Ad Law Access
Updates on advertising law and privacy law trends, issues, and developments
Tue, 14 Nov 2023 23:56:14 -0500

Google to Refund at Least $19 Million Over Kids’ In-App Purchases
Mon, 08 Sep 2014 11:52:35 -0400

On September 4, 2014, the FTC announced a settlement with Google Inc., which requires the search giant to pay at least $19 million in refunds to consumers that the Commission alleges were billed for unauthorized in-app charges incurred by kids. The settlement follows a similar settlement in January with Apple (which required Apple to pay a minimum of $32.5 million in refunds), and a recent complaint filed by the FTC in federal court against Amazon.

The FTC’s complaint against Google alleges that the company offered free and paid apps through its Play store. Many of these apps are rated for kids and offer “in-app purchases” ranging from $0.99 to $200, which can be incurred in unlimited amounts. The FTC alleges that many apps invite children to obtain virtual items in a context that blurs the line between what costs virtual currency and what costs real money.

At the time Google introduced in-app charges in March 2011, users were notified of an in-app charge with a popup containing information about the virtual item and the amount of the charge. A child, however, could clear the popup simply by pressing a button labeled “CONTINUE.” In many instances, once a user had cleared the popup, Google did not request any further action before billing the account holder for the corresponding in-app charge.

It was not until mid- to late-2012 that Google began requiring password entry in connection with in-app charges. The complaint alleges, however, that once a password was entered, it was stored for 30 minutes, allowing a user to incur unlimited in-app charges during that time period. Regardless of the number or amount of charges incurred, Google did not prompt for additional password entry during this 30-minute period.

Google controls the billing process for these in-app charges and retains 30 percent of all revenue. For all apps, account holders can associate their Google accounts with certain payment mechanisms, such as a credit card, gift card, or mobile phone billing. The complaint highlights that Google received thousands of complaints related to unauthorized in-app charges by children and that unauthorized in-app purchases were the leading cause of chargebacks to consumers.

The FTC alleges that Google’s billing practices were unfair and violated Section 5 of the FTC Act. Under the terms of the proposed settlement order, Google must pay at least $19 million in refunds to consumers. Google is also required to obtain the “prior express, affirmative consent of the account holder” before billing a consumer for an in-app charge.

In instances where consent is sought for a specific in-app charge, the settlement requires Google to clearly and conspicuously disclose: (1) the in-app activity associated with the charge; (2) the specific amount of the charge; and (3) the account that will be billed for the charge. In addition, if consent is sought for potential future in-app charges, Google must clearly and conspicuously disclose: (1) the scope of the charges for which consent is sought, including the duration, devices, and apps to which consent applies; (2) the account that will be billed for the charge; and (3) the method(s) through which the account holder can revoke or otherwise modify the scope of consent.

The settlement with Google is a good reminder that app developers and mobile platforms should continue to review their advertising, marketing, and game experience (as well as consumer complaints), and determine whether existing disclosures may benefit from disclosure and process enhancements in line with the terms set forth in this latest settlement.

FTC Files Suit Against Amazon Over Kids’ In-App Purchases
Mon, 14 Jul 2014 09:45:17 -0400

On July 10, 2014, the FTC filed a complaint in federal court alleging that Amazon unlawfully billed parents and other Amazon account holders for unauthorized in-app charges incurred by kids. The complaint follows a similar FTC settlement with Apple and a similar class action lawsuit against Google.

The FTC’s complaint alleges that Amazon offers free and paid apps through its App store, many of which are rated for kids and allow in-app charges ranging from $0.99 to $99.99. Amazon controls the billing process for these in-app charges and retains 30 percent of all in-app revenue. For all apps, Amazon requires its users to link their mobile device to an Amazon account, which is funded by a credit card or Amazon gift card.

At the time Amazon introduced in-app charges to the App store in November 2011, users were notified of an in-app charge with a pop-up containing information about the app virtual item identified for purchase and the amount of the charge. The FTC asserts, however, that a child user could clear the pop-up notification by pressing the “Get Item” button. Once the user clears the pop-up, the FTC asserts that Amazon did not request further action before billing users’ accounts.

The complaint highlights internal communications among Amazon employees from December 2011 noting that unlimited in-app charges without requiring a password were causing problems for a large percentage of its customers. According to the complaint, in March 2012, Amazon updated its in-app charge system to require a password for any single in-app charge over $20, but continued allowing an unlimited number of lesser in-app purchases with no password.

