BUILDING PRIVACY INTO MOBILE WALLETS
The use of mobile wallets is set to increase in 2014, with many big players in the mobile, financial and technology sectors due to launch their own branded wallets later this year: Zapp (provided by an alliance of Santander, Nationwide, HSBC, First Direct and Metro Bank) and Smart Pass (provided by Vodafone) are both set to launch in the UK in Spring 2014. Whilst the benefits of mobile wallets for individuals are well publicised (essentially a faster and more convenient payment option), companies launching mobile payments, and users, need to be aware of the privacy implications of such technologies and build privacy into their design.
What are mobile wallets?
A mobile wallet refers to the use of mobile or tablet devices to carry out financial transactions, such as purchasing an item, transferring money between bank accounts or checking account balances. Increasingly, mobile wallets incorporate additional features such as the ability to store personal account details, electronic tickets such as boarding passes or concert tickets, or loyalty points or vouchers. Mobile wallets may be provided directly by the financial institution that holds the individual’s current account, or by third parties, such as Google Wallet and Amazon.com Payments.
Security is the biggest concern for mobile wallets. The wealth of personal information stored in a mobile wallet makes it a key target for hackers and cyber criminals, who may access not just financial information but also gain valuable insight into an individual’s day-to-day activities through the transaction details, loyalty cards, vouchers and tickets that may be stored on the device. Although mobile wallets may raise the level of security risk, such risks are not unique. Electronic payments, whether at the point of sale or online, also raise similar security risks, and none can ever be entirely secure. In some instances, however, mobile wallets may reduce security risk because, once the mobile wallet is activated, a user does not have to re-enter payment information when making purchases online. Either way, security will be key to the success of a mobile wallet.
There are a host of technologies which mobile wallets may utilise, such as Near Field Communication (which allows devices to interact via radio communication when in close proximity to one another), Quick Response Codes (bar codes which link to websites and emails), Bluetooth or mobile remote technology (which allows a transaction to be conducted over a mobile telecommunication network). Whichever technology is utilised, mobile wallet providers must ensure that appropriate security measures are implemented, including user identification and authentication, access controls, encryption and anti-virus software to prevent mobile malware. Individuals too must take responsibility for security. They should be provided with guidance on the steps they need to take to ensure the security of their mobile wallet and what to do, for example, if a device is lost or stolen.
Mobile wallet providers are legally required to give individuals information on what data are utilised, by whom and for what purposes. Mobile wallet providers typically reflect this in their Terms and Conditions as well as in pop-ups or FAQs. Individuals should ensure that they read these notices carefully, and in particular, the information provided on the processing of their personal data, including with whom their data will be shared as well as other purposes for which the data may be processed.
The rise of mobile wallets goes hand in hand with the explosion of Big Data. Traditionally mobile wallets have focussed purely on financial transactions, but increasingly mobile wallets are utilised for other purposes, such as to dispense store vouchers and administer loyalty programs. Such uses go beyond the transactional nature of mobile wallets and provide an example of Big Data in practice, i.e., using algorithms and analytical tools to process and consolidate data generated from individuals’ use of their mobile wallet. The results can then be used to customise an individual’s mobile wallet to their preferences and habits, provide intuitive recommendations to purchase similar products, offer relevant promotions, or to store multiple loyalty cards so they can be used at the relevant time. Such activities are clearly beneficial to individuals, but it is essential that they understand how their data will be used. Individuals wishing to utilise their mobile wallet for financial transactions only should ensure they select the appropriate mobile wallet provider which utilises data for this purpose only. Those individuals wishing to take advantage of the other benefits that a mobile wallet offers should ensure they fully understand how their data will be analysed and harnessed in order to generate the benefits they receive.
Mobile wallets are rapidly increasing in popularity in the market, but the privacy implications are often not well understood. The data privacy challenges can be mitigated; ultimately, the popularity of mobile wallets will come down to the benefits they offer consumers over current methods of payment. Providing mobile wallets in a secure and transparent way will feed into these benefits.
Bridget Treacy, Managing Partner and head of the UK Privacy and Cybersecurity practice at Hunton & Williams, London – http://www.hunton.com/Bridget_Treacy/
Anita Bapat, Associate in the UK Privacy and Cybersecurity practice at Hunton & Williams, London - http://www.hunton.com/anita_bapat/