FTC Announces First Settlement of Privacy-By-Design Case against Device Manufacturer

On February 22, the FTC announced that a mobile device manufacturer agreed to settle charges that it failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. The settlement is the first of its kind obtained by the FTC. The FTC’s complaint alleged that the manufacturer failed to (i) provide its engineering staff with adequate security training, (ii) review or test the software on its mobile devices for potential security vulnerabilities, (iii) follow well-known and commonly accepted secure coding practices, and (iv) establish a process for receiving and addressing vulnerability reports from third parties. The complaint further described several resulting vulnerabilities that allegedly compromised sensitive device functionality and could have permitted malicious applications to send text messages, record audio, and install additional malware onto a consumer’s device. Such malware, according to the FTC, could be used to record and transmit information entered into or stored on the device. The settlement requires the device manufacturer to establish a comprehensive security program and deploy security patches to consumers’ devices. The manufacturer also is prohibited from making any false or misleading statements about the security and privacy of consumers’ data on its devices.

Electronic Transactions Association Releases Resources for Mobile Payment Solutions

On February 19, the Electronic Transactions Association’s (ETA) Mobile Payments Committee released three resources to help firms navigate emerging issues in the mobile payments market. The Committee is an industry-wide task force of representatives from credit card networks, processors, mobile network operators, developers, financial institutions, and device manufacturers. The first resource, “Best Practices and Guidelines for Mobile Payment Solutions,” addresses security, privacy and competition issues relevant to merchants, consumers, federal and state legislators, federal regulators, merchant acquirers, credit card issuers, and infrastructure providers. In the second, a white paper entitled “Beyond the Hype: Mobile Payments for Merchants,” the Committee provides a comprehensive overview of the current state of mobile payments, as well as analysis of the risks and costs for merchants to consider before deploying mobile payments solutions. Finally, the Committee issued a “Mobile Payments Glossary of Terms.”

PCI Security Standards Council Offers Guidance for Protecting Payment Card Data

On February 14, the PCI Security Standards Council, the open global forum responsible for setting payment security standards, issued guidelines for merchants on the factors and risks they must address to protect card data when using mobile devices. The guidance addresses the three main risks associated with mobile payment transactions: account data entering the device, account data residing in the device, and account data leaving the device. The guidance also (i) provides recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance, and (ii) provides recommendations regarding the different components of the payment acceptance solution, including the hardware, the software, the use of the payment acceptance solution, and the relationship with the customer. The PCI Security Standards Council also recently released guidance for securing payment card data in cloud environments, and guidance regarding security for payment transactions conducted over the Internet.

FTC Obtains Settlement from Cord Blood Bank in Data Theft Action

On February 5, a federal district court in California approved a settlement recently obtained by the FTC, which (i) requires a California-based firm that operates a cord blood bank to establish a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years, and (ii) prohibits the company from misrepresenting its privacy and security practices. The FTC alleged that the firm violated the FTC Act by failing to use reasonable and appropriate procedures for handling customers’ personal information, despite its privacy policy claims to the contrary. Further, the FTC charged that the firm created unnecessary risks to personal information by transporting portable data storage devices containing personal information in a way that made the information vulnerable to theft, and failed to prevent, detect, and investigate unauthorized access to computer networks. According to the FTC, this resulted in a December 2010 breach in which certain portable devices were stolen from an employee’s personal vehicle and the names, gender, Social Security numbers, dates and times of birth, drivers’ license numbers, credit and debit card numbers, and other personal information of nearly 300,000 customers were compromised. The FTC also alleged that certain of the portable devices could have permitted an intruder to access the firm’s network, which contained sensitive personal health information.

POSTED IN: E-Commerce, Federal Issues

NACHA Finalizes Guidelines for Use of Quick Response Codes for Consumer Bill Pay

Recently, NACHA (The Electronic Payments Association) and its Council for Electronic Billing and Payment released final guidelines to facilitate the use of Quick Response (QR) codes for a variety of consumer bill payment functions, including viewing bills, making payments, enrolling for eBills, and setting up payees in online banking. The guidelines provide voluntary standards for using QR codes in both biller direct and consolidator/aggregator billing and payment models, and provide recommendations for (i) QR code size, (ii) data to be included in the QR code, and (iii) layout of the data represented in the QR code. The guidelines are intended to establish a single QR code format that can be printed on a paper bill and scanned by a consumer’s mobile phone using a biller, mobile banking, or generic QR code reader, so that billers and service providers can enable QR encoding in a standardized format, provide certainty for biller and banking clients, and ensure a consistent consumer experience.