In early 2013, Amazon implemented further updates to require a password entry for all in-app charges. The complaint alleges, however, that once the password was entered, the password was stored from 15 minutes up to one hour, allowing the user to incur unlimited in-app charges during that time period.

The complaint contends that Amazon received thousands of consumer complaints relating to unauthorized in-app purchases by kids, amounting to millions of dollars of charges. Amazon, however, has an express policy stating that all in-app charges are final. To the extent that parents sought an exception from the policy, the FTC’s complaint states that Amazon’s refund process is unclear and confusing.

The FTC alleges that Amazon’s billing practices were unfair and violated Section 5 of the FTC Act. The complaint seeks a permanent injunction to prevent future violations of the FTC Act, a court order to refund users for the unauthorized charges, and the costs of the action.

California Releases Guidance on DNT Disclosures for Privacy Policies
Thu, 22 May 2014 13:41:06 -0400

Yesterday, California Attorney General Kamala Harris released much-anticipated guidance providing website and mobile app operators recommended best practices when disclosing how the operator responds to Do Not Track (“DNT”) signals in its online privacy policy.

The guidance, “Making Your Privacy Practices Public,” is intended to help companies comply with recent revisions to the California Online Privacy Protection Act (“CalOPPA”), which requires that each privacy policy disclose how the website operator responds to mechanisms, such as DNT signals, that provide consumers with the ability to exercise choice regarding the collection of personally identifiable information (“PII”) over time and across third-party websites. In addition to best practices on DNT signals, the guidance also provides general recommendations to make privacy policies “more effective and meaningful” to consumers.

The guidance provides the following 10 key recommendations:

  1. Scope of Policy: A privacy policy should explain whether it covers online or offline data collection, or both, and to what entities it applies.
  2. Availability: A conspicuous link to the privacy policy should be provided on the homepage of the website, and every webpage where PII is collected. For mobile apps, the link should be provided both on the app’s platform page and within the app.
  3. Readability: Privacy policies should be written in plain, straightforward language that is meaningful to, and can easily be understood by consumers. For smaller screens, such as privacy policies read through mobile apps, the guidance suggests using a layered format that highlights the most relevant privacy issues.
  4. Data Collection: Privacy policies should describe how PII is collected (including through the use of cookies or web beacons) and the kind of PII collected. Any collection of information from children under the age of 13 should comply with COPPA.
  5. Do Not Track: Privacy policies should have a clearly identified section which describes the policy regarding online tracking. A header, such as “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures,” can be used to call out the specific section. In addition, privacy policies should describe how the website responds to a browser’s DNT signal or similar mechanism. The guidance recommends describing this information in the privacy policy itself, rather than linking to a related program or protocol that offers consumers a choice about online tracking.
  6. Data Use and Sharing: Privacy policies should explain how PII is used and shared with other entities, including affiliates and marketing partners, and provide a link to the privacy policies of such third parties.
  7. Individual Choice and Access: Privacy policies should describe the choices a consumer has regarding the collection, use, and sharing of his or her personal information.
  8. Security Safeguards: Privacy policies should explain how the website or app operators protect consumers’ PII from unauthorized or illegal access.
  9. Effective Date: The effective date of the privacy policy should be provided, and the privacy policy should explain how consumers will be notified about material changes.
  10. Accountability: Contact information should also be provided in case consumers have questions or concerns about the privacy policy or practices.

Snapchat Captured in FTC Enforcement
Sun, 11 May 2014 14:00:16 -0400

On May 8, 2014, the FTC announced a settlement with Snapchat resolving allegations that the popular mobile messaging app deceived consumers over the disappearing nature of users’ “snaps” and made false and misleading representations concerning its privacy and information security practices. The FTC took issue with several of Snapchat’s practices and representations:
  • Disappearing “Snaps” – Snapchat represents to users that their snaps (i.e., photos and videos) will “disappear forever” after the user-set time period expires, thereby ensuring users’ privacy and safeguarding against data collection. According to the FTC’s complaint, however, recipients could circumvent the settings to save or access the snaps in a number of ways. For example, recipients could open Snapchat messages in third-party apps, take a screen shot of the snaps on an iPhone, or access videos by connecting their mobile device to a computer and retrieving the files through the device directory. The complaint alleges that these types of workarounds were highly publicized.
  • Misrepresenting Data Collection Practices – Snapchat’s privacy policy represented to users that the app did not access or track users’ geolocation information. The FTC complaint asserts that in October 2012, Snapchat integrated an analytics tracking service in the Android system, which transmitted Wi-Fi based and cell-based location information from users’ mobile devices. Snapchat continued representing in the privacy policy that it did not collect or use geolocation information until February 2013. In addition, the app allows users to “Find Friends” by entering their mobile number or by accessing the Find Friends feature in the app’s menu options. The privacy policy implied that the user’s mobile phone number was the only information Snapchat collected to find the user’s friends. The FTC contends, however, that when the user chose to Find Friends, Snapchat also collected the names and phone numbers of all the contacts in users’ address books.
  • Security Design Flaws – The FTC complaint alleges that Snapchat failed to securely design its Find Friends feature by failing to verify the phone number of the user upon registration. In such a case, an individual could create an account using a phone number belonging to another consumer. The FTC contends that Snapchat received a number of complaints that users’ snaps were being sent to strangers who had registered with friends’ numbers, or that their phone number had been used to send inappropriate or offensive snaps. In addition, Snapchat represents in its privacy policy that it takes “reasonable steps” or “reasonable measures” to protect users’ information. The FTC asserts, however, that Snapchat failed to implement any restrictions on serial and automated account creation, which allowed attackers to create multiple accounts and send millions of Find Friends requests using randomly generated phone numbers. According to the complaint, the attackers were able to compile a database of 4.6 million Snapchat usernames and associated mobile phone numbers.

