The FTC’s complaint against Google alleges that the company offered free and paid apps through its Play store. Many of these apps are rated for kids and offer “in-app purchases” ranging from $0.99 to $200, which can be incurred in unlimited amounts. The FTC alleges that many apps invite children to obtain virtual items in a context that blurs the line between what costs virtual currency and what costs real money.
At the time Google introduced in-app charges in March 2011, users were notified of an in-app charge with a popup containing information about the virtual item and the amount of the charge. A child, however, could clear the popup simply by pressing a button labeled “CONTINUE.” In many instances, once a user had cleared the popup, Google did not request any further action before billing the account holder for the corresponding in-app charge.
It was not until mid- to late-2012 that Google began requiring password entry in connection with in-app charges. The complaint alleges, however, that once a password was entered, it was stored for 30 minutes, allowing a user to incur unlimited in-app charges during that time period. Regardless of the number or amount of charges incurred, Google did not prompt for additional password entry during this 30-minute period.
Google controls the billing process for these in-app charges and retains 30 percent of all revenue. For all apps, account holders can associate their Google accounts with certain payment mechanisms, such as a credit card, gift card, or mobile phone billing. The complaint highlights that Google received thousands of complaints related to unauthorized in-app charges by children and that unauthorized in-app purchases were the leading cause of chargebacks to consumers.
The FTC alleges that Google’s billing practices were unfair and violated Section 5 of the FTC Act. Under the terms of the proposed settlement order, Google must pay at least $19 million in refunds to consumers. Google is also required to obtain the “prior express, affirmative consent of the account holder” before billing a consumer for an in-app charge.
In instances where consent is sought for a specific in-app charge, the settlement requires Google to clearly and conspicuously disclose: (1) the in-app activity associated with the charge; (2) the specific amount of the charge; and (3) the account that will be billed for the charge. In addition, if consent is sought for potential future in-app charges, Google must clearly and conspicuously disclose: (1) the scope of the charges for which consent is sought, including the duration, devices, and apps to which consent applies; (2) the account that will be billed for the charge; and (3) the method(s) through which the account holder can revoke or otherwise modify the scope of consent.
The settlement with Google is a good reminder that app developers and mobile platforms should continue to review their advertising, marketing, and game experience (as well as consumer complaints), and determine whether existing disclosures may benefit from disclosure and process enhancements in line with the terms set forth in this latest settlement.
The FTC’s complaint alleges that Amazon offers free and paid apps through its App store, many of which are rated for kids and allow in-app charges ranging from $0.99 to $99.99. Amazon controls the billing process for these in-app charges and retains 30 percent of all in-app revenue. For all apps, Amazon requires its users to link their mobile device to an Amazon account, which is funded by a credit card or Amazon gift card.
At the time Amazon introduced in-app charges to the App store in November 2011, users were notified of an in-app charge with a pop-up containing information about the app virtual item identified for purchase and the amount of the charge. The FTC asserts, however, that a child user could clear the pop-up notification by pressing the “Get Item” button. Once the user clears the pop-up, the FTC asserts that Amazon did not request further action before billing users’ accounts.
The complaint highlights internal communications among Amazon employees from December 2011 noting that unlimited in-app charges without requiring a password were causing problems for a large percentage of its customers. According to the complaint, in March 2012, Amazon updated its in-app charge system to require a password for any single in-app charge over $20, but continued allowing an unlimited number of lesser in-app purchases with no password.
In early 2013, Amazon implemented further updates to require a password entry for all in-app charges. The complaint alleges, however, that once the password was entered, the password was stored from 15 minutes up to one hour, allowing the user to incur unlimited in-app charges during that time period.
The complaint contends that Amazon received thousands of consumer complaints relating to unauthorized in-app purchases by kids, amounting to millions of dollars of charges. Amazon, however, has an express policy stating that all in-app charges are final. To the extent that parents sought an exception from the policy, the FTC’s complaint states that Amazon’s refund process is unclear and confusing.
The FTC alleges that Amazon’s billing practices were unfair and violated Section 5 of the FTC Act. The complaint seeks a permanent injunction to prevent future violations of the FTC Act, a court order to refund users for the unauthorized charges, and the costs of the action.
The guidance, “Making Your Privacy Practices Public,” is intended to help companies comply with recent revisions to the California Online Privacy Protection Act (“CalOPPA”), which requires that each privacy policy disclose how the website operator responds to mechanisms, such as DNT signals, that provide consumers with the ability to exercise choice regarding the collection of personally identifiable information (“PII”) over time and across third-party websites. In addition to best practices on DNT signals, the guidance also provides general recommendations to make privacy policies “more effective and meaningful” to consumers.
The guidance provides the following 10 key recommendations:
Although the FTC’s order does not include any monetary remedy, Snapchat must comply with a 20-year FTC administrative order. This means that if the company violates a term of its settlement agreement with the FTC, it can be liable for a civil penalty of up to $16,000 for each violation, which the FTC can construe as each day of non-compliance. The settlement is a continued reminder that the FTC remains focused on protecting the privacy of consumers and will closely scrutinize companies’ practices as they relate to the handling and security of consumers’ personal information.
