Caveat Vendor

FTC Issues Privacy and Security Recommendations for Mobile Payments Industry

March 12, 2013

Devon Winkles

On Friday, the Federal Trade Commission released a staff report examining the growing use of mobile payments and offering recommendations for the industry. The recommendations related to three areas of particular concern: dispute resolution, data security and privacy. The report acknowledged that the mobile payments industry is particularly ripe for privacy risks because of the large amount of data collected and the high number of companies involved in the mobile payments process—not only banks, merchants, and payment card networks, but also operating system manufacturers, hardware manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators.

Thus, the FTC stressed the importance of “privacy by design”—that is, considering and addressing privacy at every stage of product development. “Privacy by design” incorporates concepts such as data security, reasonable collection limits, sound retention policies and data accuracy and is implemented through privacy controls including designation of personnel responsible for the privacy program, a risk assessment, implementation of controls designed to address the risks identified and appropriate oversight of service providers.

In addition, the FTC recommended that companies aim to increase consumer trust in the young-but-growing mobile payments marketplace. One way to do this is to provide appropriate choices to consumers about data collection and use related to mobile payments. For instance, use of payment data for other purposes or by third parties should not be pre-selected as default options. In addition, companies should develop ways to provide transparency about their data practices.

These recommendations should sound familiar to those who follow the FTC’s thinking on privacy and security issues. They largely echo the FTC’s privacy principles, announced in its March 2012 report titled Protecting Consumer Privacy in an Era of Rapid Change. Those principles also embodied “privacy by design,” simplified choice for business and customers, and greater transparency.

The report acknowledged that the mobile payments industry is still developing and placed the burden on the industry to craft consumer protections. Policymakers at the FTC and other agencies, as well as on the Hill, will continue to monitor the industry to determine whether those industry-led protections are adequate or whether regulations are necessary.

Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.