The FTC’s proposed consent order prohibits Snapchat from misrepresenting: (1) the extent to which a message is deleted after being viewed by the recipient; (2) the extent to which the company or its products or services are capable of detecting or notifying the sender when a recipient has captured a screenshot of, or otherwise saved, a message; (3) the categories of covered information collected; or (4) the steps taken to protect against misuse or unauthorized disclosure of covered information.

Although the FTC’s order does not include any monetary remedy, Snapchat must comply with a 20-year FTC administrative order. This means that if the company violates a term of its settlement agreement with the FTC, it can be liable for a civil penalty of up to $16,000 for each violation, which the FTC can construe as each day of non-compliance. The settlement is a continued reminder that the FTC remains focused on protecting the privacy of consumers and will closely scrutinize companies’ practices as they relate to the handling and security of consumers’ personal information.

Mobile Enforcement Continues to be APPealing to the FTC
Wed, 02 Apr 2014 20:54:05 -0400

On March 28, 2014, the FTC announced two new mobile app settlements – with Fandango and Credit Karma – based on allegations that the companies failed to secure the transmission of consumers’ sensitive personal information collected via their mobile apps and misrepresented the security precautions that the companies took for each app.

Specifically, the FTC alleged that Fandango and Credit Karma disabled the SSL (Secure Sockets Layer) certificate validation procedure for each of their mobile apps. By doing so, the FTC claims, the companies left the apps open to “man-in-the-middle” attacks, in which an attacker positions itself between the app and the online service by presenting an invalid SSL certificate to the app. The FTC contends that Fandango and Credit Karma engaged in a number of practices that, when taken together, failed to provide reasonable and appropriate security in the development and maintenance of their mobile apps, including:

  • Overriding the default SSL certificate validation settings provided by the iOS and Android application programming interfaces (APIs) without implementing other security measures to compensate for the lack of SSL certificate validation;
  • Failing to appropriately test, audit, assess, or review the apps, including failing to ensure that the transmission of sensitive personal information was secure;
  • Failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties (Fandango only); and
  • Failing to reasonably and appropriately oversee its service providers’ security practice (Credit Karma only).

The FTC also asserts that the companies made deceptive privacy and security representations, including representations made within the apps themselves.

As mobile privacy and security continue to be at the forefront of the FTC’s enforcement priorities, companies should keep abreast of developments in this area and regularly evaluate their mobile products and services. Stay tuned for a Kelley Drye client advisory discussing the enforcement trends for mobile and “red flags” that companies should watch out for.

Lawsuit Filed Against Google Over Kids’ In-App Purchases
Wed, 12 Mar 2014 08:51:39 -0400

A class action lawsuit was filed last week in California against Google Inc., alleging that many apps in Google’s app marketplace permit children to make virtual purchases within the game without a parent’s knowledge or consent.

The complaint alleges that Google offers free and paid apps through its “Google Play” store, and that many are targeted at children. Although some of the apps may be downloaded for free, the complaint further alleges that many allow the user to make in-app purchases (e.g., virtual supplies, ammunition, food, and fake “currency”), and that these games are “highly addictive,” and “tend to compel” children playing them to make large in-app purchases, including charges of $100 or more.

