Skip to main content

Privacy Monday: July 14, 2014

FTC Sues Amazon Over In-App Purchases Made by Children

 Written by Jake Romero, CIPP

Children, according to Whitney Houston, are our future, but they are also, according to the Federal Trade Commission, willing to spend unlimited amounts of money to purchase virtual items within mobile applications.  In a lawsuit filed after, Inc. resisted a settlement offer similar to the FTC’s settlement with Apple, Inc., the FTC claims that Amazon allowed millions of dollars of in-app purchases from children on the mobile application store installed on its Kindle Fire devices and on mobile devices running the Android operating system.  In response to the alleged unfair practices, the FTC is seeking an injunction against Amazon and restitution to Amazon consumers.

The FTC’s lawsuit alleges that Amazon permits users to make purchases within applications that generally range from $0.99 to $99.99 in unlimited amounts, including in applications likely to be played by children.  Although Amazon appends a note to app descriptions that references in-app charges, the FTC alleges that such notifications are often “below the fold” (meaning the user has to scroll down to see it) and do not sufficiently explain how or when Amazon seeks account-holder authorization for charges.  Initially when a user wanted to take an action within the app that would require a charge, a pop-up notification would be displayed that provided information containing the amount of the charge.  Once a user cleared the charge (by clicking “get item” or a similar message), that response would be “cached” so that the user would not have to click through a pop-up each time he or she wanted to make an in-app purchase.  In March 2012, the FTC alleges that Amazon implemented a password entry requirement for charges above $20 to ensure that charges over $20 were not authorized by someone without permission, but continued to allow charges for less than $20 without entering the Amazon account password.  Although Amazon updated its in-app purchase procedures in 2013 to increase password entry requirements and shorten the period of time in which cached approvals would authorize subsequent charges, the FTC alleges that the new standards were not consistently imposed and in some cases continued to not provide sufficient information.  For example, the FTC claims that some notifications failed to describe the period of time during which cached authorizations would validate subsequent purchases or did not include an explanation of the amount of actual currency involved (“5 acorns and a slice of cake” seems like a small amount until someone lets you know that each virtual acorn costs $10 and the virtual slice of cake costs $25).   More importantly, the FTC argues that because within the app these transactions look and feel like transactions with virtual currency (as opposed to real money), children generally don’t understand when purchases are made with cash, and when they are not.

Amazon, in a letter to the FTC commission, has argued that it has operated within the bounds of the law and that its in-app purchase mechanisms already meet or exceed the requirements of the Apple consent order.  That consent order requires, among other things, that consent requests for in-app charges disclose all “material information” including:

  • if consent is sought for a specific in-app charge: (i) the in-app activity associated with the charge, (ii) the specific amount of the charge; and (iii) the account that will be billed for the charge; or
  • if consent is sought for potential future charges: (i) the scope of the charges (including the duration of consent and the apps to which it applies; (ii) the account that will be billed for the charge and (iii) method(s) through which the account holder can revoke or modify the scope of consent.

The FTC’s lawsuit quotes a number of Amazon internal documents that show that Amazon observed issues with in-app purchasing and responded by implementing changes.  Ultimately, the end result for Amazon and the FTC may depend on how consistent Amazon was in implementing its fixes and updates and how stringently those requirements were enforced for mobile app developers.  In the meantime, this lawsuit will be watched closely by mobile application developers because for every virtual rainbow, acorn or gold coin that is purchased by a child, there are many more that are legitimately purchased by adults who favor seamless and easy game play.  After all, these apps aren’t like Facebook games where you can just keep inviting your friends to play Mob City Dragon Zoo Farm over and over for the sake of getting to the next level.  For those mobile application developers looking to stay in the good graces of platform providers, there is no time like the present to re-evaluate processes for obtaining consent for in-app charges to ensure that consumers, no matter what age, understand the real world implications of their virtual purchases.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.