On September 4, 2014, the FTC announced a settlement with Google Inc., which requires the search giant to pay at least $19 million in refunds to consumers that the Commission alleges were billed for unauthorized in-app charges incurred by kids.  The settlement follows a similar settlement in January with Apple (which required Apple to pay a minimum of $32.5 million in refunds), and a recent complaint filed by the FTC in federal court against Amazon.

The FTC’s complaint against Google alleges that the company offered free and paid apps through its Play store.  Many of these apps are rated for kids and offer “in-app purchases” ranging from $0.99 to $200, which can be incurred in unlimited amounts.  The FTC alleges that many apps invite children to obtain virtual items in a context that blurs the line between what costs virtual currency and what costs real money. 

At the time Google introduced in-app charges in March 2011, users were notified of an in-app charge with a popup containing information about the virtual item and the amount of the charge.  A child, however, could clear the popup simply by pressing a button labeled “CONTINUE.”   In many instances, once a user had cleared the popup, Google did not request any further action before billing the account holder for the corresponding in-app charge. 

It was not until mid- to late-2012 that Google begin requiring password entry in connection with in-app charges. The complaint alleges, however, that once a password was entered, it was stored for 30 minutes, allowing a user to incur unlimited in-app charges during that time period.  Regardless of the number or amount of charges incurred, Google did not prompt for additional password entry during this 30 minute period.

Google controls the billing process for these in-app charges and retains 30 percent of all revenue.  For all apps, account holders can associate their Google accounts with certain payment mechanisms, such as a credit card, gift card, or mobile phone billing.  The complaint highlights that Google received thousands of complaints related to unauthorized in-app charges by children and that unauthorized in-app purchases was the lead cause of chargebacks to consumers.
Continue Reading Google to Refund at Least $19 Million Over Kids’ In-App Purchases

On July 10, 2014, the FTC filed a complaint in federal court alleging that Amazon unlawfully billed parents and other Amazon account holders for unauthorized in-app charges incurred by kids.  The complaint follows a similar FTC settlement with Apple and a similar class action lawsuit against Google

The FTC’s complaint alleges that Amazon offers free and paid apps through its App store, many of which are rated for kids and allow in-app charges ranging from $0.99 to $99.99.  Amazon controls the billing process for these in-app charges and retains 30 percent of all in-app revenue.  For all apps, Amazon requires its users to link their mobile device to an Amazon account, which is funded by a credit card or Amazon gift card. 

At the time Amazon introduced in-app charges to the App store in November 2011, users were notified of an in-app charge with a pop-up containing information about the app virtual item identified for purchase and the amount of the charge.  The FTC asserts, however, that a child user could clear the pop-up notification by pressing the “Get Item” button.  Once the user clears the pop-up, the FTC asserts that Amazon did not request further action before billing users’ accounts.  

The complaint highlights internal communications among Amazon employees from December 2011 noting that unlimited in-app charges without requiring a password were causing problems for a large percentage of its customers.   According to the complaint, in March 2012, Amazon updated its in-app charge system to require a password for any single in-app charge over $20, but continued allowing an unlimited number of lesser in-app purchases with no password.
Continue Reading FTC Files Suit Against Amazon Over Kids’ In-App Purchases

Yesterday, the California Attorney General Kamala Harris released much-anticipated guidance providing website and mobile app operators recommended best practices when disclosing how the operator responds to Do Not Track (“DNT”) signals in its online privacy policy.  

The guidance, “Making Your Privacy Practices Public,” is intended to help companies comply with recent revisions to the California Online Privacy Protection Act (“CalOPPA”), which requires that each privacy policy disclose how the website operator responds to mechanisms, such as DNT signals, that provide consumers with the ability to exercise choice regarding the collection of personally identifiable information (“PII”) over time and across third-party websites.  In addition to best practices on DNT signals, the guidance also provides general recommendations to make privacy policies “more effective and meaningful” to consumers.

The guidance provides the following 10 key recommendations:
Continue Reading California Releases Guidance on DNT Disclosures for Privacy Policies

On May 8, 2014, the FTC announced a settlement with Snapchat resolving allegations that the popular mobile messaging app deceived consumers over the disappearing nature of users “snaps” and made false and misleading representations concerning its privacy and information security practices.  The FTC took issue with several of Snapchat’s practices and representations:

  • Disappearing “Snaps” – Snapchat represents to users that their snaps (i.e., photos and videos) will “disappear forever” after the user-set time period expires, thereby ensuring users’ privacy and safeguarding against data collection.  According to the FTC’s complaint, however, recipients could circumvent the settings to save or access the snaps in a number of ways.  For example, recipients could open Snapchat messages in third-party apps, take a screen shot of the snaps on an iPhone, or access videos by connecting their mobile device to a computer and retrieving the files through the device directory.  The complaint alleges that these types of workarounds were highly publicized. 
  • Misrepresenting Data Collection Practices – Snapchat’s privacy policy represented to users that the app did not access or track users’ geolocation information.  The FTC complaint asserts that in October 2012, Snapchat integrated an analytics tracking service in the Android system, which transmitted Wi-Fi based and cell-based location information from users’ mobile devices.  Snapchat continued representing in the privacy policy that it did not collect or use geolocation information until February 2013.  In addition, the app allows users to “Find Friends” by entering their mobile number or by accessing the Find Friends feature in the apps menu options.  The privacy policy implied that the user’s mobile phone number was the only information Snapchat collected to find the user’s friends. The FTC contends, however, that when the user chose to Find Friends, Snapchat also collected the names and phone numbers of all the contacts in users’ address books.
    Continue Reading Snapchat Captured in FTC Enforcement

On March 28, 2014, the FTC announced two new mobile app settlements – with Fandango and Credit Karma – based on allegations that the companies failed to secure the transmission of consumers’ sensitive personal information collected via their mobile apps and misrepresented the security precautions that the companies took for each app.

Specifically, the FTC

A class action lawsuit was filed last week in California against Google Inc., alleging that many apps in Google’s app marketplace permit children to make virtual purchases within the game without a parents’ knowledge or consent.

The complaint alleges that Google offers free and paid apps through its “Google Play” store, and that many are

On February 16, 2012, Kelley Drye & Warren LLP hosted the seminar and audiocast, “Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends.” The seminar highlighted regulatory and legislative developments in privacy and information security during the past year, with an emphasis on children’s online privacy

The year 2012 is certain to reflect U.S. consumers’ continued love affair with sophisticated smartphones and tablets. One of the driving forces in the popularity of these devices is their ability to run mobile apps using wireless location-based services (LBS). Among other benefits, LBS allow access to real-time and historical location information online – whether

Changes to privacy regulations, such as proposed revisions to the Children’s Online Privacy Protection Act (COPPA), and continuously evolving technologies, including mobile apps with location-based services, can make it difficult for businesses to ensure their privacy practices are up to par.

On February 16, Kelley Drye will gather government leaders from the FTC and FCC