Mobile applications have changed the way we shop. Instead of trekking from store to store or researching prices in advance, consumers can simply download an app to compare competing products and retailers in real time. Apps also allow consumers to collect coupons and pay in store by waving their phone at the checkout counter instead of swiping a credit card. Although these apps have made life easier, they also raise important questions – who is responsible if a fraudulent payment is made using one of these apps? How do shopping app providers collect, use, and share information about what consumers buy and where they shop? Do the promises they make about security live up to their practices?
To address these questions, the FTC recently released a report titled “What’s the Deal? An FTC Study on Mobile Shopping Apps,” which examined three types of apps—price comparison apps, deal apps, and in-store purchase apps. FTC staff reviewed 121 of the most downloaded mobile shopping apps on Google Play and the iTunes App Store to evaluate the information presented to consumers before they download and use an app. Generally, the FTC found that most shopping apps provide insufficient information for consumers to make educated decisions. A brief overview of the FTC’s findings and recommendations is below. Companies that offer mobile shopping apps should assess their existing disclosures in light of these recommendations.
1) Companies should disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions.
In-store purchase apps generally work in one of two ways. If they use the “pass-through” payments model, charges are passed directly through the app to a consumer’s payment method. Consumers who use this type of app should be afforded the same statutory and contractual protections as if they used a physical card. Of the 30 in-store purchase apps that the FTC examined, the majority did not disclose their policies on dispute resolution and liability limits in their pre-download information. Four disclaimed all liability.
The second type of in-store purchase app uses the “stored value” model, which requires users to transfer money into an account maintained by the app provider. Charges are deducted from the account when the app is used. Under this model, consumers may not have the same statutory and contractual protections as when they use their physical cards, and only three of the eight stored value apps offered consumers any protections in cases of unauthorized transactions.
In response to these findings, FTC staff concluded that it can be very difficult for consumers to determine whether a given app is a pass-through app or a stored value app; sometimes that information is not even available prior to download. The FTC therefore recommends that companies clearly disclose what payment method their app uses and whether they offer consumers protection in the case of a fraudulent or erroneous charge.
2) Companies should clearly describe how they collect, use, and share consumer data.
To evaluate this issue, FTC staff examined the apps’ privacy policies. The majority of apps had a privacy policy, and almost every policy described the personal information, including financial account data, that an app might collect. Nearly all of the policies included broad and vague statements regarding how the data would be used. Similarly, most of the policies reserved broad rights to share consumers’ data. The FTC recommends that companies move away from such broad and vague descriptions and instead provide consumers with clear information regarding their data practices so that consumers can compare different apps and make informed decisions about what app to use.
3) Companies should ensure data security promises translate into sound data security practices.
FTC staff found that over 80% of the reviewed privacy policies promised that the app providers took steps to secure consumer data, such as technical, organizational, and/or physical safeguards. Policies also contained language claiming their app was “more secure than a bank” or “even safer than writing a check or using a credit card.” The staff did not test the services to verify these promises; however, the FTC has provided security standards for mobile apps in both enforcement actions and business guidance materials. The FTC re-emphasized (consistent with prior advice and enforcement proceedings) that companies should ensure that they honor any representations about security that they make to consumers.