Continuing its examination of consumer protection issues in the mobile payments sphere, on August 1, 2014, the FTC released a staff report examining the pre-download disclosures of mobile shopping applications to evaluate the information provided to consumers about: (1) their rights and protections in the event of a payment dispute; and (2) how their personal data will be collected, used, shared, and secured. The FTC found that only roughly half of the applications that it reviewed disclosed whether they had dispute resolution or liability limits prior to download. With respect to data practices, the FTC found that the majority of the applications made privacy policies available for review prior to download, but deemed the language of the policies to be vague and overbroad, “making it difficult for readers to understand how the apps actually used consumers’ information or to compare the apps’ data practices.” Accordingly, the FTC report calls for more information and greater transparency in pre-download mobile shopping app disclosures, and makes three key recommendations:

Recommendation 1: When offering consumers the ability to make payments through mobile devices, companies should disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions.

The FTC’s 2014 report expands on its 2013 mobile payments report, Paper, Plastic . . . or Mobile, with respect to the protections and liability available to consumers for mobile purchases based on how the purchases are funded and processed. In the 2013 mobile payments report, the FTC explained that if a consumer purchases an item via an app that places a charge directly on the consumer’s credit or debit cards (i.e., a “pass-through” payment model), the consumer is protected by the liability limits that apply to physical credit and debit cards under federal law. If a consumer purchases an item via a stored value account, however, the statutory protections generally do not apply, and the consumer is limited to whatever contractual protections are provided, if any.

For its 2014 report, the FTC examined whether and to what extent mobile shopping apps explained the protections available to consumers in the event of a payment dispute in their pre-download disclosures. The FTC found that only 16 of the 30 in-store purchase apps that it reviewed provided pre-download disclosures addressing dispute resolution or limitation of liability policies, and only nine of those applications offered any written protections for users. The remaining seven apps disclaimed all liability for losses due to unauthorized or fraudulent transactions related to the use of the apps.

Moreover, the FTC considered the actual protections that may be available to users based on the payment models of the apps and funding sources and found that, in most cases, consumers may not be able to discern them. For example, the majority of apps reviewed employed a pass-through payment model, but the FTC found that most did not state in pre-download disclosures that users could receive the same statutory and contractual protections associated with their external funding sources used to pay for their purchases, and others expressly disclaimed all liability. Of the eight apps using stored value payment models, the FTC found that only three provided policies that offered consumers any protections.

Accordingly, the FTC report recommends that companies offering mobile shopping apps provide consumers with clear pre-download information about dispute resolution and liability limits, particularly if an app uses a stored value payment model that may afford consumers less protection.
The FTC also notes that, based on the information that it reviewed, it may not be easy for consumers to determine whether an app uses a pass-through or stored value payment model, and cautions consumers to look specifically for apps “that tell them upfront how the payment service works and what they can do if they encounter a problem,” stating that if an app does not provide this information, “consumers should consider taking steps to minimize their liability by choosing a different payment app or funding such payments with low-dollar amounts.”

Recommendation 2: Companies should clearly describe how they collect, use, and share consumer data.

The FTC’s guidance here with respect to how data practices should be described in privacy policies goes well beyond mobile apps. This recommendation focuses on the general concept of “transparency,” which is a core principle of the FTC’s privacy initiatives, and any privacy program built upon the Fair Information Practice Principles. In short, the FTC advises companies that, while having a privacy policy is good, if the policy is written in terms that are too vague or overbroad, it does not achieve the goal of “enabl[ing] consumers to learn how, and for what purposes, companies collect, use, and share their data.” To make this point, the FTC identifies several statements that it deemed to be overly vague and/or broad in the mobile shopping app policies that it reviewed, including some that appear to be fairly common in privacy policies generally. For example:
  • Many of the privacy policies reviewed stated that personal data may be used to “enhance” or “improve” user experiences, without providing examples that may inform consumers of what the limits of those uses may be, or how they may go beyond what a consumer would reasonably expect.
  • Many of the privacy policies introduced sections describing how information may be shared with a general statement that the companies would not “sell or share” personal information “except as described” in the policy, followed by “vague language that reserved broad rights to share consumers’ data.”
The report also expresses a concern that if a company uses vague and broad language to describe its data practices in its privacy policy, its evaluation of whether it has a business need for the data being collected may be similarly vague and broad, resulting in unnecessary and excessive data collection. To this end, the FTC reminds companies to “build in privacy at every stage of product development” and organizational practices, i.e., to implement Privacy by Design, as described in its March 2012 Privacy Report.

Recommendation 3: Companies should ensure that their strong data security promises translate into strong data security practices.

The FTC’s report notes that many of the privacy policies that it reviewed assure consumers that the companies implement “technical,” “organizational,” and/or “physical” safeguards to protect their data, using general references to “reasonable” and “industry standard” measures, and more specific references to the use of encryption or SSL technology. The FTC did not test the data security practices of the mobile shopping apps that it reviewed, so the report does not dispute the security assurances made. The report simply reminds companies that the FTC has “addressed reasonable and appropriate security standards for mobile apps through both enforcement actions and business guidance materials,” and that companies are accountable to consumers for any security promises made in their privacy policies. Indeed, in addition to bringing enforcement actions against companies that allegedly fail to provide data security promised in consumer notices under the “deceptive acts and practices” prong of Section 5 of the FTC Act, in the Wyndham case, a federal court recently confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices under the unfairness prong of Section 5. Wyndham’s petition to the U.S. Court of Appeals for the Third Circuit seeking to challenge this ruling in an interlocutory appeal has been granted.

Conclusion

Although issued in the context of reviewing the pre-download disclosures of mobile shopping applications, the findings in the FTC’s report with respect to data practices, and the description of those practices, are general in application. Accordingly, the report is ultimately an instruction to all companies collecting consumer data to “do a better job of considering reasonable data collection and use limitations and describing those activities clearly to consumers.” The FTC also urges providers of mobile shopping applications to do a better job of disclosing dispute resolution and liability limit information to users, and cautions consumers that if they cannot see information about how an app’s payment system works in pre-download disclosures, or how their information may be collected, used, and shared, they should consider minimizing “their exposure by limiting the personal and financial data they provide, or by choosing a different app.”