Last week at the IAPP Global Privacy Summit, Federal Trade Commission Chair Edith Ramirez spoke on how, under her watch, the Commission intends to focus on regulating the mobile space going forward. True to her word, the FTC continues its laser-focus on all things mobile. We previously blogged on this mobile concentration through FTC guidance (the FTC’s best practice guidelines for the mobile industry), enforcement (a recent settlement with Path, a mobile social network app), and education (instructional materials for consumers using mobile apps and the businesses that market them).
Now, following an April 2012 workshop on mobile payments, the Commission has released a Mobile Payments Staff Report: “Paper, Plastic of Mobile? An FTC Workshop on Mobile Payments,” (the “Report”) which focuses on three significant consumer protection concerns for mobile payments: dispute resolution, data security and privacy. According to the Commission, the variety of industries involved in the mobile payment space – which includes banks, merchants, payment card networks, mobile carriers, operating system manufacturers, application providers, and coupon and loyalty program administrators – increases potential privacy and data security risks and creates dispute resolution challenges for consumers making mobile payments.
The Report notes that dispute resolution, associated with fraudulent or unauthorized mobile charges, represents significant challenges for consumers because of the variety of methods that can be used to make mobile payments. Mobile payment platforms typically allow consumers to pay with a credit or debit card, bank account or mobile phone account. However, consumer’s dispute resolution rights vary significantly with each payment type. To address these differences, the FTC advises that companies in the mobile payment space should develop clear policies regarding fraudulent and unauthorized charges and to convey these policies to consumers clearly. Moreover, policy makers should consider the need for additional protections to consumers using mobile payments and weigh those benefits against the cost of implementation.
In the Report, the FTC acknowledges that many consumers are not using mobile payments because they are concerned about the security of their sensitive financial information and to address this, companies should employ security technologies including: (i) encryption of financial information throughout the entire payment chain; (ii) use of unique payment information for each transaction, referred to as “dynamic data authentication;” and (iii) storage of payment information on a “secure element that is separate from the rest of a phone’s memory” to prevent hackers from procuring the information. The Commission further notes that consumers should also take proactive steps to secure their sensitive information, such as using a password to unlock their phone and a second password to use payment apps.
Finally, Staff recognizes that privacy is a significant concern in the mobile space because of the multitude of different players that will have access to consumer financial information, and because of the vast array of personal information that is contained on a mobile device. In light of these privacy concerns, the Commission noted that the three major privacy principles of the FTC’s March 2012 Privacy Report – privacy by design, simplified notice and choice and greater transparency about the collection and use of data – apply to companies in the mobile arena. Thus, all companies in this space should carefully consider these principles while designing their mobile payment applications and in their notices and disclosures to consumers.
This Report is yet another development in the ever evolving mobile regulatory landscape. As more and more consumers and businesses rely on their mobile devices for purchases and payments, we expect the attention of federal and state regulators on mobile privacy and security issues to expand. Companies that wish to build consumer trust and avoid regulatory pitfalls should carefully review this Report.