Business Blog
15 minutes of game: Getting to the core of the FTC's $32.5 million settlement with Apple
Update (3/27/14): Apple will notify people about how to get refunds by April 15. The settlement requires Apple to provide full refunds for in-app charges made by kids without parental permission.
It’s a simple concept really: Companies shouldn’t charge people for stuff without their express consent. That’s the law – and it’s always been the law. So when a company chooses to implement a billing process that, in effect, opens a tab for kids and lets them place “all sales final” charges on their parents’ credit cards with the click of a button – and without Mom or Dad’s express consent – it shouldn’t come as a surprise when law enforcement follows. That’s the story behind the FTC’s proposed settlement with Apple, which will return at least $32.5 million to consumers.
To paraphrase Andy Warhol’s quote about 15 minutes of fame, the FTC’s complaint focuses on 15 minutes of game – a built-in default period when those unauthorized charges could be racked up. But first, a bit of background on how Apple's billing process works. Before consumers can download anything from the iTunes Store, they have to link their account to a credit or debit card. When people download an app or buy something within an app, Apple bills their iTunes account and pockets 30% of the revenue. From start to finish, the billing process is Apple’s baby. The company controls exactly how it’s done.
Apple offers thousands of apps – including many games featured in the Kids or Family section of the iTunes Store – that let users buy things within the app. Maybe it’s “food” for an imaginary pet or “gold” that can rev up the gaming experience. The Magical Pixie Dust may be virtual, but it costs cold, hard cash in the form of charges to the device owner’s iTunes account. And Pixie Dust doesn’t come cheap these days; in-app charges can range from 99 cents up to almost $100 per click.
Here’s where that 15-minute window becomes critical. If a child is playing a game and wants to make an in-app charge, Mom or Dad typically has to key in their password and then hand the device back to the kid to continue playing. But according to the FTC's complaint, what Apple didn’t explain is that it stores the password for 15 minutes. That means all in-app charges made during that 15-minute window are incurred without the account holder having to re-enter the password. In effect, without telling parents, Apple set up a 15-minute "Put it on my tab" period where Moms and Dads were responsible for charges they didn't expressly authorize. That happened even in apps rated for, say, four-year-olds – not a group likely to grasp the concept that pressing a button or two can run up a bill rivaling what a family spends in a week on groceries. For example, the “Tiny Zoo Friends” app, which Apple has rated for kids 4 and up, lets players buy a quantity of “Zoo Bucks” at a cost of $99. And remember: Apple has an “all sales final” policy.
Furthermore, up until the release of Apple’s latest operating system in September 2013, when a child playing a game tried to make the first in-app charge, a BUY button appeared that the kid could click. What showed up next was a pop-up identical to the password prompt that appears before the installation of an app. The trouble is nowhere did that password prompt explain it was for a purchase. 
So if a kid clicked BUY and then passed the device to Mom or Dad for their password, the parent had no way of knowing that the routine act of entering their password resulted in a charge – much less that it opened that 15-minute window when unauthorized charges could be added. (Click on the picture to see how that worked.) That payment process isn’t entirely a thing of the past. For people who haven’t upgraded their operating system, that’s still what happens.
The financial injury in this case isn’t speculative. Apple received tens of thousands of complaints from consumers about unauthorized in-app charges by kids. For example, one Mom reported that her daughter’s clicks resulted in $2600 in unauthorized purchases in the “Tap Pet Hotel” app. Others reported $500 in surprise in-app charges when kids played “Dragon Story” and “Tiny Zoo Friends.”
The FTC's proposed order requires Apple to change its practices to make sure it has account holders’ express, informed consent before billing them for in-app charges. If people give their OK to be billed for future charges but then change their mind, the order gives them the right to withdraw their consent at any time. You'll want to check the order's definition of "express, informed consent" in this context, but here are some salient features: It requires an affirmative act communicating authorization for the in-app charge – like entering a password – that has to be close to both the in-app activity Apple is billing the user for and to a clear and conspicuous disclosure of material information about the charge. Apple must have those billing changes up and running by March 31, 2014.
As part of the proposed settlement, Apple will provide at least $32.5 million in refunds to people who were billed for accidental or unauthorized in-app charges incurred by kids. How will the refund program operate? Apple has to send an electronic notice to customers with directions on how to get their money back. And it's not just a "take Apple's word for it" provision. The order requires the company to hand over to the FTC records of refund requests, refunds paid, and any refunds denied.
What messages can other companies can take from the FTC’s proposed settlement?
First, get people’s express consent before billing them. That’s Consumer Protection 101 for app developers, app sellers, advertisers, payment processors, and anyone else in the marketing ecosystem who wants to avoid the scrutiny of law enforcers and the ire of outraged consumers.
Second, especially when it comes to merchandise geared toward kids, think through your processes in advance to minimize the risk that a child’s quick click could result in hefty unauthorized charges unknown to the parent until they get the bill.
The FTC is hosting a Twitter chat about the case at 2:00 ET today, January 15, 2014. Interested in commenting on the proposed settlement? File online by the February 14, 2014, deadline.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.