The murkier side of apps and ecommerce


The Office of Fair Trading is the UK’s competition watchdog. This is how they describe their work

The OFT’s mission is to make markets work well for consumers. Markets work well when businesses are in open, fair and vigorous competition with each other for the consumer’s custom.

Note the words open and fair. Note too there is no distinction between the offline and the online worlds. The OFT covers both physical and web based commerce.

Last month the OFT announced they were beginning an investigation into

…..whether children are being unfairly pressured or encouraged to pay for additional content in ‘free’ web and app-based games, including upgraded membership or virtual currency such as coins, gems or fruit. Typically, players can access only portions of these games for free, with new levels or features, such as faster game play, costing money.

Bravo OFT. Welcome to my world.

Apps get a bad press

There are two types of apps out there. Free and paid for. Free in this context means that at the point where the app is downloaded no charge is levied, and  paid for means there is. The OFT’s announcement came hot on the heels of a number of stories that appeared in the press where Mum or Dad discovered that, while playing a free app on their mobile phone, iPad or laptop, one of their children had spent thousands of pounds on extras or enhancements for the game, sometimes in a very short period of time.

How could this happen? Typically, when setting up a mobile phone or other device for first use you will be asked to provide credit or debit card details. Kids don’t usually have plastic so a parent has to step up. Fairly obviously the card will be used to pay for anything that is later bought using the device and a password is needed to authorise the payment but, at least on Apple devices, the same password is needed when downloading something that is described as free.

Many parents didn’t realise the ease with which a child could switch seamlessly between free and paid for environments. They blithely gave the password away. Equally many children didn’t fully understand that clicking on that shiny button to get a new sonic shield, laser gun or pink wallpaper would end up costing such large sums of money, or indeed any money at all. 

It’s a freemium world

The free app – or freemium as it is often called – is a hugely important source of revenue for app developers. For the vast majority it is the single most important source. A report published in Tech Crunch in March showed that, in the USA, on the iPhone a massive 71% of all revenues from apps came from in-app purchases made from so-called free apps. Only 5% of total revenues were derived from paid for apps. Of the 250 top grossing apps only 27 were paid for apps.

According to the OFT’s announcement in the UK 80 of the 100 top-grossing Android apps,  were free to install and raised revenue through in-app purchases. They gave an example of single purchases of virtual currency where the range ran from a few pence to £70 or more.

George Holmer of Nottinghamshire was appalled to find his 11 year old son had forked out £3,500 buying gold in a game called Arcane Empires, a free app. Then there was the bizarre case of Doug Crossan from Bristol. He discovered that his 13 year old son had spent £3,700 on 300 purchases made in games such as Hungry Shark and Gun Builder (both free) and Plants v Zombies (69p). Mr Crossan is a police officer. He reported his son to the police, in effect for fraud.

There are tons of other examples which must have driven countless UK parents to distraction. For families living on a tight budget the arrival of bills of this sort most decidedly raises issues which can go directly to the welfare of children in that family.

The FTC looks at kids’ apps

The apps industry has form. In February of last year the USA’s Federal Trade Commission published their report entitled Mobile Apps for Kids: Current Privacy Disclosures are Disappointing. It was followed up by a second report published in December called Mobile Apps for Kids: Disclosures Still Not Making the Grade. The title of the second report almost tells you all you need to know about the first one.

Here the focus was on data collection habits within the apps industry but these are closely tied to companies’ broader commercial practices. In the December report the FTC said

…..most apps failed to provide basic information about what data would be collected from kids, how it would be used, and with whom it would be shared. It is clear that more needs to be done in order to provide parents with greater transparency in the mobile app marketplace.

If I had to award marks out of ten for apps developers as a group – there are shining and honourable exceptions -for how they regard or treat kids, they would get around a four. Most of the four would be for high entertainment value, a widening range of information based services and technical innovation. But they would score low for child internet safety and business ethics.

Not accidental

The people running these companies by and large are really smart, although a number may have little knowledge of some jurisdictions’ national laws or conventions. However, most of them know perfectly well what they are doing when it comes to piling up the cash as they seek to grow their businesses as fast as they possibly can. They probably know or have a hunch that a spoilsport (a regulator) is going to come along and slay the goose that lays their golden eggs but if they delay that denouement as far into the future as they can they might just get that third Porsche into the garage.