POSTED IN: E-Commerce, Payments

California Supreme Court Holds Online Download Purchase Transactions Not Covered By Song-Beverly Credit Card Act

On February 4, the California Supreme Court held, in a 4-3 split ruling, that the personal privacy protections afforded consumers by the Song-Beverly Credit Card Act do not apply when the item purchased is downloaded via the Internet. Apple Inc. v. Sup. Ct. Los Angeles Cty., No. S199384, 2013 WL 406586 (Cal. Feb. 4, 2013). However, the court did not consider whether the Song-Beverly Act privacy provisions apply to the broader category of online transactions that do not involve a downloadable product. In this case, a customer filed a putative class action against an online digital media retailer, alleging that the retailer’s practice of requiring customers to provide their telephone number and address before accepting credit card payment for downloadable media purchases violates Section 1747.08 of the Song-Beverly Act, which prohibits retailers from requiring personal information as a condition to completing credit card transactions. Citing the statutory language and legislative history, the court explained that while Song-Beverly was intended to protect personal privacy, it was not meant to do so at the risk of increasing fraud. Further, the court determined that fraud protections provided in Song-Beverly, which allow retailers to request proof of identification, are not available to online retailers selling downloadable products. The court also reasoned that in later enacting the California Online Privacy Protection Act, the state legislature demonstrated that it can unambiguously address online transactions, and that it sought to strike a different balance between privacy protections and online commerce than did the Song-Beverly Act. Therefore, the court held, online transactions involving downloadable products fall outside the scope of Song-Beverly. The court invited the legislature to revisit consumer privacy in connection with online transactions.

POSTED IN: Courts, E-Commerce

FTC Announces Mobile Privacy Enforcement Action, Issues Mobile Privacy Staff Report

On February 1, the FTC announced that it is requiring a social networking application company to pay $800,000 and make certain compliance enhancements to resolve allegations that the firm (i) misled and deceived users by automatically collecting and storing personal information from users’ mobile device address books even if the users had not selected that option and despite claims that the application collected only certain non-personal user information, and (ii) violated the Children’s Online Privacy Protection Act Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. Pursuant to the consent decree, in addition to the monetary penalty, the company must establish a comprehensive privacy program, and obtain independent privacy assessments every other year for the next 20 years.

Concurrently, the FTC Read more…

Maryland AG Establishes Privacy Unit

On January 28, Maryland Attorney General (AG) Doug Gansler announced a new unit in his office dedicated to online privacy enforcement and policy. The AG stated that the new unit will (i) monitor companies to ensure they are in compliance with state and federal consumer privacy laws, (ii) examine weaknesses in online privacy policies and work alongside major industry stakeholders and privacy advocates to provide outreach and education to businesses and consumers to broaden awareness about privacy rights, and (iii) pursue enforcement actions where appropriate. The unit announced by the AG appears similar to one formed by California Attorney General Kamala Harris, which recently has been active with regard to mobile application privacy. Last year, AG Gansler announced “Privacy in the Digital Age” as his central initiative as President of the National Association of Attorneys General.

POSTED IN: E-Commerce, State Issues

Federal Regulators Propose Guidance for Social Media Use

On January 22, the FFIEC proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions, as well as nonbanks supervised by the CFPB. With regard to compliance and legal risks, the guidance addresses (i) the applicability of existing federal laws and regulations to the use of social media for marketing and originating new deposit and lending products and the use of social media to facilitate consumer use of payment systems; (ii) the need to apply BSA/AML internal controls to customers engaging in electronic banking through the use of social media, and to e-banking products and services offered in the context of social media, as well as BSA/AML risks emerging through the growing use of social media; (iii) CRA monitoring of social media sites run by an institution; and (iv) customer privacy issues associated with social media. The guidance also reviews reputational risks related to social media, including risks related to (i) fraud and brand identity; (ii) social media vendor monitoring; (iii) privacy; (iv) consumer complaints; and (v) employee use of social media. Finally, the guidance addresses the vulnerability of social media to malware and the resultant operational risk. The FFIEC is accepting comments for 60 days after publication in the Federal Register. After the comment period, the agencies will issue supervisory guidance and will urge state regulators to follow.

Virginia Publishes Electronic Notarization Standard

On January 21, the Virginia Secretary of the Commonwealth released the Virginia Electronic Notarization Assurance Standard. The standard, which cites the challenge faced by notaries to “preserve and strengthen the role of the notary in the rapidly emerging digital economy and to ensure reliability and cross-border recognition of notarized electronic documents in a global economy,” is intended to support the transition of Virginia notaries to performing electronic notarizations that have the same legal effect as traditional notarizations. It sets forth registration and performance requirements, electronic signature and seal requirements, online notarization procedures, and notarized electronic document requirements. According to the Secretary, the Virginia standard (i) reflects the National Association of Secretaries of State Electronic Notarization Standard for Document Security; (ii) incorporates aspects of standards previously adopted by seven other states; and (iii) is consistent with the federal ESIGN Act, the UETA, and the Uniform Real Property Electronic Recording Act.

