FTC Recommends Consumer Protections for Mobile Payment Industry

by Wilson Sonsini Goodrich & Rosati

The Federal Trade Commission (FTC) has released a staff report on mobile payments, which identifies and makes recommendations for three key issues in the mobile payment industry that the FTC believes present consumer protection concerns: dispute resolution, data security, and privacy.1 The March 2013 report follows an April 2012 mobile payment workshop that was convened by the FTC and attended by mobile payment companies, credit card companies, and consumer advocates.

The report signals the FTC's increased focus on the mobile payment sector, which the FTC attributes to its commitment to ensure consumer protections keep pace with newer technologies and business models. The FTC examined various technologies and practices involved in the mobile payment ecosystem for the purposes of the report, including Near Field Communication (NFC) technologies, mobile apps, online checkout wallets, and mobile carrier billing.

Dispute Resolution

The FTC expressed strong concerns about how users of mobile payments can resolve disputes in the case of fraudulent payments or unauthorized charges. The report observes that consumer protections can vary greatly depending on the underlying funding source utilized by a mobile payment service and consumers remain largely unaware of this variation. For example, mobile payment services may link to a consumer's credit card, debit card, bank account, or mobile phone account as payment sources. The report highlights that while there are federal statutes protecting consumers from unauthorized credit card and debit card transactions,2 similar federal statutes do not exist with respect to pre-funded accounts, stored-value cards (such as gift cards, general purpose reloadable cards (GPR), and pre-paid debit cards), or mobile carrier bills.

With respect to GPRs, the report explains that there are currently no federal statutes that protect consumers from unauthorized charges other than the FTC Act, which prohibits unfair and deceptive acts or practices in or affecting commerce.3 However, the Consumer Financial Protection Bureau (CFPB) is considering whether to extend certain statutory protections to cover GPRs.4 The report describes a comment filed by the FTC to the CFPB in support of extending to GPRs the protections currently applicable to other types of payment cards, namely liability limits, disclosure requirements for fees and expiration dates, error resolution procedures, and authorization standards for recurring payments.5

In the report, the FTC applauds mobile payment service providers that have, through their agreements with consumers, offered certain consumer protections for payment disputes. The report recommends that providers develop clear policies regarding fraudulent and unauthorized charges and clearly convey these policies to consumers in order to assist them in determining whether to pay using a mobile device, and if so, which mobile payment service and funding system to use. However, the report also expressed concerns that these voluntary consumer protections can be withdrawn or modified by providers. The FTC recommended that, should these protections turn out to be insufficient, policymakers weigh the benefits of providing consistent consumer protection across mobile payment service providers with the costs of implementing consistent consumer protection.

Carrier Billing Dispute Resolution

The report identifies special dispute resolution issues with mobile carrier billing, which is the practice of charging payments directly to mobile phone bills. The FTC expressed concern that the practice of third parties placing fraudulent charges onto consumers' phone bills, known as "cramming," is on the rise. If allowed to proliferate, the report predicts that cramming could undermine mobile carrier billing as a legitimate and trusted payment option.

According to the FTC, outside of the FTC statute prohibiting unfair and deceptive acts and practices, there are no federal statutes that govern consumer disputes involving fraudulent or disputed transactions placed on their mobile phone bills. When disputes arise, consumers' recourse is their agreements with or the goodwill of mobile carriers. In a comment to the Federal Communications Commission (FCC) that is cited in the report, the FTC recommended that consumers receive statutory or regulatory protection from crammed charges that appear on their mobile phone bill. The FTC recommended that:

  • consumers should have the ability to block all third-party charges on their mobile accounts, including on individual accounts operated by minors;
  • mobile carriers should clearly and prominently inform their customers that third-party charges may be placed on their accounts and explain how to block such charges at the time of account establishment and renewal; and
  • mobile carriers should establish a clear and consistent process for customers to dispute suspicious charges placed on their account and obtain reimbursement.6

The report also describes a number of other potential approaches that have been proposed to protect against mobile cramming and reveals that the FTC is in the process of organizing a roundtable for stakeholders in May 2013 to discuss the efficacy of current efforts to stop mobile cramming, the need for new approaches (whether voluntary, regulatory, or statutory), and the costs and benefits of any new approaches.7

Consumer Data Security

According to the report, both the FTC and consumers identify data security as another key concern with regard to mobile payments. The report notes that nearly 42 percent of U.S. consumers who have not made a mobile payment cited concerns about security as their primary reason for not doing so.8

The report expresses optimism regarding mobile payments' potential to increase data security for financial information over traditional payment systems. For example, mobile payment technology permits end-to-end encryption, while under the traditional payment system, financial data often is stored or transmitted unencrypted at some point during the payment process. Mobile payment systems also can use dynamic data authentication, which generates a unique set of payment information for each transaction, whereas credit card magnetic stripes contain static account information that can be used repeatedly for unauthorized transactions.

