PayPal is a prominent payment service useable in most online transactions. It gained the attention of the FTC due to PayPal’s Venmo service misleading customers about the ability to transfer funds to external bank accounts as well as the privacy of Venmo transactions. PayPal also failed to disclose that they can freeze or remove funds based on the Venmo’s review of the transaction in question.
Many consumers ran into issues with using the core feature of PayPal’s Venmo, transferring money. This was due to Venmo’s ability to freeze funds without disclosing it to their users. Several different retailers would complete a transaction with a customer, send the product to the customer, then have the payment revoked by Venmo.
Venmo had a transaction privacy issue in addition to being able to revoke funds without notice. Some of their consumer’s transactions would show up on Venmo’s social news feed. They offered settings to limit who can view transaction history but mislead their consumers on how they functioned. A Venmo consumer can limit their default audience but for those changes to stick for future transactions, the user must change a second setting. In addition, the other party in the transaction can override the privacy settings and make the transaction public on their end thus negating any privacy settings in effect.
The bank grade security promised by Venmo mislead customers into thinking their finances were more secure than they were. Until August of 2014 Venmo did not even have a written information security program. Users were also not notified if their account password or email changed or when a new device was added to the account. This led to unauthorized users being able to withdraw funds from consumers’ accounts without their knowledge. The FTC alleged that PayPal breached the Gramm-Leach-Bliley Act’s Safeguards Rule. This Rule required financial institutions to implement safeguards to protect the security, confidentiality, and integrity of customer information. The FTC also found PayPal in violation of the Privacy Rule of the same act, that required financial institutions to give account notices to their userbase.
In a ruling of 2-0, the FTC prohibited Venmo from misrepresenting any restrictions regarding the use of its service, the degree of security used by Venmo, and the privacy settings of the user. Venmo was prohibit from violating any of the Rules listed in the Gramm-Leach-Bliley Act. Venmo was also tasked with sending disclosures pertaining to account updates, privacy settings and transaction practices. They are also subject to a third-party assessment for compliance to this agreement on a biennial basis for ten years.
Sources
PayPal Settles FTC Charges That Venmo Failed to Disclose Information to Consumers About the Ability to Transfer Funds and Privacy Settings; Violated Gramm-Leach-Bliley Act.” Federal Trade Commission, 24 May 2019, http://www.ftc.gov/news-events/press-releases/2018/02/paypal-settles-ftc-charges-venmo-failed-disclose-information.
-Aidan Kies
RIT Cyber Security Policy and Law Class Blog 