On February 27, the Federal Trade Commission (FTC) reached a settlement with Paypal, Inc. relating to the privacy and security practices of Venmo, Paypal’s peer-to-peer payment service. The FTC alleged that Venmo failed to adequately disclose to its users that transfers of funds from their Venmo balances to external bank accounts were subject to review, and such funds could be frozen or removed in cases of suspected fraud. The FTC’s complaint also charges that Venmo misled users about the scope of Venmo’s “bank grade security systems,” as well as the extent to which users could control the visibility of their transactions.
Venmo allows individuals to send and receive payments to other Venmo users by using either a mobile app or Venmo’s website. To access these features, users are required to create an account, which they may link to an external bank or payment card account. When a user receives money, the funds they receive are credited to their “Venmo balance.” If a user attempts to make a payment and has insufficient funds in their Venmo balance to cover the payment, the user will be prompted to cover the difference by depositing funds through an external source. Users receive notifications via text message, email, or push notifications when they receive a payment through the service.
According to the FTC’s complaint, Venmo has previously represented that users may transfer funds from their Venmo balance to their bank overnight. However, in a number of instances, users were unable to access funds due to a delay in reviewing the underlying transactions for fraud or other issues. In addition to these problems, the FTC identified an ambiguity in Venmo’s privacy settings. By default, all Venmo transactions are made public, and users may view recent public transactions on the Venmo app. A setting within the Venmo app allows users to change the “default audience” for their transactions to either public (the default setting), friends of the user, or only the transaction participants. However, adjusting this setting affects only transactions that are initiated by the user; if the user receives a payment from a user with different privacy settings, the sender’s settings will determine how the transaction is shared. If the user wishes to restrict the audience of all transactions in which they are involved and not just those they initiate, the user must locate a second setting, labeled “Transaction Sharing,” that appears in a different section of the Venmo settings than the other privacy settings.
In addition to these concerns, the FTC alleged that Venmo was in violation of the Gramm-Leach-Bliley Act for failing to provide proper privacy notices or appropriately safeguard customer information. The FTC has authority to enforce these rules against certain financial institutions.
The FTC’s enforcement action is a reminder that the agency remains active in policing privacy practices, but it also serves as a warning that the FTC’s enforcement authority extends into sectors typically regulated by other federal agencies. The Gramm-Leach-Bliley Act applies broadly to “financial institutions,” and the FTC has authority to enforce the portions of the act governing privacy of customer information against a wide range of financial institutions, including those that may ordinarily be subject to the investigatory power of the SEC, CFTC, or CFPB. This can come as quite a surprise to companies that assume they only have one federal agency to worry about.
The FTC’s role in shaping the scope of data protection regulation in the United States is becoming more and more evident every day. Businesses in all sectors should take notice—even those that may believe they are outside the FTC’s jurisdiction.