The FTC’s complaint against Google alleges that the company offered free and paid apps through its Play store. Many of these apps are rated for kids and offer “in-app purchases” ranging from $0.99 to $200, which can be incurred in unlimited amounts. The FTC alleges that many apps invite children to obtain virtual items in a context that blurs the line between what costs virtual currency and what costs real money.

At the time Google introduced in-app charges in March 2011, users were notified of an in-app charge with a popup containing information about the virtual item and the amount of the charge. A child, however, could clear the popup simply by pressing a button labeled “CONTINUE.” In many instances, once a user had cleared the popup, Google did not request any further action before billing the account holder for the corresponding in-app charge.

It was not until mid- to late-2012 that Google begin requiring password entry in connection with in-app charges. The complaint alleges, however, that once a password was entered, it was stored for 30 minutes, allowing a user to incur unlimited in-app charges during that time period. Regardless of the number or amount of charges incurred, Google did not prompt for additional password entry during this 30 minute period.

Google controls the billing process for these in-app charges and retains 30 percent of all revenue. For all apps, account holders can associate their Google accounts with certain payment mechanisms, such as a credit card, gift card, or mobile phone billing. The complaint highlights that Google received thousands of complaints related to unauthorized in-app charges by children and that unauthorized in-app purchases was the lead cause of chargebacks to consumers.

The FTC alleges that Google’s billing practices were unfair and violated Section 5 of the FTC Act. Under the terms of the proposed settlement order, Google must pay at least $19 million in refunds to consumers. Google is also required to obtain the “prior express, affirmative consent of the account holder” before billing a consumer for an in-app charge.

In instances where consent is sought for a specific in-app charge, the settlement requires Google to clearly and conspicuously disclose: (1) the in-app activity associated with the charge; (2) the specific amount of the charge; and (3) the account that will be billed for the charge. In addition, if consent is sought for potential future in-app charges, Google must clearly and conspicuously disclose: (1) the scope of the charges for which consent is sought, including the duration, devices, and apps to which consent applies; (2) the account that will be billed for the charge; and (3) the method(s) through which the account holder can revoke or otherwise modify the scope of consent.

The settlement with Google is a good reminder that app developers and mobile platforms should continue to review their advertising, marketing, and game experience (as well as consumer complaints), and determine whether existing disclosures may benefit from disclosure and process enhancements in line with the terms set forth in this latest settlement.

The FTC’s complaint alleges that Amazon offers free and paid apps through its App store, many of which are rated for kids and allow in-app charges ranging from $0.99 to $99.99. Amazon controls the billing process for these in-app charges and retains 30 percent of all in-app revenue. For all apps, Amazon requires its users to link their mobile device to an Amazon account, which is funded by a credit card or Amazon gift card.

At the time Amazon introduced in-app charges to the App store in November 2011, users were notified of an in-app charge with a pop-up containing information about the app virtual item identified for purchase and the amount of the charge. The FTC asserts, however, that a child user could clear the pop-up notification by pressing the “Get Item” button. Once the user clears the pop-up, the FTC asserts that Amazon did not request further action before billing users’ accounts.

The complaint highlights internal communications among Amazon employees from December 2011 noting that unlimited in-app charges without requiring a password were causing problems for a large percentage of its customers. According to the complaint, in March 2012, Amazon updated its in-app charge system to require a password for any single in-app charge over $20, but continued allowing an unlimited number of lesser in-app purchases with no password.

In early 2013, Amazon implemented further updates to require a password entry for all in-app charges. The complaint alleges, however, that once the password was entered, the password was stored from 15 minutes up to one hour, allowing the user to incur unlimited in-app charges during that time period.

The complaint contends that Amazon received thousands of consumer complaints relating to unauthorized in-app purchases by kids, amounting to millions of dollars of charges. Amazon, however, has an express policy stating that all in-app charges are final. To the extent that parents sought an exception from the policy, the FTC’s complaint states that Amazon’s refund process is unclear and confusing.

The FTC alleges that Amazon’s billing practices were unfair and violated Section 5 of the FTC Act. The complaint seeks a permanent injunction to prevent future violations of the FTC Act, a court order to refund users for the unauthorized charges, and the costs of the action.

The guidance, “Making Your Privacy Practices Public,” is intended to help companies comply with recent revisions to the California Online Privacy Protection Act (“CalOPPA”), which requires that each privacy policy disclose how the website operator responds to mechanisms, such as DNT signals, that provide consumers with the ability to exercise choice regarding the collection of personally identifiable information (“PII”) over time and across third-party websites. In addition to best practices on DNT signals, the guidance also provides general recommendations to make privacy policies “more effective and meaningful” to consumers.

