FTC Examines Pre-Download Consumer Disclosures of Mobile Shopping Applications; Makes Recommendations Applicable to All Consumer Data

by Davis Wright Tremaine LLP

Continuing its examination of consumer protection issues in the mobile payments sphere, on August 1, 2014, the FTC released a staff report examining the pre-download disclosures of mobile shopping applications to evaluate the information provided to consumers about: (1) their rights and protections in the event of a payment dispute; and (2) how their personal data will be collected, used, shared, and secured. The FTC found that only roughly half of the applications that it reviewed disclosed whether they had dispute resolution or liability limits prior to download. With respect to data practices, the FTC found that the majority of the applications made privacy policies available for review prior to download, but deemed the language of the policies to be vague and overbroad, “making it difficult for readers to understand how the apps actually used consumers’ information or to compare the apps’ data practices.” Accordingly, the FTC report calls for more information and greater transparency in pre-download mobile shopping app disclosures, and makes three key recommendations:

Recommendation 1: When offering consumers the ability to make payments through mobile devices, companies should disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions.

The FTC’s 2014 report expands on its 2013 mobile payments report, Paper, Plastic . . . or Mobile, with respect to the protections and liability available to consumers for mobile purchases based on how the purchases are funded and processed. In the 2013 mobile payments report, the FTC explained that if a consumer purchases an item via an app that places a charge directly on the consumer’s credit or debit card (i.e., a “pass-through” payment model), the consumer is protected by the liability limits that apply to physical credit and debit cards under federal law. If a consumer purchases an item via a stored value account, however, the statutory protections generally do not apply, and the consumer is limited to whatever contractual protections are provided, if any.

For its 2014 report, the FTC examined whether and to what extent mobile shopping apps explained the protections available to consumers in the event of a payment dispute in their pre-download disclosures. The FTC found that only 16 of the 30 in-store purchase apps that it reviewed provided pre-download disclosures addressing dispute resolution or limitation of liability policies, and only nine of those applications offered any written protections for users. The remaining seven apps disclaimed all liability for losses due to unauthorized or fraudulent transactions related to the use of the apps.

Moreover, the FTC considered the actual protections that may be available to users based on the payment models of the apps and funding sources and found that, in most cases, consumers may not be able to discern them. For example, the majority of apps reviewed employed a pass-through payment model, but the FTC found that most did not state in pre-download disclosures that users could receive the same statutory and contractual protections associated with their external funding sources used to pay for their purchases, and others expressly disclaimed all liability. Of the eight apps using stored value payment models, the FTC found that only three provided policies that offered consumers any protections.

Accordingly, the FTC report recommends that companies offering mobile shopping apps provide consumers with clear pre-download information about dispute resolution and liability limits, particularly if an app uses a stored value payment model that may afford consumers less protection. The FTC also notes that, based on the information that it reviewed, it may not be easy for consumers to determine whether an app uses a pass-through or stored value payment model, and cautions consumers to look specifically for apps “that tell them upfront how the payment service works and what they can do if they encounter a problem,” stating that if an app does not provide this information, “consumers should consider taking steps to minimize their liability by choosing a different payment app or funding such payments with low-dollar amounts.”

Recommendation 2: Companies should clearly describe how they collect, use, and share consumer data.

The FTC’s guidance here with respect to how data practices should be described in privacy policies goes well beyond mobile apps. This recommendation focuses on the general concept of “transparency,” which is a core principle of the FTC’s privacy initiatives and of any privacy program built upon the Fair Information Practice Principles. In short, the FTC advises companies that, while having a privacy policy is good, if the policy is written in terms that are too vague or overbroad, it does not achieve the goal of “enabl[ing] consumers to learn how, and for what purposes, companies collect, use, and share their data.” To make this point, the FTC identifies several statements that it deemed to be overly vague and/or broad in the mobile shopping app policies that it reviewed, including some that appear to be fairly common in privacy policies generally. For example:

  • Many of the privacy policies reviewed stated that personal data may be used to “enhance” or “improve” user experiences, without providing examples that may inform consumers of what the limits of those uses may be, or how they may go beyond what a consumer would reasonably expect.
  • Many of the privacy policies introduced sections describing how information may be shared with a general statement that the companies would not “sell or share” personal information “except as described” in the policy, followed by “vague language that reserved broad rights to share consumers’ data.”

The report also expresses a concern that if a company uses vague and broad language to describe its data practices in its privacy policy, its evaluation of whether it has a business need for the data being collected may be similarly vague and broad, resulting in unnecessary and excessive data collection. To this end, the FTC reminds companies to “build in privacy at every stage of product development” and organizational practices, i.e., to implement Privacy by Design, as described in its March 2012 Privacy Report.

Recommendation 3: Companies should ensure that their strong data security promises translate into strong data security practices.

The FTC’s report notes that many of the privacy policies that it reviewed assure consumers that the companies implement “technical,” “organizational,” and/or “physical” safeguards to protect their data, using general references to “reasonable” and “industry standard” measures, and more specific references to the use of encryption or SSL technology. The FTC did not test the data security practices of the mobile shopping apps that it reviewed, so the report does not dispute the security assurances made. The report simply reminds companies that the FTC has “addressed reasonable and appropriate security standards for mobile apps through both enforcement actions and business guidance materials,” and that companies are accountable to consumers for any security promises made in their privacy policies. Indeed, in addition to bringing enforcement actions against companies that allegedly fail to provide data security promised in consumer notices under the “deceptive acts and practices” prong of Section 5 of the FTC Act, in the Wyndham case, a federal court recently confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices under the unfairness prong of Section 5. Wyndham’s petition to the U.S. Court of Appeals for the Third Circuit seeking to challenge this ruling in an interlocutory appeal has been granted.


Although issued in the context of reviewing the pre-download disclosures of mobile shopping applications, the findings in the FTC’s report with respect to data practices, and the description of those practices, are general in application. Accordingly, the report is ultimately an instruction to all companies collecting consumer data to “do a better job of considering reasonable data collection and use limitations and describing those activities clearly to consumers.” The FTC also urges providers of mobile shopping applications to do a better job of disclosing dispute resolution and liability limit information to users, and cautions consumers that if they cannot see information about how an app’s payment system works in pre-download disclosures, or how their information may be collected, used, and shared, they should consider minimizing “their exposure by limiting the personal and financial data they provide, or by choosing a different app.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