Specifically, the FTC alleged that Fandango and Credit Karma disabled the SSL (Secure Sockets Layer) certificate validation procedure for each of their mobile apps. By doing so, the FTC claims that the apps were open to attackers positioning themselves between the app and the online service by presenting an invalid SSL certificate to the app – i.e., “man-in-the-middle” attacks. The FTC contends that Fandango and Credit Karma engaged in a number of practices that, when taken together, failed to provide reasonable and appropriate security in the development and maintenance of their mobile apps, including:
As mobile privacy and security continue to be at the forefront of the FTC’s enforcement priorities, companies should keep abreast of developments in this area and regularly evaluate their mobile products and services. Stay tuned for a Kelley Drye client advisory discussing the enforcement trends for mobile and “red flags” that companies should watch out for.
The complaint alleges that Google offers free and paid apps through its “Google Play” store, and that many are targeted at children. Although some of the apps may be downloaded for free, the complaint further alleges that many allow the user to make in-app purchases (e.g., virtual supplies, ammunition, food, and fake “currency”), and that these games are “highly addictive,” and “tend to compel” children playing them to make large in-app purchases, including charges of $100 or more.
For all apps, Google requires its users to authenticate their accounts by entering a password prior to downloading an app or making an in-app purchase. The complaint alleges that once the password is entered, Google permits the user to make in-app purchases for up to 30 minutes without reentering the password. According to the complaint, this window of time allows minors to make large in-app purchases, without the knowledge or authorization of the parents. Google then automatically charges the customers’ credit or debit cards or PayPal accounts for the in-app purchase, through its online “Google Wallet.”
The lawsuit comes on the heels of the FTC settlement with Apple, which requires Apple to pay at least $32.5 million in refunds to consumers. Apple also settled a similar class action lawsuit in February 2013.
These recent developments are a good reminder for online platforms, app developers, and app providers to continue reviewing applicable advertising, marketing, and in-app purchases and experiences. We will continue to closely track these litigation and regulatory developments, and update this blog accordingly.
Peter Swire, a professor at The Ohio State University Michael E. Moritz College of Law and a Senior Fellow with the Center for American Progress, opened the seminar with a keynote address that gave historical context to the most recent regulatory efforts addressing consumer privacy. Professor Swire’s remarks were followed by two panel sessions that included six experts representing key industry representatives and the federal agencies integral to recent privacy initiatives. The first panel discussed children's online privacy and the Federal Trade Commission’s proposed revisions to the Children's Online Privacy Protection Rule. The second panel discussed various consumer privacy enforcement and regulatory initiatives relating to mobile apps.
For more on the seminar, including a synopsis of key takeaways, see the Kelley Drye client advisory. An audio recording of the full program is also available.
However, with these benefits also come privacy risks. And it is not uncommon for some popular LBS-enabled tools to lack clear disclosure about personal information collection, how that data is used, and the process for consumer consent.
Our article posted recently on Mashable, "5 Privacy Tips for Location-Based Services," discusses several privacy "do's and don'ts" for designing mobile apps.
For a more in-depth discussion of these issues, plus other privacy law trends, join us on February 16 for Kelley Drye’s seminar and teleconference, “Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends.”
On February 16, Kelley Drye will gather government leaders from the FTC and FCC, and thought leaders in the industry, for a discussion about new regulations, enforcement trends, and best practices to avoid consumer privacy risks. Please join us for "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends."
Email [email protected] to register for the live seminar or teleconference.
KEYNOTE SPEAKER
Peter Swire, Professor of Law, Ohio State University; former Clinton Administration Chief Counselor for Privacy, U.S. Office of Management and Budget
PANEL 1: COPING WITH COPPA: CHILDREN'S PRIVACY AND PROPOSED REVISIONS TO THE COPPA RULE
Ellen Blackler, Vice President - Global Public Policy, The Walt Disney Company
Mamie Kresses, Senior Attorney, Division of Advertising Practices, Federal Trade Commission
Saira Nayak, Director of Policy, TRUSTe
Moderated by partners Dana Rosenfeld and Alysa Hutnik of Kelley Drye & Warren LLP
PANEL 2: MOBILE APPS: A PRIVACY AND CONSUMER PROTECTION HOT SPOT
Michael Altschul, Senior Vice President and General Counsel, CTIA
Jessica Rich, Associate Director, Division of Financial Practices, Federal Trade Commission
Jennifer Tatel, Associate General Counsel, Federal Communications Commission (invited)
Moderated by partners John Heitmann and Gonzalo Mon of Kelley Drye & Warren LLP
When:
February 16, 2012, 2:30 PM - 5:30 PM EST
Location:
Kelley Drye & Warren LLP
3050 K Street, NW, Suite 400
Washington, DC 20007-5108
And via audio webcast
RSVP:
Email [email protected] or contact Cassidy Russell at 202.342.8400.
This seminar is free of charge, but space is limited. Reserve your place today.
CLE and CPE credit may be available in certain jurisdictions.