Retail Customers Obtain Unusually Favorable Settlement in Zip Code Collection Case

On January 11, the U.S. District Court for the Northern District of California approved a settlement between a retailer and a class of customers to resolve allegations that the retailer violated the California Song-Beverly Credit Card Act by collecting customer zip codes as part of credit card purchase transactions and storing that information in a customer database. Burdewick v. Kohl’s Dep’t Stores, Inc., No. 12-119, Final Order and Judgment (Jan. 11, 2013). The settlement is the most recent in a series following the California Supreme Court’s 2011 decision in Pineda v. Williams-Sonoma Stores Inc. that zip codes constitute “personal identification information” under the Act. In this case, class members can submit claims to obtain a gift card from a common $650,000 fund. The exact amount of the gift card will depend upon the number of valid claims, but actual payments are expected to far exceed the $10-$20 amounts typically provided by most similar settlements to date. Moreover, the settlement places no restriction on the use or transferability of the cards. The court also approved a $215,000 award to class counsel, and a $7,500 incentive award to the class representative.

POSTED IN: Courts, E-Commerce

President Signs Video Privacy Protection Act Amendments

On January 10, President Obama signed H.R. 6671, which amends the Video Privacy Protection Act to facilitate compliance for modern video service providers. The Act was originally passed in 1988 to limit the disclosure of information about consumers’ “video tape rental or sales records,” and its application to certain modern video service providers (e.g. Netflix) is not clear. The amendments allow such providers to obtain consumer consent to disclosure through electronic means using the Internet. Such consent must be in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer. Consumers can provide consent in advance, but not for more than two years or until consent is withdrawn by the consumer, and service providers must provide an opportunity for the consumer to withdraw consent on a case-by-case basis or to withdraw from ongoing disclosures, at the consumer’s election.

California AG Issues Mobile Application Privacy Recommendations

On January 10, California Attorney General Kamala Harris (AG) issued recommended privacy practices for mobile application developers, mobile application platform providers, mobile advertising networks, operating system developers, and mobile carriers. The AG recommends a “surprise minimization” approach, which could include measures to (i) avoid collecting personally identifiable data that are not needed for basic functionality, (ii) make an app’s general privacy policy easy to understand and available before download, and (iii) supplement a legally required general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an application’s basic functionality or that involve sensitive information.  Supplemental policies could include “special notices” delivered in context and “just-in-time,” or short privacy statements made readily available within an application and that highlight potentially unexpected practices and allow users to make privacy choices. The issuance of the recommendations is the latest action by the AG as part of a broader privacy initiative and follows the state’s first mobile application privacy suit filed last month.

POSTED IN: E-Commerce, State Issues

California Federal District Court Dismisses Privacy Class Action for Lack of Injury

On December 28, the U.S. District Court for the Northern District of California dismissed a putative class action alleging that Google Inc.’s privacy policy violates the federal Wiretap Act and state consumer protection statutes. In re Google, Inc. Privacy Policy Litig., No. 12-01382, 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012). The plaintiffs allege that Google’s universal privacy policy, which applies across its various products and allows Google to aggregate, store, and cross-reference certain personal information collected across those products, violates consumer privacy rights by allowing the company to collect information from one product where the consumer has an expectation of privacy, and use that information to, for example, target advertising to the consumer in other products. The court held that no precedent exists in the Ninth Circuit or any other appellate court to allow claims to proceed based on only the alleged unauthorized disclosure of personal information, let alone such disclosure of information by the defendant to itself, as is the case here. The court also held that the plaintiffs failed to support their claims under the federal Wiretap Act that a provider can intercept information when such information already is in its possession, particularly given that the Act excludes the provider’s own equipment from the definition of device. The court found that the plaintiffs had failed to plead sufficient injury to establish standing, and dismissed the plaintiffs’ claims with leave to amend.

POSTED IN: Courts, E-Commerce

FDIC Supervisory Insights Focuses on Mobile Payments and High-Yield Checking

On December 17, the FDIC published the Winter 2012 issue of Supervisory Insights. The two featured articles focus on mobile payments and high-yield checking. In “Mobile Payments: An Evolving Landscape,” FDIC staff (i) review mobile payment technology, (ii) provide guidance regarding understanding and managing risks, and (iii) include a chart explaining the applicability of various federal laws to mobile payments. The article states that, going forward, non-bank mobile payment providers may start to capture greater market share from financial institutions and alter bank/customer relationships. The article describes the potential for banks to gradually be pushed out of the payment transaction, and identifies potential impacts of such disintermediation, including loss of access to key customer data. A second article, “High-Yield Checking Accounts: Know the Rules,” reviews the features of high-yield checking accounts and identifies problematic disclosures that may accompany their promotion. The article identifies what examiners look for when examining high-yield account offerings and provides best practices for banks.