Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

FTC Staff Report Shines a Light on the Treacherous Road Ahead for Mobile Payments

Posted in Data Compliance & Security, Privacy Regulation, Security

Written by Jake Romero

Perhaps we are being cynical, but if we imagine the current conversation between consumers and the makers of mobile payment applications, it would be something along the lines of:

Mobile Payment Industry: “Hello Consumer, would you like to start using your mobile device to transmit payments and make purchases?”

Consumer: “Thank you, but no . . . I have serious concerns about my privacy and the security of my financial and purchasing data.  I’m just not comfortable with mobile device payments.”

Mobile Payment Industry: “I see, but did you know that you can use mobile payments to more easily purchase Girl Scout Cookies and Starbucks coffee?”

Consumer: “mmmm . . . . Thin Mints.”

In other words, the willingness of consumers to bargain away an increasing amount of their privacy and accept certain data security risks in exchange for the latest in mobile device services suggests that widespread acceptance of mobile payments is inevitable.  The Federal Trade Commission (the “FTC”), in a Staff Report titled “Paper, Plastic . . . or Mobile?” (the “Staff Report”), agrees.  The Staff Report cites a survey of industry executives in which 83% of those surveyed agree that mainstream consumer adoption of mobile payments will be achieved by 2015, and notes that in the past year, a number of the mobile industry’s largest companies, as well as many start-ups, have taken actions to claim a portion of the mobile payment market.

The main purpose of the Staff Report is to highlight certain primary issues affecting the mobile payment industry that, if not addressed early, could potentially cause great harm to consumers and hinder the industry’s development.  For example, the FTC points out that the payment source that underlies a mobile payment (such as a credit card, debit card, bank account or mobile phone account) can have a significant impact on the potential liability of consumers who wish to dispute fraudulent charges, and in some cases leave consumers with no statutory protection.  The FTC also discusses the difficulties involved in international transactions.  Not surprisingly, however, the bulk of the FTC’s discussion of key issues addresses data security and privacy.

Data Security

A study conducted by the Federal Reserve found that data security, and specifically the theft or interception of financial information, was the reason most cited by consumers who have chosen not to adopt mobile payments.  However, the FTC’s discussion of data security in connection with mobile payments is noteworthy because the FTC argues that if this issue is addressed correctly at the outset, the use of mobile payments could ultimately benefit consumers by allowing for greater security in the transmission of information.

Under a traditional payment regime, the FTC argues, the financial information of the consumer is at some point transmitted or stored in an unencrypted format.  In addition, if the information on the magnetic strip of a payment card is acquired, it can be used repeatedly to make purchases.  Mobile payments, on the other hand, can implement technology that allows for “end-to-end encryption” (meaning that at no point in the process would the data not be encrypted) and utilize an authentication system that generates unique payment information for each transaction (which would prevent thieves from being able to use stolen information on multiple transactions).  As a result, mobile payments can not only reduce the likelihood that financial information will be acquired, but also minimize potential losses in connection with stolen or intercepted information.

The Staff Report urges the adoption of strong data security measures by all companies in the mobile payment chain, and warns that the industry as a whole may suffer if the lax measures of any provider result in widespread harm to consumers.  The FTC also advocates that consumers be educated to ensure that they utilize certain common-sense security measures, such as using password protection to unlock each mobile device, and setting separate passwords to access mobile payment applications.

Privacy

Although the FTC argues that mobile payments, if implemented correctly, could increase data security, there is no denying the adverse effect that mobile payments will have on consumer privacy.  The privacy concerns raised by mobile payments are significant for a number of reasons.  The number of third parties that will have access to the consumer’s information is much greater than in a traditional payment system where only banks, merchants and payment card networks are involved.  As the Staff Report notes, mobile payments potentially involve the aforementioned third parties, as well as operating system manufacturers, hardware manufacturers, mobile phone carriers, application developers and coupon and loyalty program administrators.  Also, mobile payments will likely increase the amount of information that can be collected by each third party involved in the payment process.  Under a traditional point-of-sale process, the FTC argues, merchants and financial institutions receive access to some, but not all, of the information generated by the purchase.  Mobile payments, on the other hand, will generate data that could potentially be broadly collected and consolidated by third party processors.

The FTC’s recommendations for addressing the privacy concerns associated with mobile payments are set forth in its report “Protecting Consumer Privacy in an Era of Rapid Change”:

  • Use a “privacy by design” approach to the development of applications and services.  “Privacy by design” means that a consumer’s privacy has been considered at each step in developing, designing and implementing a website, service or application.  This typically includes providing consumers with warnings when highly sensitive information is being collected, making easy-to-understand resources available that describe what is being collected, and limiting the collection of information to only what is necessary to deliver the product or service.  In mobile applications, privacy by design is particularly important because mobile devices generate a greater amount of sensitive data.
  • Simplify the choices that are presented to consumers in connection with the collection of personal information.  The FTC warned that the solution to privacy issues cannot be to inundate the consumer with lengthy disclosures where the collection of information is obvious, but in all other instances the consumer should be permitted to restrict how and when data is collected by third parties.
  • Increase transparency and educate consumers about the transaction process.  Without greater transparency through meaningful disclosures, the mobile payment industry will be unlikely to win over the trust of the general public.

It is worth noting that the FTC’s recommendations for addressing data security and privacy in mobile payments follow a strategy similar to the FTC’s recent recommendations regarding mobile applications, in that the FTC is advocating for a combination of industry self-regulation and consumer education.  This approach suggests that the FTC believes that the development and adoption of technology moves too quickly to rely solely, or even primarily, on a statutory framework.  Knowing how much you love Girl Scout cookies, the FTC is likely correct.