The Federal Trade Commission (“FTC”) settled with PayPal over allegations that Venmo, a peer-to-peer payment service that PayPal owns, offered deceptive privacy choices, misrepresented the availability of user funds, and failed to abide by its security promises. The proposed settlement and corresponding complaint offer useful lessons for companies within and outside of the financial sector.
Make Your Privacy Settings Simple and Easy to Understand
In its complaint, the FTC alleged, among other claims, that Venmo deceived consumers by failing to make clear that changing the default settings, which publicized a user’s transactions with a brief narrative on Venmo’s social feed and a public profile, required the user to take multiple steps. According to the FTC, Venmo’s labeling of its Default Audience setting likely led reasonable consumers to believe that they could ensure that their transactions remained private by changing the default on this setting alone. Users who set the Default Audience setting to “Participants Only” would likely assume that, by making this selection, all of their transactions would be viewable only by the participants in their transactions. In fact, however, users needed to change both this setting and a second setting (the Transaction Sharing setting) in order to ensure that their transactions remained private. Otherwise, the settings or actions of one user in the transaction could override the clearly expressed attempt of the second user to keep the transaction private. According to the FTC, “[t]hese results are directly contrary to the expectations of a reasonable consumer” and Venmo’s inadequate representations amounted to a deceptive act. The FTC stressed that Venmo exacerbated the issue by incorrectly describing its privacy settings in its Privacy FAQs. This case highlights potential risks with multi-step privacy settings, and is a good reminder to review privacy settings carefully to ensure that they are clearly labeled, easy to use, and accurately described in all representations to consumers.
Ensure That Your Representations to Consumers Set Reasonable Expectations
The FTC also alleged that Venmo represented to users (both in transaction-specific notifications and in statements on its website and in mobile app stores) that they could transfer their Venmo funds to their bank account “overnight.” However, because Venmo reviews transactions for fraud, insufficient funds, or other problems after the user initiates a request to transfer funds, some peer-to-peer transactions would be significantly delayed or even reversed, making those funds unavailable for transfer. The FTC claimed that these delays harmed some consumers, preventing them, for example, from paying rent on time. The FTC did not find fault in Venmo’s transaction-review practices, but rather considered deceptive the failure to provide sufficient caveats and disclaimers in statements about the availability of funds. Moreover, despite receiving thousands of complaints about the delays or loss of funds, Venmo never modified its representations. The FTC’s approach here demonstrates the importance of reviewing all consumer-facing communications – not just the Terms of Service but also FAQs, text messages, emails, and push notifications – to ensure that they are accurate and do not create misimpressions.
Be Mindful of Your Security-Related Promises
The FTC’s complaint also asserted that Venmo, until at least March 2015, misrepresented the extent of security it provided to its users’ accounts. Although Venmo claimed to utilize “bank-grade security systems,” its practices did not adhere to this promise. Venmo did not have a written information security program and failed to implement sufficient safeguards to protect its consumers’ information. For example, the company failed to notify users when their password or email address was changed or when a new device was added to their account. Additionally, because Venmo failed to maintain adequate customer support capabilities, consumers were often unable to reach support representatives. Furthermore, because Venmo is significantly engaged in “transferring money” and the processing and transmission of financial data, the FTC claimed that it is a “financial institution” under the Gramm-Leach-Bliley Act (“GLBA”), and its failure to maintain a comprehensive written security program with certain enumerated safeguards violated the Safeguards Rule. The settlement is a good reminder that the FTC expects companies’ security safeguards to include consumer-facing practices such as security notifications and customer support. Additionally, the FTC’s focus on Venmo’s promise of “bank-grade security systems” highlights the need to carefully consider the precise terms that companies use in their security representations.