As the saying goes, it is never a good idea to mess with the Lone Star State. And the online service PayPal learned this lesson the hard way recently. It entered a settlement with Texas Attorney General Ken Paxton to resolve complaints about the privacy practices of PayPal’s Venmo mobile phone app.
The settlement resulted from an investigation by the Texas AG’s office looking into potential violations of the Texas Trade Deceptive Act. This is from the AG’s press release:
The Texas Attorney General’s Consumer Protection Division conducted an investigation for potential violations of the Texas Trade Deceptive Act (DTPA) and found a number of issues regarding the safety and security of the Venmo app. According to investigators, Venmo used consumers’ phone contacts without clearly disclosing how the contacts would be used, did not clearly disclose how consumers’ transactions and interactions with other users would be shared, and misrepresented that communications from Venmo were actually from particular Venmo users. As a result, consumers may have publically exposed private information regarding their payments. In January 2016 alone, Venmo processed $1 billion in transactions.
While PayPal does not admit any wrongdoing, as part of the settlement, it agreed to more accurately describe to users how it will use their information and will clearly and conspicuously disclose to new customers its data handling practices. It will also ensure that any representations about its security practices will be accurate. Apparently, PayPal’s assurances that it used “bank-grade security” may not have been completely warranted. PayPal promised that going forward, it would send an e-mail with full disclosures about privacy and data handling within 24 hours of a user enrolling in Venmo.
Finally, PayPal agreed to pay $175,000 to the state of Texas. The payment seems pretty modest as these things go, but the agreements relating to its business practices will be more onerous.
The lessons from the settlement are obvious. If your organization collects personally identifiable information, get an understanding of what your organization does with it. Think through what information you really need to collect and think through whether and under what circumstances you plan to share it. Then let your customers know your practices – clearly and conspicuously. And whatever you say do to ensure the security of your customers’ information – DO IT. I know this advice sounds like it came directly from Captain Obvious. But PayPal’s Texas adventure suggests it may not be as obvious as it looks.