FTC Settles with PayPal Over Venmo Privacy and Security Violations
The (Federal Trade Commission) FTC settled charges that PayPal subsidiary Venmo misled users by failing to disclose information to consumers about the ability to transfer money and well as misleading them about privacy settings in violation of the Gramm-Leach-Bliley Act Safeguards and Privacy Rules.
The FTC alleges that Venmo violated the Gramm-Leach-Bliley Act’s Safeguards Rule by no implementing safeguards to protect the security, confidentiality, and integrity of customer information. You know those privacy notices and “how we use your data” notices that you receive in the mail printed on flimsy paper from your credit card companies? Venmo also did not deliver those to their customers which is a violation of the Gramm-Leach-Bliley Act.
What is Venmo?
Venmo is a web and mobile app for Android and iPhones. It allows people to transfer money between each other. Venmo, LLC was founded in 2009 and is a subsidiary of PayPal, Inc. The app has over 10-million users as of the end of December 2017.
PayPal is the global online payment system recently spun-off from online marketplace eBay.com
In addition to the privacy and security accusations, The FTC maintained that PayPal, Inc did not adequately disclose that Venmo funds from transactions may not be immediately available for transfer to an external bank account. The Venmo transactions were subject to review and that funds could be frozen or the transfer reversed after the user was notified their money was available.
A common use for Venmo is to share the cost of a restaurant bill or bar tab amongst friends or co-workers. Consumers also use Venmo to receive payment for goods sold to other individuals through avenues such as the Facebook marketplace. In some instances, Venmo reversed money received by a seller after goods were delivered causing the seller to lose money or have in sufficient funds in their accounts.
Venmo also has social media functions integrated in the app. Details about user’s transactions were by default shared on Venmo’s social newsfeed unless a user shut the notifications off. The FTC complaint alleged that Venmo misled users on how to keep their transaction private. It was unclear that a user had to change two settings to keep their transactions off the social newsfeed and truly private. If the second setting was not edited then other people in the transaction could change the notifications to public even though a user had chosen to limit their “default audience” for transactions.
FTC Chairman Maureen Ohlhausen said, “This case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.”
Because of the settlement, Venmo is compelled to disclose its transaction and privacy practices to consumers.
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers