The FTC has entered into a Consent Agreement with PayPal, Inc., settling allegations that PayPal, through its operation of Venmo, had violated Section 5 of the FTC Act and the Gramm-Leach-Bliley Act’s (“GLBA”) Privacy and Safeguards Rules.   PayPal operates Venmo, a payment and social networking application and website that allows consumers to make peer-to-peer payments, which also shares information regarding such payments through a social network feed.  The agreement will be subject to public comment for 30 days.

The complaint alleges that PayPal violated Section 5 of the FTC Act.

  • First, the complaint alleges that Venmo represented to consumers that money is credited to their Venmo account and can be transferred to an external bank account after other Venmo users have sent funds to those consumers, but failed to disclose, or to disclose adequately, that funds could be frozen or removed because Venmo had not yet approved the underlying transaction.  As a result, consumers were unable to transfer funds to their bank account as promised, which, in some instances, resulted in overdrawn bank accounts.
  • Second, the complaint alleges that Venmo failed to adequately disclose material information about its privacy settings.  By default, all Venmo transactions are shared on Venmo’s social news feed, which displays the names of the payer and recipient, the date of the transaction, and a message written by the user who initiated the transaction.  In order to limit the visibility of future transactions to specific groups, consumers have been required to change two similarly labeled settings.
  • Third, the complaint alleges that until approximately March 2015, Venmo represented that it protected consumers’ financial information with “bank grade security systems” but failed to implement basic safeguards necessary to secure consumer accounts from unauthorized transactions.  

Next, the complaint alleges that the Respondents violated the GLBA Privacy Rule and the Federal Reserve Board’s Regulation P (“Reg. P”) by failing to provide users with a clear and conspicuous initial privacy notice, and by failing to deliver it in a way that customers could reasonably be expected to receive it.  Specifically, the complaint alleges that providing an initial privacy notice on a screen, in grey text on a light grey background, stating “[b]y signing up, you are agreeing to Venmo’s User Agreement and Privacy Policy” did not satisfy Reg. P’s requirement of providing a clear and conspicuous initial privacy notice.  Further, requiring customers to click on a link to find a description of the company’s practices regarding the collection and sharing of personal information did not satisfy Reg. P’s requirement that consumers reasonably be expected to receive the actual notice.

Finally, the complaint alleges that the respondents failed to comply with the GLBA Safeguards Rule by failing to (i) have a written information security program before August 2014, (ii) identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information, and (iii) design and implement information safeguards to control the known risks to customer information.   

As an administrative matter, the settlement agreement does not require any monetary penalty.  Rather, it contains injunctive provisions designed to address the alleged deceptive conduct and Rule violations, requires that PayPal provide specific disclosures to its customers, and requires biennial audits of its data security practices for ten years.

First, the settlement agreement prohibits PayPal from making misrepresentations regarding material restrictions, limitations, or conditions on the use of any payment and social networking service, and prohibits misrepresentations about data security and privacy.

The settlement agreement includes specific requirements when making any representation through any Payment and Social Networking Service about the availability of funds to be transferred or withdrawn to a bank account.  For example, PayPal must provide a clear and conspicuous disclosure that the transaction is subject to review and, if that is the case, that funds could be frozen or removed as a result of transaction reviews during the bank transfer or withdrawal process.  “[C]lear and conspicuous” is defined for a variety of media and provides that when using an interactive electronic medium, the disclosure must be “unavoidable.”  The settlement agreement further specifies when such notices are to be provided and requires that they be separate from any privacy policy, terms of use, end user license agreement, or similar document.

The settlement agreement also requires additional clear and conspicuous privacy disclosures that describe how the user’s transaction information will be shared with others and how the user can use privacy settings to limit or restrict the visibility of that transaction information.

Finally, the settlement agreement requires PayPal to comply with both the GLBA Privacy and Safeguards Rules and further requires that PayPal obtain initial and biennial assessments of the Venmo Payment and Social Networking Service from a qualified, objective, independent third-party professional for ten years.  As part of the assessment, PayPal must:

  1. Identify specific administrative, technical, and physical safeguards that PayPal has implemented and maintained;
  2. Demonstrate how such safeguards are appropriate to PayPal’s size and complexity, the nature and scope of PayPal’s activities, and the sensitivity of the covered information collected from or about consumers;
  3. Illustrate how the safeguards that have been implemented meet or exceed the protections required under the GLBA Safeguards Rule; and
  4. Certify that PayPal’s security program(s) is operating effectively to provide reasonable assurance that the confidentiality, security, and integrity of its customers’ information is protected.

Many FTC data security settlements require biennial assessments for 20 years, although the recent TaxSlayer settlement, which is also the most recent GLBA Safeguards Rule case, likewise limited the biennial assessments to ten years.