Many transactions on mobile devices, including those made using prepaid or stored value accounts, generally are not protected by the statutory or contractual liability limits that consumers might expect. As such, consumers should be able to learn about their rights and protections before using a service to make a payment via their mobile device, according to comments Federal Trade Commission (FTC) staff published last week.
The agency’s comments responded to a June request by the Consumer Financial Protection Bureau (CFPB) for input on the use of mobile financial services by consumers and economically vulnerable populations to access products and services, manage their finances, and achieve their financial goals.
“We want to know more about how emerging technologies are affecting the opportunities and challenges that consumers are facing,” CFPB Director Richard Cordray said in prepared remarks at the Mobile Request for Information Field Hearing in New Orleans in June. “The inquiry also specifically addresses how the use of mobile payment products can be used to improve the financial lives of underserved consumers.”
In their comments published last week, FTC staff cited five consumer-protection issues mobile financial services pose and the steps the agency has taken to address them:
Liability for unauthorized charges using prepaid products
In a recent report “What’s the Deal? An FTC Report on Mobile Shopping Apps,” FTC staff examined the disclosures of various apps that allowed consumers to pass charges to prepaid and gift cards and that allowed them to use their credit or debit cards to fund prepaid accounts within the app to make subsequent purchases.
Almost half of the 30 in-store purchase apps did not disclose whether they had any dispute-resolution or liability-limits policies prior to download, the agency noted in its staff comments. Moreover, of the 16 apps that provided pre-download information about dispute-resolution procedures or liability limits, only nine offered any written protections for their users, and seven disclaimed all liability.
“Given the lack of alternative remedial avenues for stored-value service users, the report encourages consumers to look for those mobile-payment services that disclose upfront how the payment service works and what consumers can do if they encounter a problem,” they said.
FTC staff also reiterated their recommendation from the report that companies provide clear dispute-resolution and liability-limits information to their customers, particularly when using a stored value method to process payments.
Unfair carrier billing practices
As carrier billing has developed, fraud also has become a problem for consumers. In particular, mobile cramming, or the unlawful practice of placing unauthorized third-party charges on mobile-phone accounts, is a significant concern, FTC staff said. Mobile cramming often occurs when consumers are signed up and billed for third-party services, such as ringtones and recurring text messages containing trivia or horoscopes, without their knowledge or consent.
In six recent enforcement actions, the commission has alleged that such practices have cost consumers millions, and in three of these actions, defendants agreed to orders imposing judgments totaling more than $160 million, FTC staff said in their comments.
“In addition to the agency’s enforcement actions, the commission has engaged in policy and outreach initiatives to address mobile-cramming issues,” they said. “Specifically, the commission convened a roundtable of interested stakeholders to discuss strategies to eliminate mobile cramming, and FTC staff recently issued a report that recommends certain best practices for industry participants to protect consumers against mobile cramming.”
The FTC, staff said, has been the primary federal agency involved in privacy enforcement and policy since the 1970s, when it began enforcing one of the first federal privacy laws–the Fair Credit Reporting Act (FCRA). “Since then, rapid changes in technology have raised many new privacy challenges, and the FTC has expanded its efforts to address them,” they wrote.
The commission uses a variety of tools to protect consumers’ personal and financial information, including workshops, reports, surveys, testimony, law enforcement, and consumer and business education, the comments noted. During the past few years, a key commission focus has been to address the privacy concerns raised by the rapid expansion of mobile technologies and connected devices.
As part of this effort, the FTC held three roundtables in 2009-2010, followed by a preliminary and final report setting forth a framework for addressing privacy in today’s marketplace, FTC staff said.
“The commission’s work in this area has shown that mobile technologies raise unique privacy concerns due to the high number of companies involved in the mobile payments ecosystem and the large volume of data being collected,” they wrote. “In addition to the banks, merchants, and payment card networks present in traditional payment systems, mobile payments often involve new actors such as operating system manufacturers, hardware manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators.”
In their February 2013 report “Mobile Privacy Disclosures: Building Trust Through Transparency,” FTC staff made recommendations to improve transparency in the mobile environment, including recommending that app developers provide “just-in-time” disclosures and obtain affirmative express consent from consumers before collecting sensitive information about consumers or sharing such sensitive data with third parties. They built on those recommendations in their recently issued “Mobile Shopping Apps Report.”
“While most of the apps reviewed had privacy policies, staff found that those policies often used vague terms, reserving broad rights to collect, use, and share consumer data without explaining how the apps actually handled the information,” the comments noted. “Staff recommended that companies clearly describe how they collect, use and share consumer data so that consumers can make informed choices about the apps they use.”
In the past several years, the FTC has brought a number of enforcement actions alleging deceptive and unfair conduct by mobile app developers in the collection or sharing of consumers’ data, including children’s data. The FTC’s website, staff noted, also features many materials educating consumers about potential concerns related to mobile privacy.
The FTC is addressing mobile security through enforcement, policy initiatives, and consumer and business education. For example, in two recent cases against Fandango and Credit Karma, the FTC alleged that, despite their security promises, the companies failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk, staff noted in their comments.
“The complaints charged that Fandango and Credit Karma disabled a critical default process, known as SSL certificate validation, which would have verified that the apps’ communications were secure,” they said.
In addition, last year mobile-device manufacturer HTC agreed to settle charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed at risk the sensitive information of millions of consumers, staff wrote.
FTC staff said they also released guidance directed to businesses operating in the mobile arena to help educate them on best practices to handle sensitive information. Likewise, because mobile apps and devices often rely on sensitive consumer data, FTC staff developed “Mobile App Developers: Start with Security,” a guidance piece that provides tips to help mobile app developers approach mobile app security.
Use of consumer data
The commission has focused on the practices of data brokers since the enactment of the FCRA, which imposes obligations on consumer-reporting agencies that provide data for credit, employment, insurance and other defined eligibility determinations, staff noted. “As mobile services have grown in capabilities and popularity, so has the potential for new companies operating in this environment to violate traditional laws governing collection and use of consumer data, such as the FCRA,” they wrote.
In 2012, the commission issued warning letters to marketers of six mobile background-screening applications, cautioning that they may be violating the FCRA. Further, the FTC settled charges last year with one enterprise that marketed its mobile apps as employment-screening tools, alleging it operated as a consumer-reporting agency without taking consumer protection measures required by the FCRA, FTC staff noted.
Mobile services raise other data broker-related concerns. When data are sold to these entities, often outside the protections of specific privacy laws, questions arise regarding how the data may be used to either benefit or disadvantage low-income and underserved communities. The FTC recently concluded a study of the data broker industry that found data brokers make inferences about consumers and create data segments that group consumers based on the information they collect.
“The inferences made about consumers can involve potentially sensitive information,” staff noted in the comments.
The FTC will host a public workshop, “Big Data: A Tool for Inclusion or Exclusion?” on Sept. 15 to examine the use of big data and its impact on consumers, including low-income consumers and underserved communities. Among the issues, the workshop will explore the potential uses of big data as well as the potential benefits and harms for particular populations of consumers, according to the agency.