On February 27, 2018, the Federal Trade Commission (“FTC”) announced a proposed administrative settlement with PayPal, Inc. over allegations that the company failed to make adequate disclosures to users regarding its Venmo peer-to-peer payment service. The settlement underscores the importance of effectively disclosing material information to consumers, including accurately communicating privacy and security practices and user control over optional settings.
Specifically, the FTC alleged that Venmo
- Failed to adequately inform users that fund transfers could be delayed, frozen, or even reversed after Venmo provided users with notifications suggesting that Venmo had validated the financial transaction, such as “Money credited to your Venmo balance. Transfer to your bank overnight.” Venmo allegedly knew about, but failed to address, the confusion caused by the notifications. Many users relied on the validity of that notification (e.g., to pay bills, complete sales transactions, or transfer funds to their bank accounts), and suffered financial hardships when Venmo’s later review of the transaction resulted in the funds being unavailable or delayed or the transaction being reversed..
- Misled users about keeping their transactions private. By default, Venmo transactions are displayed on Venmo’s social news feed (including names of sender and recipient, and, if provided purpose of transaction and accompanying message). Although Venmo provided information about customizable privacy settings, it allegedly did not adequately inform users about the multiple changes required to limit current and future visibility and to avoid having their own settings overridden by those of the other party to the transaction.
- Misrepresented the security of users’ financial accounts, including that it provided “bank-grade security systems” when it did not and allegedly did not even provide basic safeguards during part of the period covered by the Complaint
- Violated the Gramm-Leach-Bliley Act’s Privacy Rule by failing to provide customers with an accurate, clear, and conspicuous initial privacy notice and the Safeguards Rule by failing to have a written comprehensive information security program, risk assessment process, and reasonable security safeguards for the period until approximately August 2014, as well as the Privacy Rule. The Safeguards Rule requires financial institutions to implement measures to protect the security, confidentiality, and integrity of customer information. The Privacy Rule requires financial institutions to explain their privacy practices to customers through a privacy notice.
The proposed administrative settlement, which is open for public comment until March 29, 2018, prohibits PayPal from misrepresenting the operations, security, and privacy of its payment and social media systems, requires it to disclose specific types of material information, and mandates compliance with the Privacy Rule and the Safeguards Rule. In addition to the usual housekeeping provisions, PayPal must also undergo a third-party assessment of its data security practices within 6 months of the Order being entered, and every two years thereafter for the next ten years.