Now I agree that parents who don’t take great care to check out how their credit or debit cards could be accessed and used by their kids when they go online are being foolish but who amongst us has not committed the sin of foolishness? We all live busy, pressured lives. The apps guys know this. We don’t always read the small print and in part that is sometimes, as the FTC reports referred to earlier imply, because the print is eye-wateringly microscopic, often well hidden and incomprehensible anyway.

Clear obligations

There should be a clear obligation on any business selling into kids’ markets to spell out prominently, in a timely way, in bold, easy to read and easy to understand language what the potential costs associated with the use of any app (free or otherwise) might be and how to impose upper limits or zero limits on expenditure associated with using the app.

Apps providers and above all their publishers (the Apps Stores or platforms) should be obliged to provide a succinct explanation of data collection and privacy policies, wherever possible illustrated through the use of intuitive icons. These could be standardised across the industry but will need to fit different access devices whether laptops, games consoles, smartphones, TVs or whatever.  Linked to that the Apps Stores must satisfy themselves, certify and declare that a full and proper explanation has been given of the potential costs associated with use of the app once it has been downloaded.

Default to zero

Following the download maybe the default should stop any additional expenditure on any in app purchases without a subsequent express authorisation being given or an upper limit being set. Perhaps all apps need to have multiple passwords. If a kid enters one password he or she can spend up to £10 in a month, but if they try to exceed that limit or any single purchase exceeds, say, £1, an alternative password is needed either instead or in addition.

Finally, the difference between the free app and versions of the same app which utilise paid for extras should not be so large as, effectively, to make the free app no more than a teaser or a marketing device for all the paid stuff. The point is the free app should be interesting or playable in a meaningful way and not be merely a thinly disguised piece of advertising. Because that makes it a cynical con. Of a child.

I appreciate that some of these things can be highly subjective but, if there was a will to solve the problem and a sound self-regulatory framework was developed, in time a body of knowledge and good practice would emerge.

The Apps Stores are the key

Apple, Google, Blackberry and Windows therefore should not allow an app on to any of their platforms unless they are satisfied it covers the points made above and meets certain minimum, independently determined standards. The rules by which the platforms operate should be fully transparent so as to guard against accusations of unfair commercial bias. Discriminating against new or existing apps because they may compete with rival apps should be regarded as a serious offence.

The apps provider, indeed anyone in the value chain that derives any financial benefit from the sale of an app or the add-ons, should accept they have a shared responsibility to ensure that all products or services sold to children and other legal minors are sold properly and fairly. No one should be able to do a Pontius Pilate. If a breach is established everyone in the value chain should be penalised. That will ensure everyone pays attention to what their business partners are doing before and after they engage with them.


Which brings us to the thorny question of authentication and age verification. This could present a way of avoiding the multiple password scenario I mentioned earlier.

I think by now all apps on the major platforms are age rated.  Each account on every device could be linked to a given age bracket and upper limit of expenditure. Apps which were not consonant with the age rating should not be downloadable or playable on that account. All or most games consoles can already be set like that so presumably it would not be too difficult to transfer this to other gadgets.

Companies cannot continue to evade responsibility for this age dimension. We all know there is no easy way of verifying sub-18s. That will not provide a perpetual excuse for not coming up with a solution. I appreciate that no single company can do this on its own but someone needs to mobilise the industry and, right now, no one seems to be in any great hurry to do that.

The bigger picture

I hate the idea of calling for institutional reform but perhaps we do need to rethink how we approach this whole policy area. Returning to the OFT enquiry, I fear the OFT acting alone may struggle to scale up to the international reach, knowledge and resources available to the leading apps companies.

Don’t get me wrong. It’s great that the OFT decided to dive in. Perhaps when it reports it will spark a larger debate but, in the meantime in the course of the free apps enquiry, how will the OFT work with OFCOM and Phonepayplus to ensure all bases are properly understood and covered? Together will these three bodies be able, for example, to see any ways to build on existing telephony rules that may need updating for internet based commerce and policy enforcement? Are they separately or collectively talking to the EU and the FTC? In almost any area of internet oriented policy this type of Trans Atlantic and Trans Channel dialogue is essential.