For all apps, Google requires its users to authenticate their accounts by entering a password prior to downloading an app or making an in-app purchase. The complaint alleges that once the password is entered, Google permits the user to make in-app purchases for up to 30 minutes without reentering the password. According to the complaint, this window of time allows minors to make large in-app purchases, without the knowledge or authorization of the parents. Google then automatically charges the customers’ credit or debit cards or PayPal accounts for the in-app purchase, through its online “Google Wallet.”

The lawsuit comes on the heels of the FTC settlement with Apple, which requires Apple to pay at least $32.5 million in refunds to consumers (for a more detailed assessment of the Apple settlement, please click here). Apple also settled a similar class action lawsuit in February 2013.

These recent developments are a good reminder for online platforms, app developers, and app providers to continue reviewing applicable advertising, marketing, and in-app purchases and experiences. We will continue to closely track these litigation and regulatory developments, and update this blog accordingly.

Insights from Kelley Drye's 4th Annual Privacy Seminar
Wed, 22 Feb 2012 17:53:55 -0500

On February 16, 2012, Kelley Drye & Warren LLP hosted the seminar and audiocast, “Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends.” The seminar highlighted regulatory and legislative developments in privacy and information security during the past year, with an emphasis on children's online privacy and mobile applications.

Peter Swire, a professor at The Ohio State University Michael E. Moritz College of Law and a Senior Fellow with the Center for American Progress, opened the seminar with a keynote address that gave historical context to the most recent regulatory efforts addressing consumer privacy. Professor Swire’s remarks were followed by two panel sessions that included six experts representing key industry representatives and the federal agencies integral to recent privacy initiatives. The first panel discussed children's online privacy and the Federal Trade Commission’s proposed revisions to the Children's Online Privacy Protection Rule. The second panel discussed various consumer privacy enforcement and regulatory initiatives relating to mobile apps.

For more on the seminar, including a synopsis of key takeaways, see the Kelley Drye client advisory. An audio recording of the full program is also available.

5 Privacy Tips for Location-Based Services
Mon, 30 Jan 2012 13:42:20 -0500

The year 2012 is certain to reflect U.S. consumers’ continued love affair with sophisticated smartphones and tablets. One of the driving forces in the popularity of these devices is their ability to run mobile apps using wireless location-based services (LBS). Among other benefits, LBS allow access to real-time and historical location information online – whether to facilitate a social interaction or event, play games, house-hunt or engage in many other activities.

However, with these benefits also come privacy risks. And it is not uncommon for some popular LBS-enabled tools to lack clear disclosure about personal information collection, how that data is used, and the process for consumer consent.

Our article posted recently on Mashable, "5 Privacy Tips for Location-Based Services," discusses several privacy "do's and don'ts" for designing mobile apps.

For a more in-depth discussion of these issues, plus other privacy law trends, join us on February 16 for Kelley Drye’s seminar and teleconference, “Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends.”

Join us Feb. 16 for "Privacy in 2012" Seminar and Teleconference
Wed, 25 Jan 2012 10:39:07 -0500

Changes to privacy regulations, such as proposed revisions to the Children's Online Privacy Protection Act (COPPA), and continuously evolving technologies, including mobile apps with location-based services, can make it difficult for businesses to ensure their privacy practices are up to par.

On February 16, Kelley Drye will gather government leaders from the FTC and FCC, and thought leaders in the industry, for a discussion about new regulations, enforcement trends, and best practices to avoid consumer privacy risks. Please join us for "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends."

Email [email protected] to register for the live seminar or teleconference.


Peter Swire, Professor of Law, Ohio State University; former Clinton Administration Chief Counselor for Privacy, U.S. Office of Management and Budget


Ellen Blackler, Vice President - Global Public Policy, The Walt Disney Company

Mamie Kresses, Senior Attorney, Division of Advertising Practices, Federal Trade Commission

Saira Nayak, Director of Policy, TRUSTe

Moderated by partners Dana Rosenfeld and Alysa Hutnik of Kelley Drye & Warren LLP


Michael Altschul, Senior Vice President and General Counsel, CTIA

Jessica Rich, Associate Director, Division of Financial Practices, Federal Trade Commission

Jennifer Tatel, Associate General Counsel, Federal Communications Commission (invited)

Moderated by partners John Heitmann and Gonzalo Mon of Kelley Drye & Warren LLP

February 16, 2012, 2:30 PM - 5:30 PM EST

Kelley Drye & Warren LLP
3050 K Street, NW, Suite 400
Washington, DC 20007-5108

And via audio webcast

Email dce[email protected] or contact Cassidy Russell at 202.342.8400.

This seminar is free of charge, but space is limited. Reserve your place today.

CLE and CPE credit may be available in certain jurisdictions.