The report urges companies in the mobile payment chain to employ available technologies to adopt stronger security measures in order to avoid consumer harm, protect the reputation of the mobile payment industry, and comply with federal and state laws that impose data security requirements on businesses that collect and use financial information and other sensitive data.9 The FTC also encourages all stakeholders to raise consumer awareness about mobile payment security and outlines practical steps consumers can take to help secure their financial information.10

Consumer Privacy

Finally, the report expresses the FTC's concerns regarding privacy issues raised by two attributes of mobile payment systems that are not present with traditional payment systems. First, more companies typically are involved in a single mobile payment transaction than in traditional credit card transactions. In addition to the banks, merchants, and payment card networks involved in a traditional payment system, hardware and operating system manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators often are involved in a mobile payment system. Second, much more personal data, as well as purchase data, can be collected and consolidated by some or all of these companies than what typically is collected in traditional point-of-sale credit card transactions. The report acknowledges that while increased data collection and consolidation raise privacy issues, these activities also may provide consumers with potential benefits in the forms of more targeted advertising and less fraud.

The FTC stressed in the report that the consumer privacy recommendations set forth in the FTC's March 2012 staff report on privacy (FTC Privacy Report)11 apply equally to companies in the mobile payment marketplace. In short, the FTC Privacy Report's key recommendations are to (i) practice "privacy by design," which calls for companies to consider and address privacy at every stage of product development; (ii) provide simplified choices for businesses and consumers about data collection and use; and (iii) provide greater transparency about data practices. Given mobile devices' ability to store and transmit precise geolocation information and facilitate increased levels of data collection, the report emphasizes the need for companies in the mobile ecosystem to implement reasonable data collection and security practices in practicing "privacy by design." The report references a recent FTC workshop and report12 as resources for companies to understand how to provide greater transparency about data practices on mobile devices,13 but acknowledges that effective privacy disclosures may be further complicated by the many entities involved in the mobile payment marketplace.


The FTC has made clear through its recent report that it is monitoring the mobile payment space and is interested in strengthening consumer protection to address dispute resolution, data security, and privacy concerns. The FTC has been particularly active in the mobile space this past year, both in terms of policy recommendations and enforcement actions, and we expect this trend to continue. Companies involved in the mobile payment ecosystem should consider the FTC's recommendations and determine how to best implement reasonable data collection and security practices and weave "privacy by design" into their business practices.

Wilson Sonsini Goodrich & Rosati's attorneys routinely help clients manage risks relating to the collection, use, and disclosure of consumer data by mobile applications, along with attending to other rapidly changing domestic and international privacy and data security issues. For more information, please contact Lydia Parnes at lparnes@wsgr.com or (202) 973-8801; Tracy Shapiro at tshapiro@wsgr.com or (415) 518-9273; Matt Staples at mstaples@wsgr.com or (206) 883-2583; Sharon Lee at shlee@wsgr.com or (650) 849-3307; or any of the many members of our privacy and data security practice.

1 See FTC Workshop, "Paper, Plastic...or Mobile?: An FTC Workshop on Mobile Payments" (March 2013), staff report available at http://www.ftc.gov/opa/2013/03/mobilepymts.shtm.

2 In the report, the FTC notes that credit cards typically provide the highest level of statutory protection for unauthorized transactions, with debit cards providing a lesser level. Specifically, with credit cards, consumer liability for unauthorized use is limited to $50; in contrast, with debit cards, consumer liability for unauthorized transfers is limited to $50 if reported within two business days, $500 if reported within 60 days after the consumer's statement is mailed, and potentially unlimited thereafter.

3 5 U.S.C. § 45.

4 According to the report, addressing the lack of statutory protections related to general purpose reloadable cards is relevant to mobile payments because students and the underbanked are among the greatest users of such cards and more than 91 percent of such consumers have mobile phones.

5 See Comment of the Staff of the FTC Bureau of Consumer Protection in Consumer Financial Protection Bureau, Docket No. CFPB-2012-0019 (July 23, 2012), available at http://www.ftc.gov/os/2012/07/120730cfpbstaffcomment.pdf.

6 See Reply Comment of the Federal Trade Commission in Federal Communications Commission CG Docket No. 11-116 (July 20, 2012), available at http://www.ftc.gov/os/2012/07/120723crammingcomment.pdf.

7 Information about the proposed roundtable is available at http://www.ftc.gov/opa/2013/03/mobilecramming.shtm.

8 See Board of Governors of the Federal Reserve System, Consumers and Mobile Financial Services (March 2012), available at http://www.federalreserve.gov/econresdata/mobile-device-report-201203.pdf.

9 The FTC cites the following statutes as examples of laws that impose these data security requirements: (a) the FTC Safeguards Rule, 16 C.F.R. § 314.1, which requires financial institutions to implement reasonable security for financial information, and (b) California Civil Code § 1798.81.5, which requires businesses that own, license, or maintain personal information about California residents to maintain reasonable data security procedures and practices.

10 The report suggests educating consumers to set password protection for unlocking their phones, to set up a second password for payment apps, and to contact their mobile carriers immediately to disable their mobile phones and all payment apps.

11 The full FTC report, "Protecting Consumer Privacy in an Era of Rapid Change" (March 2012), is available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf. Please see the WSGR Alert discussing this report at http://www.wsgr.com/publications/PDFSearch/wsgralert-FTC-final-privacy-report.pdf.

12 See FTC Workshop, "In Short: Advertising and Privacy Disclosures in a Digital World" (May 30, 2012), transcript available at http://www.ftc.gov/bcp/workshops/inshort/index.shtml; FTC Staff Report, "Mobile Privacy Disclosures: Building Trust Through Transparency" (February 2013), available at http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf.

13 The report also notes that the U.S. Department of Commerce currently is addressing effective privacy disclosures on mobile devices in a multi-stakeholder process, as contemplated by the White House's privacy report that is available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.

