In August 2014, the Federal Trade Commission (FTC) published a staff report that evaluates the consumer disclosures made by a number of popular mobile shopping applications and makes recommendations to the providers and users of those apps.1 The FTC staff did not address or find any fault with app platforms, like Google Play or Apple’s App Store, with respect to the consumer disclosures of those apps. This report follows the FTC staff’s March 2013 mobile payment report that recommended mobile payment providers convey clear policies regarding fraudulent and unauthorized charges, encouraged all stakeholders to raise consumer awareness about mobile payment security, and stressed the applicability of its general privacy recommendations to companies in the mobile payment marketplace.2
In surveying shopping apps for its most recent report, the FTC staff reviewed 121 different apps available through Google Play and Apple’s App Store. The FTC staff focused specifically on apps that: (i) facilitate real-time price comparisons; (ii) facilitate consumers’ efforts to find and redeem coupons or discounts; and (iii) allow consumers to make purchases in physical stores. For each app, the FTC staff reviewed the app promotion pages, developer websites, and other pre-download information.
The report contained the following recommendations for the providers of shopping apps:
- Companies should disclose consumer rights and liability limits for unauthorized, fraudulent, or erroneous transactions.
- Companies should clearly describe data collection, use, and sharing.
- Companies should provide strong data security matching their promises.
The FTC staff also issued parallel recommendations for users of shopping apps.
Recommendations for Businesses
Companies should disclose consumer rights and liability limits for unauthorized, fraudulent, or erroneous transactions. Because in-store purchase apps can process transactions in ways that affect which statutory protections, if any, apply to consumers for unauthorized purchases or payments, the FTC staff reviewed 30 in-store purchase apps for descriptions of the applicable transaction model, as well as consumer dispute resolution procedures and liability limits. The majority of these apps used a “pass-through” transaction model—a transaction in which the consumer makes a purchase through an app by placing a charge directly on a credit, debit, or prepaid card. According to the report, under this model consumers have the same statutory and contractual protections as if the consumer had used the physical payment card in a traditional transaction.3 The remaining in-store purchase apps followed a “stored value” transaction model, under which consumers are required to deposit funds into an account maintained by the app provider and used to pay for purchases through the app. The report explained that under this model, consumers generally do not have the same statutory protections that apply to purchases with credit or debit cards and instead, can only rely on the protections that are voluntarily provided.
The FTC staff found that only 16 of the 30 in-store purchase apps made disclosures relating to dispute resolution procedures or liability limits and, furthermore, only nine of these 16 apps provided written protections for their users. Notably, seven of the 30 in-store purchase apps disclaimed all liability arising from transactions through the app. The FTC staff also found it generally difficult to obtain clear information about the apps’ applicable transaction models.
As a result of this survey, the FTC staff reiterated the recommendation made in its March 2013 mobile payment report that in-store app providers (and particularly, providers of “stored value” apps) should provide clear pre-download information to consumers regarding consumer dispute resolution procedures and liability limits.
Companies should clearly describe data collection, use, and sharing. Given the capability of mobile devices and mobile apps to collect a significant amount of user data, the FTC staff surveyed the privacy policies for all shopping apps that it reviewed. Nearly all of the apps surveyed were governed by privacy policies, whether available on the app developers’ websites or on the apps’ promotion pages within Google Play or the Apple iTunes Store. In many cases, however, the FTC staff considered the disclosures relating to data collection and, in particular, data use and sharing, to be vague, which they believed would make it difficult for consumers to assess how the particular shopping app would actually handle their data.
Consequently, while the FTC staff was encouraged by the number of readily available privacy policies, it nonetheless found that the privacy policies “fail[ed] to achieve what should be the central purpose of any privacy policy—making clear how data is collected, used, and shared.” As a corollary, the FTC staff suggested that app developers should further consider reasonable data collection and use limitations.
Companies should provide strong data security matching their promises. The FTC staff reviewed the privacy policies of all surveyed shopping apps for security-related language because, according to the report, consumers often cite security concerns as hindering their adoption of mobile payment technologies. The FTC staff found that over 80 percent of the shopping apps surveyed made promises in their privacy policies relating to the apps’ data security practices. Although the FTC staff did not test the apps to verify their security-related promises, it encouraged all companies offering shopping apps to secure the data they collect and honor any such promises made to consumers. To this end, the report directed app developers to look to the “reasonable and appropriate security standards for mobile apps” promulgated by the FTC in its enforcement actions and business guidance materials.
Recommendations for Consumers
The FTC staff also issued a number of recommendations for consumers using shopping apps, which are synchronized with its recommendations to companies. First, the FTC staff advised that consumers should review each shopping app’s dispute resolution procedures and liability limits and, in the context of applicable statutory protections, consider the payment methods they will use to fund their purchases. Likewise, the FTC staff encouraged consumers to seek information about how their data will be collected, used, and shared by shopping apps before downloading them.
Implications
As evidenced by and stated in the report, the FTC staff has continued to make emerging mobile issues a high priority. Although the report did not call for greater federal oversight or rulemaking, shopping app providers should consider the report’s recommendations and determine how to best implement these recommendations into their apps and business practices.
1 FTC staff, “What’s the Deal? An FTC staff Study on Mobile Shopping Apps” (August 2013), available at http://www.ftc.gov/system/files/documents/reports/whats-deal-federal-trade-commission-study-mobile-shopping-apps-august-2014/140801mobileshoppingapps.pdf.
2 FTC, “Paper, Plastic…or Mobile?: An FTC Workshop on Mobile Payments” (March 2013), available at http://www.ftc.gov/opa/2013/03/mobilepymts.shtm. For information relating to the March 2013 report, see WSGR Alert: FTC Recommends Consumer Protections for Mobile Payment Industry, March 28, 2013, available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-mobile-payment-industry.htm.
3 The report notes that federal law limits consumer liability for credit and debit transactions and provides dispute resolution procedures for errors. However, for prepaid card transactions, consumers must generally rely on their contracts with these card providers for these protections.