The guidance provides the following 10 key recommendations:

1. Scope of Policy: Privacy policies should explain whether it covers online or offline data collection, or both, and to what entities the privacy policy applies.
2. Availability: A conspicuous link to the privacy policy should be provided on the homepage of the website, and every webpage where PII is collected. For mobile apps, the link should be provided both on the app’s platform page and within the app.
3. Readability: Privacy policies should be written in plain, straightforward language that is meaningful to, and can easily be understood by consumers. For smaller screens, such as privacy policies read through mobile apps, the guidance suggests using a layered format that highlights the most relevant privacy issues.
4. Data Collection: Privacy policies should describe how PII is collected (including through the use of cookies or web beacons) and the kind of PII collected. Any information collected from children under the age of 13 should comply with COPPA.
5. Do Not Track: Privacy policies should have a clearly identified section which describes the policy regarding online tracking. A header, such as “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures,” can be used to call out the specific section. In addition, privacy policies should describe how the website responds to a browser’s DNT signal or similar mechanism. The guidance recommends describing this information in the privacy policy, over linking to a related program or protocol that offers consumers a choice about online tracking.
6. Data Use and Sharing: Privacy policies should explain how PII is used and shared with other entities, including affiliates and marketing partners, and provide a link to the privacy policies of such third parties.
7. Individual Choice and Access: Privacy policies should describe the choices a consumer has regarding the collection, use, and sharing of his or her personal information
8. Security Safeguards: Privacy policies should explain how the website or app operators protect consumers’ PII from unauthorized or illegal access.
9. Effective Date: The effective date of the privacy policy should be provided, and the privacy policy should explain how consumers will be notified about material changes.
10. Accountability: Contact information should also be provided in case consumers have questions or concerns about the privacy policy or practices.

• Disappearing “Snaps” – Snapchat represents to users that their snaps (i.e., photos and videos) will “disappear forever” after the user-set time period expires, thereby ensuring users’ privacy and safeguarding against data collection. According to the FTC’s complaint, however, recipients could circumvent the settings to save or access the snaps in a number of ways. For example, recipients could open Snapchat messages in third-party apps, take a screen shot of the snaps on an iPhone, or access videos by connecting their mobile device to a computer and retrieving the files through the device directory. The complaint alleges that these types of workarounds were highly publicized.
• Misrepresenting Data Collection Practices – Snapchat’s privacy policy represented to users that the app did not access or track users’ geolocation information. The FTC complaint asserts that in October 2012, Snapchat integrated an analytics tracking service in the Android system, which transmitted Wi-Fi based and cell-based location information from users’ mobile devices. Snapchat continued representing in the privacy policy that it did not collect or use geolocation information until February 2013. In addition, the app allows users to “Find Friends” by entering their mobile number or by accessing the Find Friends feature in the apps menu options. The privacy policy implied that the user’s mobile phone number was the only information Snapchat collected to find the user’s friends. The FTC contends, however, that when the user chose to Find Friends, Snapchat also collected the names and phone numbers of all the contacts in users’ address books.
• Security Design Flaws: The FTC complaint alleges that Snapchat failed to securely design its Find Friends feature by failing to verify the phone number of the user upon registration. In such case, an individual could create an account using a phone number belonging to another consumer. The FTC contends that Snapchat received a number of complaints that users’ snaps were being sent to strangers who had registered with friends’ numbers, or that their phone number had been used to send inappropriate or offensive snaps. In addition, Snapchat represents in its privacy policy that it takes “reasonable steps” or “reasonable measures” to protect users information. The FTC asserts, however, that Snapchat failed to implement any restrictions on serial and automated account creation, which allowed attackers to create multiple accounts and send millions of Find Friends requests using randomly generated phone numbers. According to the complaint, the attackers were able to compile a database of 4.6 million Snapchat usernames and associated mobile phone numbers.

Although the FTC’s order does not include any monetary remedy, Snapchat must comply with a 20-year FTC administrative order. This means that if the company violates a term of its settlement agreement with the FTC, it can be liable for a civil penalty of up to $16,000 for each violation, which the FTC can construe as each day of non-compliance. The settlement is a continued reminder that the FTC remains focused on protecting the privacy of consumers and will closely scrutinize companies’ practices as they relate to the handling and security of consumers’ personal information.

Specifically, the FTC alleged that Fandango and Credit Karma disabled the SSL (Secure Sockets Layer) certification validation procedure for each of their mobile apps. By doing so, the FTC claims that the apps were open to attackers positioning themselves between the app and the online service by presenting an invalid SSL certificate to the app – i.e., “man-in-the-middle” attacks. The FTC contends that Fandango and Credit Karma engaged in a number of practices that, when taken together, failed to provide reasonable and appropriate security in the development and maintenance of its mobile app, including:

• Overriding the default SSL certificate validation settings provided by the iOS and Android application programming interfaces (APIs) without implementing other security measures to compensate for the lack of SSL certificate validation;
• Failing to appropriately test, audit, assess, or review the apps, including failing to ensure that the transmission of sensitive personal information was secure;
• Failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties (Fandango only); and
• Failing to reasonably and appropriately oversee its service providers’ security practice (Credit Karma only).