What about the privacy dimension? It is almost inevitable that in the course of the OFT investigation officials will come across substantial amounts of information about app developers’ data collection and processing practices. Indeed it is probably essential for them to understand how that side of things works because it is so completely intertwined with the app developers’ business model. In this context it makes no sense to try to see data collection and processing as being somehow detached, different or entirely separate from the rest of the business.

Should the Information Commissioner’s Office (ICO) be able or be expected to join an OFT-led multi-agency team of the sort referred to earlier? Or do we need a new legal basis and a new body that can straddle all of the issues or topics that have now become so closely intertwined as a result of the internet’s disruptive intrusion into the modern world?

Where children’s data are involved would the OFT or the ICO, or OFCOM for that matter, claim to have the full range of competencies needed to grasp confidently some of the issues which might be presented? Could the Children’s Commissioner for England or some of the children’s charities have a role to play in helping out on a case by case basis or should there be some sort of child oriented resource permanently on tap? The advice of CEOP might be important in some instances.

Trading standards

Trading standards officers and their national association, the Trading Standards Institute, do tremendous work. They are part of the front line for us as consumers. However, I think it is fair to say they have been struggling to keep up with the changes in consumer behaviour wrought by the internet. In this they are a long way from being alone.

Trading standards officers are rooted in local government. They have many important responsibilities which they exercise on behalf of their communities. All that was fine when most of us did all of our shopping and eating locally, but now we don’t. 

I am absolutely certain there is a need for trading standards operations to continue at local level but there is also a need for something that works more effectively to protect consumer interests in the age of cyberspace. Amazon is hardly going to shake in its boots if it gets a letter from Little Wallop Borough Council. Perhaps we need a single trading standards body or unit that can gather in cases from all over the country and act against individual firms or several firms simultaneously without necessarily having to invoke the sort of large scale investigation the OFT has started in relation to apps? If more trading standards officers around the UK had been on the case would there have needed to be an OFT investigation at all?

Maybe even restricting such operations to national boundaries is not ambitious enough? Perhaps the EU should have the ability to initiate consumer protection prosecutions based on facts established in a number of Member States, again rather than simply and only having to resort to the nuclear option of a full blown anti-trust investigation?

There appears to be a mechanism for the EU to fund Joint Actions between national authorities responsible for the enforcement of consumer protection laws but it seems a little ad hoc. What I had in mind at EU level is something permanent or long term, with the scope and powers of the FTC but with the whole of the EU as its field of operation. Would this require a whole raft of trading standards harmonisation or is there a sufficient framework in place now?

Consumer Bill of Rights

In the recent Queen’s Speech the Government announced its intention to bring forward a Consumer Bill of Rights. Inter alia it promises to improve and clarify substantive law and there is a specific reference to consumer rights in respect of digital content.

Do the Distance Selling Regulations, 2000 and the Sale of Goods Act, 1982 (as amended) need to be revisited? Probably, at least in respect of sales of products or services clearly intended to be consumed by legal minors. There should be a cooling off period which equates at least to the period of time it takes for a credit card or equivalent statement to arrive at home and be read. Six weeks? During the cooling off period, without the need to explain or justify the decision, it should be possible to rescind the purchase of a child’s app and for the funds to be fully restored to the card or payment mechanism from which they were taken.

Might this amount to giving kids six weeks playtime for nothing? It could. Maybe the apps industry will just need to factor that in to their business planning, alternatively they can come up with a better suggestion that convincingly proves they are not willing to risk taking liberties with a family’s finances.

Payments mechanisms

Then there’s the question of the payments mechanisms themselves. A cashless world may never happen in the lifetime of anyone reading this blog but there is no doubt we are moving closer to it every day. To state the totally obvious: this has all sorts of implications for children and young people and their families. I will return to this another time.This blog is already way too long (again).

About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised.
This entry was posted in Advertising, Age verification, Apple, CEOP, Consent, Default settings, E-commerce, Google, Internet governance, Location, Microsoft, Privacy, Regulation, Self-regulation. Bookmark the permalink.