FTC Examines Pre-Download Consumer Disclosures of Mobile Shopping Applications; Makes Recommendations Applicable to All Consumer Data
By Elizabeth A. Drogula
08.05.14
Continuing its examination of consumer protection issues in the mobile payments sphere, on August 1, 2014, the FTC released a staff report examining the pre-download disclosures of mobile shopping applications to evaluate the information provided to consumers about: (1) their rights and protections in the event of a payment dispute; and (2) how their personal data will be collected, used, shared, and secured. The FTC found that only roughly half of the applications that it reviewed disclosed whether they had dispute resolution or liability limits prior to download. With respect to data practices, the FTC found that the majority of the applications made privacy policies available for review prior to download, but deemed the language of the policies to be vague and overbroad, “making it difficult for readers to understand how the apps actually used consumers’ information or to compare the apps’ data practices.” Accordingly, the FTC report calls for more information and greater transparency in pre-download mobile shopping app disclosures, and makes three key recommendations:
Recommendation 1: When offering consumers the ability to make payments through mobile devices, companies should disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions.
The FTC’s 2014 report expands on its 2013 mobile payments report, Paper, Plastic . . . or Mobile, with respect to the protections and liability available to consumers for mobile purchases based on how the purchases are funded and processed. In the 2013 mobile payments report, the FTC explained that if a consumer purchases an item via an app that places a charge directly on the consumer’s credit or debit card (i.e., a “pass-through” payment model), the consumer is protected by the liability limits that apply to physical credit and debit cards under federal law. If a consumer purchases an item via a stored value account, however, the statutory protections generally do not apply, and the consumer is limited to whatever contractual protections are provided, if any.
For its 2014 report, the FTC examined whether and to what extent mobile shopping apps explained the protections available to consumers in the event of a payment dispute in their pre-download disclosures. The FTC found that only 16 of the 30 in-store purchase apps that it reviewed provided pre-download disclosures addressing dispute resolution or limitation of liability policies, and only nine of those applications offered any written protections for users. The remaining seven apps disclaimed all liability for losses due to unauthorized or fraudulent transactions related to the use of the apps.
Moreover, the FTC considered the actual protections that may be available to users based on the payment models of the apps and funding sources and found that, in most cases, consumers may not be able to discern them. For example, the majority of apps reviewed employed a pass-through payment model, but the FTC found that most did not state in pre-download disclosures that users could receive the same statutory and contractual protections associated with their external funding sources used to pay for their purchases, and others expressly disclaimed all liability. Of the eight apps using stored value payment models, the FTC found that only three provided policies that offered consumers any protections.
Accordingly, the FTC report recommends that companies offering mobile shopping apps provide consumers with clear pre-download information about dispute resolution and liability limits, particularly if an app uses a stored value payment model that may afford consumers less protection. The FTC also notes that, based on the information that it reviewed, it may not be easy for consumers to determine whether an app uses a pass-through or stored value payment model, and cautions consumers to look specifically for apps “that tell them upfront how the payment service works and what they can do if they encounter a problem,” stating that if an app does not provide this information, “consumers should consider taking steps to minimize their liability by choosing a different payment app or funding such payments with low-dollar amounts.”
Recommendation 2: Companies should clearly describe how they collect, use, and share consumer data.
The FTC’s guidance here with respect to how data practices should be described in privacy policies goes well beyond mobile apps. This recommendation focuses on the general concept of “transparency,” which is a core principle of the FTC’s privacy initiatives, and of any privacy program built upon the Fair Information Practice Principles. In short, the FTC advises companies that, while having a privacy policy is good, if the policy is written in terms that are too vague or overbroad, it does not achieve the goal of “enabl[ing] consumers to learn how, and for what purposes, companies collect, use, and share their data.” To make this point, the FTC identifies several statements that it deemed to be overly vague and/or broad in the mobile shopping app policies that it reviewed, including some that appear to be fairly common in privacy policies generally. For example:
- Many of the privacy policies reviewed stated that personal data may be used to “enhance” or “improve” user experiences, without providing examples that may inform consumers of what the limits of those uses may be, or how they may go beyond what a consumer would reasonably expect.
- Many of the privacy policies introduced sections describing how information may be shared with a general statement that the companies would not “sell or share” personal information “except as described” in the policy, followed by “vague language that reserved broad rights to share consumers’ data.”