March 09, 2018 Practice Points

PayPal Pays the Piper with FTC Settlement Over Venmo’s Disclosure, Privacy, and Security Practices

Important lessons for businesses on privacy, security, and functionality

by Edward A. Marshall and Bradford Kelley

The growth and innovation of Fintech firms over the past several years have been exciting to watch, especially in the realm of peer-to-peer payments. Venmo, Zelle, and similar services have revolutionized the way consumers transfer funds to one another, offering a level of convenience and speed that has been lacking in traditional payment channels. But these new entrants to the market are not immune from the regulatory oversight that has long been present in the payments landscape. A recent settlement between the Federal Trade Commission (FTC) and PayPal underscores that reality.

Specifically, on February 27, 2018, the FTC announced that it had reached a settlement with PayPal, Inc., over allegations that Venmo misled customers about users' ability to transfer funds and about its privacy and security practices. Venmo, a PayPal-owned mobile payment and social networking application, allows users to transfer money to one another and share information about such payments through a social news feed. According to the FTC’s complaint, Venmo failed to disclose that fund transfers could be delayed, frozen, or reversed after Venmo had already sent users notifications indicating that the transaction had been validated. The complaint alleged that consumers were often unable to transfer funds as promised, resulting in financial hardships such as being unable to pay rent or other bills. Acting FTC Chairman Maureen K. Ohlhausen explained in a statement, “Consumers suffered real harm when Venmo did not live up to the promises it made to users about the availability of their money.”

The FTC further alleged that Venmo misled users about the privacy of information relating to their transactions. Under Venmo’s default settings, all peer-to-peer transactions were publicly displayed on Venmo’s social news feed. Even though Venmo provided information about how to customize a user’s privacy settings so users could limit who could view their transactions, it allegedly failed to inform users how those privacy settings actually work. The complaint contended that “Venmo exacerbates these problems by incorrectly describing its privacy settings in its Privacy FAQs.”

The FTC also claimed that Venmo misrepresented the extent of security it provided to consumer financial accounts and claimed it provided “bank grade security systems” when it did not. The FTC additionally complained that Venmo violated the Gramm-Leach-Bliley Act’s Privacy Rule by failing to provide customers with a clear initial privacy notice. Moreover, the FTC alleged that Venmo violated the act’s Safeguards Rule by failing to have a comprehensive written information security program and by failing to implement safeguards to protect consumer information.

The proposed administrative settlement prohibits Venmo from misrepresenting any material restrictions on the use of its service, the extent of control provided by any privacy settings, and the extent to which Venmo implements or adheres to a particular level of security. The settlement further requires Venmo to make certain disclosures about the company’s transaction and privacy practices, and mandates compliance with the Safeguards Rule and the Privacy Rule. Moreover, the proposed settlement requires Venmo to undergo third-party assessments of its compliance with these rules every two years for the next 10 years.

There are several lessons to be learned from the settlement. First, it shows that new players in the payments space, for all their innovation and outside-the-box thinking, are still subject to the same consumer protection laws, regulations, and oversight as their more traditional counterparts. Second, it reinforces that all businesses need to make clear disclosures about privacy, security, and functionality to consumers. And, third, it underscores that privacy and security safeguards cannot be pushed to the end of a Fintech company’s innovation queue. As acting FTC chairman Ohlhausen notes, “This case sends a strong message that [Fintech firms] need to focus on privacy and security from day one.”

To help achieve these goals, businesses should ensure that privacy options are accurate and clearly conveyed. If businesses provide privacy options, these options should be straightforward for consumers so they can select the settings that meet their preferred privacy level. Furthermore, businesses should strive to make sure that reasonable data defaults are in place. To do so, companies should routinely review disclosures and data defaults to ensure they are accurate and consistent with reasonable consumer expectations. Finally, businesses need to know whether they are covered by the Gramm-Leach-Bliley Act’s Safeguards Rule and Privacy Rule. The act applies to “financial institutions,” but this term is defined in a broad manner so the scope of the act is fairly expansive. As such, it is important to know whether your company is subject to these rules.

Edward A. Marshall is a partner in Arnall Golden Gregory LLP’s Atlanta, Georgia, office. Bradford J. Kelley is an associate in the firm’s Washington, D.C. office.

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).