 45(a).

Nearly all American states have passed so-called ‘mini-FTC Acts’ that grant them the authority to take enforcement actions against deceptive trade practices. They have also adopted data breach notification laws that obligate companies to provide notices in the event of a personal data breach. The Consumer Privacy Protection Act, introduced in March 2015, is a proposal to apply this at the federal level. The Act also contains a section to ensure standards for the development and implementation of technical and administrative safeguards, so that data-collecting entities are subject to consumer privacy requirements.

Other regulations regarding privacy have been proposed over the course of the last year. The most noteworthy is the Application Privacy, Protection and Security Act, refused in 2013 but reintroduced in 2016. This Act specifically addresses the treatment of data collected by mobile applications, and is the first of its kind worldwide. Another proposal is the Student Digital Privacy and Parental Rights Act (2015), that prohibits an entity to use students’ obtained personal information for targeted advertising or to sell that information to third parties.

Similar to Canada and the EU, the United States adopted additional rules to regulate mobile payment applications, medical applications and applications that collect data from children under the age of 13. A plethora of laws and regulators, both on the state and federal level, cover the m-payment market. Laws include the Gramm-Leach-Bliley Act (1999), which requires companies that offer financial products or services to explain their information-sharing practices to customers and to safeguard sensitive data. The Truth in Lending Act (1968) establishes rules regarding consumer credit, and is applicable to m-payment applications when the underlying source of payment is a credit card. The Electronic Signature Act (2000) regulates the timing and delivery of electronic privacy disclosures during the use of an application. Regulators include the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau, the National Credit Union Administration and the Federal Trade Commission. Due to the sheer amount of applicable laws, the overall legal framework is neither comprehensive nor consistent. The current rules are abundant with ambiguities and overlaps that undermine consumer protection in the domain of m-payment applications.

Medical applications (sometimes abbreviated as mHealth apps), on the other hand, are regulated under a clearer legal framework. They fall under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which regulates the data privacy and security of medical information. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was added to address the specific risks associated with the electronic transmission of health information. The Food and Drug Administration (FDA) is responsible for the continuation of developing mHealth regulations and the approval of medical apps. FDA focuses its oversight only on mobile apps that are used as an accessory to a regulated medical device or transform a mobile platform into a regulated medical device.

FDA considers mobile apps that 1) are connected to a medical device as a means to control the device 2) transform the mobile platform into a medical device or 3) perform patient-specific analysis and provide diagnosis or treatment recommendations, as medical apps that are subject to regulatory oversight. On the contrary, FDA does not regulate apps that 1) help patients self-manage their disease without providing treatment suggestions 2) provide patients with tools to organize their health information or 3) help patients document or communicate medical conditions to health care providers. The apps that fall under the oversight of the FDA are divided on three categories according to risk. They have to fulfill a range of regulatory requirements based on their classification.

Overall, the American laws that apply to app developers are shattered across sectors and governmental levels. Additionally, the financial and medical industries released numerous self-regulatory guidelines. This results in an inconsistent and unclear landscape of rules and requirements concerning mobile applications. Proposals of new regulations will only add to this fragmentation.

Sources

Standards and regulations

https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one

http://www.applicationprivacy.org/learn-resources/existing-laws-and-regulations/

https://uk.practicallaw.thomsonreuters.com/6-502-0467?q=*&__lrTS=20220121093530726&transitionType=Default&contextData=(sc.Default)&firstPage=true

FTC Act and ‘mini-FTC Acts’

https://www.law.cornell.edu/uscode/text/15/45

https://www.hldataprotection.com/2015/08/articles/consumer-privacy/analysis-of-ftc-v-wyndham-third-circuit-affirms-ftc-authority-to-regulate-data-security/

Proposed regulations

https://www.congress.gov/bill/114th-congress/house-bill/2092

https://www.congress.gov/bill/114th-congress/senate-bill/1158

https://www.govtrack.us/congress/bills/114/hr4517