On February 27, 2018, the Federal Trade Commission (“FTC”) announced an agreement with PayPal, Inc., to settle charges that its Venmo peer-to-peer payment service misled consumers about privacy and about the extent to which consumers’ financial accounts were secured. This is the second significant FTC settlement in the past three months to address these issues, following the FTC’s action against TaxSlayer, Inc., and it signals a renewed focus by the FTC on violations of the Gramm-Leach-Bliley Act’s (“GLBA’s”) Privacy and Safeguards Rules.
The FTC’s complaint alleged that Venmo violated the Privacy Rule in three separate ways. First, Venmo failed to provide a clear and conspicuous privacy notice, because the notice did not call attention to the nature and significance of its contents: the privacy notice in Venmo’s mobile application (the “Venmo App”) was presented in grey text on a light grey background that was not conspicuous to Venmo users. Second, Venmo did not provide an accurate notice describing how it shares users’ personal information. Venmo’s privacy notice stated that it shared users’ personal information with members of their Venmo “social web” only if they designated their account transactions as “public.” In fact, by default Venmo shared this information with everyone online, including individuals who did not have a Venmo account. Finally, Venmo did not deliver the initial privacy notice in a manner such that each customer could reasonably be expected to receive it. The privacy notice was included as a hyperlink in the Venmo App, but users were not required to acknowledge its receipt “as a necessary step to obtaining a financial product or service.”
The FTC complaint also alleged that Venmo misrepresented its information security practices by stating that it “uses bank-grade security systems and data encryption to protect your financial information.” Despite that representation, the FTC alleged that Venmo violated the Safeguards Rule by failing to (1) maintain a written information security program; (2) assess the risks to the security, confidentiality and integrity of customer information; and (3) implement basic safeguards, such as notifying users when their passwords were changed.
In the settlement, Venmo is prohibited from misrepresenting the level of protection provided by its privacy settings and the extent to which Venmo implements or adheres to a particular level of security. Venmo is also prohibited from violating the Privacy Rule and the Safeguards Rule and is required to obtain biennial third-party assessments of its compliance with these rules for 10 years.
In announcing the settlement, Acting FTC Chairwoman Maureen K. Ohlhausen noted that consumers suffered real harm from Venmo’s misrepresentations and stated that “this case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.”