
DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy


FTC Settlement with PayPal Resolving Allegations That Venmo Made Misrepresentations to Consumers and Violated the Gramm-Leach-Bliley Act

The FTC has entered into a Consent Agreement with PayPal, Inc., settling allegations that PayPal, through its operation of Venmo, had violated Section 5 of the FTC Act and the Gramm-Leach-Bliley Act’s (“GLBA”) Privacy and Safeguards Rules. PayPal operates Venmo, a payment and social networking application and website that allows consumers to make peer-to-peer payments, and which also shares information regarding such payments through a social network feed. The agreement will be subject to public comment for 30 days.

The complaint alleges that PayPal violated Section 5 of the FTC Act.

  • First, the complaint alleges that Venmo represented to consumers that money is credited to their Venmo account and can be transferred to an external bank account after other Venmo users have sent funds to those consumers, but failed to disclose, or to disclose adequately, that funds could be frozen or removed because Venmo had not yet approved the underlying transaction. As a result, consumers were unable to transfer funds to their bank account as promised, which in some instances resulted in overdrawn bank accounts.
  • Second, the complaint alleges that Venmo failed to adequately disclose material information about its privacy settings. By default, all Venmo transactions are shared on Venmo’s social news feed, which displays the names of the payer and recipient, the date of the transaction, and a message written by the user who initiated the transaction. In order to limit the visibility of future transactions to specific groups, consumers have been required to change two similarly labeled settings.
  • Third, the complaint alleges that until approximately March 2015, Venmo represented that it protected consumers’ financial information with “bank grade security systems” but failed to implement basic safeguards necessary to secure consumer accounts from unauthorized transactions.

Next, the complaint alleges that the Respondents violated the GLBA Privacy Rule and the Federal Reserve Board’s Regulation P (“Reg. P”) by failing to provide users with a clear and conspicuous initial privacy notice, and by failing to deliver it in such a way that customers could be reasonably expected to receive it. Specifically, the complaint alleges that providing an initial privacy notice on a screen, in grey text on a light grey background, that states “[b]y signing up, you are agreeing to Venmo’s User Agreement and Privacy Policy” did not satisfy Reg. P’s requirement of providing a clear and conspicuous initial privacy notice. Further, requiring customers to click on a link to find a description of the company’s practices regarding the collection and sharing of personal information did not satisfy Reg. P’s requirement that consumers reasonably be expected to receive the actual notice.

Finally, the complaint alleges that the Respondents failed to comply with the GLBA Safeguards Rule by failing to (i) have a written information security program before August 2014, (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and (iii) design and implement information safeguards to control the known risks to customer information.

As an administrative matter, the settlement agreement does not require any monetary penalty. Rather, it contains injunctive provisions designed to address the alleged deceptive conduct and Rule violations, requires that specific disclosures be provided to PayPal’s customers, and requires biennial audits related to its data security practices for ten years.

First, the settlement agreement prohibits PayPal from making misrepresentations regarding material restrictions, limitations, or conditions on the use of any payment and social networking service, and prohibits misrepresentations about data security and privacy.

The settlement agreement includes specific requirements when making any representation through any Payment and Social Networking Service about the availability of funds to be transferred or withdrawn to a bank account. For example, PayPal must provide a clear and conspicuous disclosure that the transaction is subject to review and that, if true, funds could be frozen or removed as a result of transaction reviews during the bank transfer or withdrawal process. “[C]lear and conspicuous” is defined for a variety of media and provides that, when using an interactive electronic medium, the disclosure must be “unavoidable.” The settlement agreement further specifies when such notices are to be provided and requires that they be separate from any privacy policy, terms of use, end user license agreement or similar document.

The settlement agreement also requires additional clear and conspicuous privacy disclosures that describe how the user’s transaction information will be shared with others and how the user can use privacy settings to limit or restrict the sharing of the user’s transaction information.

Finally, the settlement agreement requires PayPal to comply with both the GLBA Privacy and Safeguards Rules and further requires that PayPal obtain initial and biennial assessments of the Venmo Payment and Social Networking Service from a qualified, objective, independent third-party professional for ten years. As part of the assessment, PayPal must:

  1. Identify specific administrative, technical, and physical safeguards that PayPal has implemented and maintained;
  2. Demonstrate how such safeguards are appropriate to PayPal’s size and complexity, the nature and scope of PayPal’s activities, and the sensitivity of the covered information collected from or about consumers;
  3. Illustrate how the safeguards that have been implemented meet or exceed the protections required under the GLBA Safeguards Rule; and
  4. Certify that PayPal’s security program(s) is operating effectively to provide reasonable assurance that the confidentiality, security, and integrity of its customers’ information is protected.

Many FTC data security settlements require biennial assessments for 20 years, although the recent TaxSlayer settlement, which is also the most recent GLBA Safeguards Rule case, likewise limited the biennial assessments to ten years.


March 7, 2018
Written by: Discerning Data Editorial Board
Category: FTC, Privacy
Tags: GLBA, venmo
