What are legal issues for companies offering mobile commerce services?

There are two aspects to m-commerce. The first is the purchasing of goods or services via a mobile device. While the way in which such services are procured may be novel, such as using a mobile phone to pay for parking, the good news for suppliers is that they do not raise many new legal issues that the internet has not already raised.

The second aspect concerns the use of a mobile device as a payment mechanism, either by adding the price of goods to a mobile phone bill or as a stored credit card.

Are there any security risks that are unique to m-commerce?
The security risks of m-commerce are no different to those of other forms of e-commerce. The device is, by definition, mobile and so more prone to loss or theft. But the key questions the service provider has to answer are the same: how do I ensure that any payment or personal data is kept secure? How do I know with whom I am dealing?

Who is liable in the event of a security breach – the customer or the company providing the service?
In most cases the risks will lie with the service provider. However, where a mobile device is used to store value, such as where it is used as a form of electronic purse or travel card, the risk falls on the customer.

What, if any, are the differences between standard online commerce legal issues and m-commerce legal issues?
The main difference is that there is an additional layer of regulation if payment is taken via a premium-rate call or text. PhonepayPlus regulates phone-paid services in the UK and suppliers must comply with its code of practice when delivering phone-paid services.

The code requires organisations offering these services to provide clear and accurate pricing information and clear advertising. It also requires certain information to be provided to customers, in a certain format and at certain times. PhonepayPlus has the power to fine organisations that do not comply with the code.

M-commerce allows use of location data to push offers to customers. What are the privacy or legal issues around this?
Mobile phone companies, mobile phone application providers and mobile technology providers offer technology and applications that allow a user’s location to be tracked, either by using geotracking technology on the mobile device, or through mobile social applications, such as Foresquare and MyTown, which invite users to provide location-based information.

The key legal issue raised in using location data is transparency and whether or not the company tracking your location has your consent to have this data and to use it. Many people do not want their location to be tracked or used for any purpose.

The Apple iPhone terms and conditions contain a section that states: “Apple and our partners may collect, use and share precise location data, including real-time geographic location of your Apple computer or device.”

Some sites such as Sense Networks and Placecast aggregate location-based data to determine trends and use this data for advertising.

The Data Protection Act 1998 regulates the use of personal data. Personal data is data that in itself, or with other information held, identifies a living individual. Therefore, tracking information, in particular if held with other information about the individual, could be personal data and regulated by the act.

In order to use a person’s data the person collecting it – the “data controller” – must give that person enough clear information on what will be done with that information and how it will be used. The data controller must also have satisfied certain conditions within the act for using the data, for example obtaining the consent of the person to use their data. If a data controller wants to collect location information for themself or to pass it on to advertising companies, they will need to satisfy the requirements of the act, which in many cases will require the consent of the individual. In these circumstances consent must be fully informed and freely given.

If an organisation wishes to use location data to push or target offerings to customers, it raises issues under the Privacy and Electronic Communications Regulations 2003 in that a consumer cannot be sent an unsolicited marketing email or SMS without expressly consenting or opting in to receiving these advertisements.
This is subject to a limited exception where the person has previously contracted for services from a supplier and certain conditions have been met.

In each electronic marketing message the supplier must include a means by which a customer can request that they are not sent further electronic marketing messages.
Some customers will no doubt see this as an undue invasion of their privacy. Others may not be aware that they are being tracked if they have not read their terms and conditions.

This is a rapidly developing area and the law may not be able to adapt as quickly as the technology. However, there are already safeguards in place for consumers. Just as important as safeguards is awareness – suppliers need to make it clear to customers as to how new technology works and the implications for the customer.