The Problem
Innovations in mobile commerce could intrude on consumer privacy and risk the disclosure of information that could harm consumers. Government regulators such as the FTC and the European Commission as well as consumers are worried about this. Consumer concerns and government regulation could impede the development of mobile commerce innovations that would benefit consumers by making it easier for them to shop and get better deals.
The Question
How should we deal with real and imagined privacy concerns to maximize the potential of mobile commerce for consumers and strike the balance between consumer interests and innovator interests?
Background
Mobile payments using smart phones at the physical point of sale haven’t really caught on pretty much anywhere. But many are chasing the dream by developing commerce applications that include payments as one of the features. Many of these applications involve using consumer information—ranging from what people bought where recently to where they are right now—to help get consumers and merchants together and often to drive merchant sales and consumer value.
A February 2013 report by the staff at the Federal Trade Commission noted that, “[w]hen people use their mobile devices, they are sharing information about their daily lives with a multitude of players.” The FTC then asked some probing questions:
- How many companies are privy to this information?
- How often do they access such content and how do they use it or share it?
- What do consumers understand about who is getting their information and how they are using it?
According to the FTC, “In recent studies, consumers have expressed concern about their privacy on mobile devices. For example, a nationwide survey indicated that 57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons.” It went on to note that “[i]n a 2011 survey of U.S. smartphone users, less than one-third of survey respondents reported feeling in control of their personal information on their mobile devices. Lack of attention to these concerns could lead to an erosion of trust in the mobile marketplace, which could be detrimental to both consumers and industry.”
The FTC has presented “suggestions” for the mobile ecosystem to improve mobile privacy. These suggestions include having operating system platforms “[p]rovide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation” and having applications do this if the platform doesn’t.
Another recent study by Christopher Hoofnagle and his colleagues at the Berkeley Center for Law and Technology “found that Americans overwhelmingly oppose the revelation of contact information (phone number, email address, and home address) to merchants when making purchases with mobile payment systems. Furthermore, an even higher level of opposition exists to systems that track consumers’ movements through their mobile phones.”
Hoofnagle and his co-authors recommend adapting and extending California’s Song-Beverly Act to mobile payments. That Act prohibits merchants from requesting personal information at the register. Recently, though, a court in California ruled against the application of the Song-Beverly Act to requesting information in online transactions on the grounds that the information helped reduce online card fraud.
A recent article reported that “The Center for Democracy and Technology, a nonprofit organization that focuses on technology laws, thinks privacy is the major tradeoff with mobile payments…. Mobile payments can expose payments data to more parties than traditional credit cards do. In the case of Google Wallet, for example, you expose your data to Google, which serves as the mobile payments provider, in addition to credit card issuers and payment processors, the nonprofit group said. Third-party apps can potentially gain access to data, too, it said. Once all the small bits are combined, like the customer’s e-mail addresses, phone numbers and purchase histories, merchants have a pretty detailed customer profile.”
Then again, consumers say a lot of things to surveyors but do different things when it comes to making decisions. That’s one of the reasons Steve Jobs went with his gut on key Apple products rather than poring over market research.
In addition to these issues, consumers have long expressed concerns—justified or not—about the threat of hacking into their card information if they pay with NFC contactless cards or NFC-based mobile phones. They may have similar worries about storing card information in wallets on mobile phones. Although many entrepreneurs are working on mobile security measures, it is unknown how vulnerable the mobile ecosystem will be to clever and well-financed criminal minds.
Team 1A
Team 1A proposed defining a “Consumer Privacy Preference Rating Standard” that is industry self-regulated and universally adopted and that allows consumers and merchants to agree on the use of personally identifiable information (PII) and shopping data.
This standard would be similar to the MPAA rating for movies and would allow consumers to easily identify the level of data sharing in a transaction that they are engaging in with a Wallet Provider or a Merchant. Merchants and Wallet Providers could choose to offer transactions with different ratings, each with a different value proposition back to the consumer.
Merchants and wallet providers could identify the value that they would provide to the consumer based on the level of data sharing and allow the market to identify competitive offerings. The ratings could be based on, but not limited to, the following categories:
- Personally Identifiable Information
- Location Data of a Consumer
- Purchase and Transaction History
- Sharing data with external companies
According to Team 1A, this solution would remove the barriers to data sharing by educating consumers on the level of information sharing that they are engaging in. It would also protect Wallet Providers and Merchants by allowing them to secure the necessary agreements with consumers to utilize their information.
Team 1B
Team 1B proposed that stakeholders should self-regulate by extending PCI to balance consumer privacy and mobile payment innovation.
In order to deal with real and imagined privacy concerns, and avoid external regulation of the payments industry, mobile commerce stakeholders should enhance self-regulation by expanding the information subject to PCI. PCI can be expanded to include the device information (MAC Address, phone number, geolocation), shopping cart contents, and other personal consumer information.
In addition, in the view of Team 1B, the consumer’s position has to rise in prominence through clearer and more direct disclosure of the potential uses of data, and some limitations on the extent of the “opt-in” at the time of transacting. Care must be taken to ensure that PCI standards promote innovation while considering the needs of all constituencies: Consumers, Merchants, Issuers, Acquirers/Processors, Regulators, Technology Providers and the Card Networks.
Existing business models and innovation could still flourish, with the added requirement that participants comply with PCI standards, because the compliance investment is more than offset by the benefit of reduced risk. The ability to pick up information “on the fly” without explicit consumer permission would be curtailed, leaving healthy competition in the payments market where models based on the value driven to consumers and to merchants are left to thrive. Confidence and trust in the entire system delivers value to all constituents.
Team 1B argued that benefits would accrue to:
- Consumers: They would get convenience—1-click, better user experience, privacy, security, and explicit control.
- Merchants: They would get better qualified data, efficiency in operations, reduction in breach exposure (shared secrets), and lower fines.
- Issuers: They would have a continued prominent role in the mobile payments system, more transactions, better user experiences for merchants/consumers, greater chances to replace the cash economy, and would be able to spread out a lot of the regulatory burden they are carrying today.
- Card Networks: They would obtain more transactions, confidence/trust, and less government intervention.
- Governments: They would have to spend fewer resources as enforcement would not be required.
- Technology Companies: They would have more opportunities, be able to innovate more and face a level playing field.
Team 1C
According to Team 1C, a key problem that needs to be solved in terms of consumer privacy and mobile commerce is the need for greater transparency and consumer choice at the point of transaction. All channel types should have a consistent level of transparency, which does not exist today. This can be achieved by creating a standardized framework that establishes the way payment and personal data are exchanged between the consumer and the merchant and extends choice and control to the consumer over the information being shared. This can be accomplished by creating best practices, technology toolkits, and certification programs.
Readings
Federal Trade Commission, “Mobile Privacy Disclosures: Building Trust Through Transparency,” FTC Staff Report, February 2013.
Chris Jay Hoofnagle, Jennifer M. Urban, and Su Li, “Mobile Payments: Consumer Benefits & New Privacy Concerns,” Berkeley Center for Law and Technology Research Paper, April 24, 2012.