As mobile privacy and security continues to be at the forefront of the FTC’s enforcement priorities, companies should keep abreast of developments in this area and regularly evaluate their mobile products and services. Stay tuned for a Kelley Drye client advisory discussing the enforcement trends for mobile and “red flags” that companies should watch out for.

The complaint alleges that Google offers free and paid apps through its “Google Play” store, and that many are targeted at children. Although some of the apps may be downloaded for free, the complaint further alleges that many allow the user to make in-app purchases (e.g., virtual supplies, ammunition, food, and fake “currency”), and that these games are “highly addictive,” and “tend to compel” children playing them to make large in-app purchases, including charges of $100 or more.

For all apps, Google requires its users to authenticate their accounts by entering a password prior to downloading an app or making an in-app purchase. The complaint alleges that once the password is entered, Google permits the user to make in-app purchases for up to 30 minutes without reentering the password. According to the complaint, this window of time allows minors to make large in-app purchases, without the knowledge or authorization of the parents. Google then automatically charges the customers’ credit or debit cards or PayPal accounts for the in-app purchase, through its online “Google Wallet.”

The lawsuit comes on the heels of the FTC settlement with Apple, which requires Apple to pay at least $32.5 million in refunds to consumers (for a more detailed assessment of the Apple settlement, please click here). Apple also settled a similar class action lawsuit in February 2013.

These recent developments are a good reminder for online platforms, app developers, and app providers to continue reviewing applicable advertising, marketing, and in-app purchases and experiences. We will continue to closely track these litigation and regulatory developments, and update this blog accordingly.

Peter Swire, a professor at The Ohio State University Michael E. Moritz College of Law and a Senior Fellow with the Center for American Progress, opened the seminar with a keynote address that gave historical context to the most recent regulatory efforts addressing consumer privacy. Professor Swire’s remarks were followed by two panel sessions that included six experts representing key industry representatives and the federal agencies integral to recent privacy initiatives. The first panel discussed children's online privacy and the Federal Trade Commission’s proposed revisions to the Children's Online Privacy Protection Rule. The second panel discussed various consumer privacy enforcement and regulatory initiatives relating to mobile apps.

For more on the seminar, including a synopsis of key takeaways, see the Kelley Drye client advisory. An audio recording of the full program is also available.

However, with these benefits also come privacy risks. And it is not uncommon for some popular LBS-enabled tools to lack clear disclosure about personal information collection, how that data is used, and the process for consumer consent.

Our article posted recently on Mashable, "5 Privacy Tips for Location-Based Services," discusses several privacy "do's and don'ts" for designing mobile apps.

For a more in-depth discussion of these issues, plus other privacy law trends, join us on February 16 for Kelley Drye’s seminar and teleconference, “Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends.”

On February 16, Kelley Drye will gather government leaders from the FTC and FCC, and thought leaders in the industry, for a discussion about new regulations, enforcement trends, and best practices to avoid consumer privacy risks. Please join us for "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends."

Email [email protected] to register for the live seminar or teleconference.

KEYNOTE SPEAKER

Peter Swire, Professor of Law, Ohio State University; former Clinton Administration Chief Counselor for Privacy, U.S. Office of Management and Budget

PANEL 1: COPING WITH COPPA: CHILDREN'S PRIVACY AND PROPOSED REVISIONS TO THE COPPA RULE

Ellen Blackler, Vice President - Global Public Policy, The Walt Disney Company

Mamie Kresses, Senior Attorney, Division of Advertising Practices, Federal Trade Commission

Saira Nayak, Director of Policy, TRUSTe

Moderated by partners Dana Rosenfeld and Alysa Hutnik of Kelley Drye & Warren LLP

PANEL 2: MOBILE APPS: A PRIVACY AND CONSUMER PROTECTION HOT SPOT

Michael Altschul, Senior Vice President and General Counsel, CTIA

Jessica Rich, Associate Director, Division of Financial Practices, Federal Trade Commission

Jennifer Tatel, Associate General Counsel, Federal Communications Commission (invited)

Moderated by partners John Heitmann and Gonzalo Mon of Kelley Drye & Warren LLP

When:
February 16, 2012, 2:30 PM - 5:30 PM EST

Location:
Kelley Drye & Warren LLP
3050 K Street, NW, Suite 400
Washington, DC 20007-5108

And via audio webcast

RSVP:
Email [email protected] or contact Cassidy Russell at 202.342.8400.

This seminar is free of charge, but space is limited. Reserve your place today.

CLE and CPE credit may be available in certain jurisdictions.