On January 15, the FTC announced that a major mobile technology company agreed to resolve allegations that it violated Section 5 of the FTC Act by failing to inform account holders that entering their password on their mobile device would open a 15-minute window in which children could incur unlimited charges within certain mobile applications (in-app purchases) with no further action from the account holder. The settlement is open to public comment through February 14, 2014. Once finalized, the proposed settlement will require the company to refund at least $32.5 million to consumers who allegedly were billed for accidental or unauthorized in-app purchases by minors. The company will manage the refund process, including by providing notice to consumers and providing refunds promptly upon consumer request. Any funds remaining 12 months after the final agreement must be remitted to the FTC. The company also must alter its billing practices to ensure it obtains express, informed consent before charging account holders for in-app purchases.
On April 17, the FTC announced it is seeking additional public comments on issues explored during a 2013 forum on mobile security. The announcement includes a series of specific questions within the following categories: (i) secure platform design; (ii) secure distribution channels; (iii) secure development practices; and (iv) security lifecycle and updates. The announcement indicates that the FTC is planning a report based on the forum and this subsequent information request. Comments are due by May 30, 2014.
On September 27, California became the first state to enact online tracking legislation, which requires website operators to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different sites or online services. The bill requires operators to disclose whether other parties have access to a consumer’s personally identifiable information when a consumer uses the operator’s site or service. The state also enacted SB 46, which expands the state’s data breach notice law (i) to apply to certain personal information that would permit access to an online account—user name or email address, in combination with a password or security question and answer, and (ii) to require that in such cases, security breach notification be made by sending notice using a method other than email. Both bills take effect on January 1, 2014.
On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.
On September 23, California Governor Jerry Brown signed SB 568, which prohibits an operator of a website, online service, online application, or mobile application from (i) marketing or advertising certain products or services to a minor and (ii) knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising specified types of products or services. The provisions apply to marketing provided by an advertising service if the operator notifies the service that the website, online service, or application is directed to minors. The bill also requires operators to permit a minor who is a registered user of the operator’s website, online service, online application, or mobile application to remove, or to request and obtain removal of, content or information posted on the operator’s website, service, or application by the minor. The law provides exceptions for content or information posted by a third party, or if (i) any other provision of state or federal law requires the operator or third party to maintain the content or information or (ii) the operator anonymizes the content or information. The law is effective January 1, 2015.
As technology continues to grow and become a part of day-to-day life, smartphones and tablets are reshaping the delivery of financial services to consumers. The mobile device is quickly becoming a full-fledged platform for electronic financial services, especially for mobile payments.
The variety and number of mobile devices and the service providers supporting them have introduced new and different stakeholders – all of whom are competing with traditional financial institutions for dominance in the mobile commerce/mobile payment space. This new and rapidly evolving environment presents new operational risks for consumers, payment providers, and the recipients of payments. It will be vital to identify who has legal responsibility and liability for the various risks associated with payment platforms and payment transactions.
To learn more about the mobile technology issues affecting the financial services industry, please review some of our recent articles on the topic. In their article “Is Regulatory Uncertainty an Impediment to Mobile Payments?”, published earlier this year, BuckleySandler attorneys Margo Tank and David Whitaker raise legal considerations surrounding the regulatory uncertainty in mobile payments. In “Federal Regulators Issue Guidance on Social Media and Mobile Privacy,” Margo, David, and Ian Spear discuss the recent guidance and flexible guidelines issued by the FFIEC and FTC. Another recent article by Margo and David provides a list of the accessibility items financial services companies should consider when developing their websites and mobile apps.
On June 25, the FTC announced updated guidance for the search engine industry on distinguishing paid search results from natural search results. The updated guidance was in the form of letters sent to seven general purpose search engines and 17 high traffic specialized search engines. The FTC noted that the principles of its original 2002 guidance still apply, but that changes in the search industry and requests from industry and consumer groups led the agency to issue the revised guidance. The guidance states that the failure to clearly and prominently distinguish advertising from natural search results, such as through visual cues, labels, or other techniques, could constitute a deceptive practice. The FTC also noted that the principles of the guidance should be applied to new means used by consumers to search for information, such as social media, mobile applications and voice assistants on mobile devices.
On June 25, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices. While the NIST document was developed for use by federal agencies, the device management principles may be applicable to other organizations facing similar security concerns. The guide focuses on smart phones and tablets and provides recommendations for selecting, implementing, and using centralized management technologies. It also explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The recommendations aim to address security issues related to both organization-provided and personally-owned (“bring your own device”) mobile devices.
On May 15, the FTC announced that it sent letters to businesses to help them comply with new requirements under the revised Children’s Online Privacy Protection Act (COPPA) rule. The letters went to 90 businesses whose online services or mobile applications appear to collect personal information from children under 13, as defined by the revised rule. The letters differ depending on whether the business is domestic or foreign, and whether the business collects images or sounds of children, or collects persistent identifiers.
Court Dismisses California AG’s First Suit Against Mobile Application Provider Under Online Privacy Protection Act
On March 27, the Federal Reserve Board presented the findings of a November 2012 online survey of consumers’ use of mobile technology to access financial services and make financial decisions. The report follows a related March 2012 Federal Reserve Board report, and includes the Board’s general findings that (i) mobile phones and mobile Internet access are in widespread use, (ii) the ubiquity of mobile phones is changing the way consumers access financial services, (iii) mobile phones are also changing the way consumers make payments, (iv) security and usefulness concerns continue to be the main impediments to the adoption of mobile financial services, (v) smartphones are changing the way people shop, and (vi) mobile phones are prevalent among unbanked and underbanked consumers. The report points out that the use of mobile phones to make payments at the point of sale has increased more rapidly than the use of mobile phones for banking, and that there is “substantial growth potential” for mobile payments as the ability to make them becomes more widespread.
On February 22, the FTC announced that a mobile device manufacturer agreed to settle charges that it failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. The settlement is the first of its kind obtained by the FTC. The FTC’s complaint alleged that the manufacturer failed to (i) provide its engineering staff with adequate security training, (ii) review or test the software on its mobile devices for potential security vulnerabilities, (iii) follow well-known and commonly accepted secure coding practices, and (iv) establish a process for receiving and addressing vulnerability reports from third parties. The complaint further described several resulting vulnerabilities that allegedly compromised sensitive device functionality and could have permitted malicious applications to send text messages, record audio, and install additional malware onto a consumer’s device. Such malware, according to the FTC, could be used to record and transmit information entered into or stored on the device. The settlement requires the device manufacturer to establish a comprehensive security program and deploy security patches to consumers’ devices. The manufacturer also is prohibited from making any false or misleading statements about the security and privacy of consumers’ data on its devices.
On February 1, the FTC announced that it is requiring a social networking application company to pay $800,000 and make certain compliance enhancements to resolve allegations that the firm (i) misled and deceived users by automatically collecting and storing personal information from users’ mobile device address books even if the users had not selected that option and despite claims that the application collected only certain non-personal user information, and (ii) violated the Children’s Online Privacy Protection Act Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. Pursuant to the consent decree, in addition to the monetary penalty, the company must establish a comprehensive privacy program, and obtain independent privacy assessments every other year for the next 20 years.
Concurrently, the FTC …