On August 1, 2014, the Federal Trade Commission (“FTC”) issued a study called “What’s the Deal? An FTC Study on Mobile Shopping Apps,” with recommendations concerning pre-download disclosures. FTC staff surveyed and reviewed 121 mobile shopping apps that fell into three categories: price comparison apps, deal apps, and in-store purchase apps. FTC staff focused their analysis on (1) the in-store purchase apps’ pre-download disclosures concerning payment disputes, and (2) all of the surveyed apps’ pre-download disclosures concerning how the apps collect and handle consumer data.

FTC staff surveyed disclosures related to payment disputes for the in-store purchase apps because transactions processed through these apps can implicate consumers’ rights and liability limits in different ways, depending on the source of the funds. The study noted differences in statutory protections for various payment methods. Federal law limits consumers’ liability for credit and debit card transactions, particularly for unauthorized payments. These statutory protections apply to “pass-through” payments made through mobile apps. However, statutory protections do not apply to pre-paid cards, gift cards, and stored value accounts (i.e. an account maintained by the app provider). Consumers using these payment methods must instead rely on the payment apps’ contractual protections. Consumers are likely unaware of their rights when a payment dispute arises, whether statutory or contractual, unless their rights are disclosed by the app. Moreover, FTC staff found it difficult to distinguish between pass-through and stored value apps, adding to consumer confusion. In fact, FTC staff found that many of the surveyed in-store purchase apps were completely silent as to their dispute resolution and liability limits policies.

The FTC study recommends that the in-store purchase apps disclose consumers’ rights and protections before the service is used to make a payment via a mobile device. The study also reiterates its recommendation from an earlier report that companies clearly explain customers’ dispute resolution and liability limits, particularly for apps implementing pre-paid cards, gift cards, and stored value accounts, which do not afford statutory protections.

FTC staff surveyed the privacy policies of all three categories of apps for information on how the consumer data would be collected, shared, used, and secured. The study noted that the overwhelming majority of the apps surveyed had privacy policies and that almost every privacy policy disclosed what data the app might collect, demonstrating progress in FTC’s privacy initiatives. However, FTC staff found that the privacy policies used vague statements for how the apps would use and share the collected data, preserving broad rights and suggesting that the app developers may not be limiting the collection of data based on business needs (i.e. to effectuate a requested service or transaction). The study also found that while the apps claimed to utilize various methods to safeguard consumer data, it was unclear whether all the apps were honoring their representations.

As with the in-store payment services, the FTC study recommends that consumers be able to evaluate an app’s data practices before signing up to use an app’s service. The study also reiterated that mobile shopping app companies “should clearly describe how they collect, use, share, and secure consumers’ personal and financial data.” The addition of information about how financial and personal data is “used” and “secured” constitutes an expansion of the FTC’s prior recommendations for just in time notice contained in its “Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report” (dated February 1, 2013) which only called for short form notice to disclose the collection and sharing of sensitive data. Therefore, companies releasing mobile shopping apps should consider this broader guidance when developing policies and disclosures for those apps. The new recommendations for shopping apps to address use and security in privacy notices, amplifies the recent FTC focus on mobile app security as articulated through publicly announced consent orders released in 2013 and 2014.