The Federal Trade Commission (FTC) reached a deal with PayPal, Inc., settling charges that the company violated Section 5 of the Federal Trade Commission Act by misleading consumers about the extent to which they could control the privacy of their Venmo transactions.

Adding to its problems, the company also failed to explain that money credited to a user’s balance was subject to review, with the possibility that funds could be frozen or removed.

The payment and social networking app permits consumers to make peer-to-peer payments. All transactions are displayed on the Venmo social news feed that is available even to visitors who do not have a Venmo account. Users may restrict the visibility of their transactions through the app’s privacy settings.

But the FTC took issue with Venmo’s “Default Audience Setting,” which the agency said would lead a reasonable consumer to believe that he or she could limit the visibility of all future transactions. In fact, consumers were required to make a second, additional change to their privacy settings in order to ensure that all transactions remained private, the FTC said.

“These results are directly contrary to the expectations of a reasonable consumer,” according to the FTC’s complaint.

Venmo also ran afoul of Section 5 by overstating its information security practices. The company made statements including, “Venmo uses bank-grade security systems and data encryption to protect your financial information” and “Venmo uses bank grade security systems and data encryption to protect you and guard against unauthorized transactions and access to your personal or financial information.”

Until March 2015, the company did not implement sufficient safeguards to protect the security, confidentiality and integrity of consumer information, the FTC said. Instead, Venmo failed to provide consumers with security notifications regarding changes to account settings (such as when a password or email address was changed or a new device was added), leading to instances where unauthorized users successfully took over consumers’ accounts, changed the password and/or email associated with them, and withdrew funds, all without any notification to the affected users.

In a third Section 5 hiccup, Venmo misrepresented how consumers could cash out a payment, the FTC said. When payments are made, the app notifies the recipients and informs them they can transfer money to their external bank accounts linked to the Venmo account. In numerous instances, the company has stated that consumers can “cash out to any bank overnight” or “[q]uickly transfer money to your bank.”

Despite these representations, Venmo does not verify or approve a transaction until after consumers initiate a transfer of funds to an external account, which could result in either substantial delays in the transfer or reversal of the transaction, the FTC alleged in its administrative complaint.

The company failed to disclose this fact, which resulted in financial hardships for consumers who were then unable to pay their rent or other bills, while some users incurred a loss after delivering an item to a purchaser only to find that the money that was purportedly credited had been removed from their account.

Additional violations of the Gramm-Leach-Bliley Act (GLBA) and accompanying regulations (including the Privacy Rule, Regulation P and the Safeguards Rule) were also cited by the FTC.

To settle the charges, Venmo—which neither admitted nor denied any of the allegations in the complaint—agreed not to misrepresent any material restrictions, limitations or conditions on its services, or make statements misrepresenting the extent of control provided by privacy settings.

Affirmatively, the company promised to clearly and conspicuously disclose that transactions are subject to review and that funds can be frozen or removed as a result of a transaction review. It will also provide users with information about using privacy settings to limit or restrict the visibility or sharing of their information.

Future violations of the GLBA and accompanying regulations are banned, with biennial assessments and reports from an independent third party required for a ten-year period.

To read the complaint and agreement containing the consent order in In the Matter of PayPal, Inc., click here.

Why it matters: “Consumers suffered real harm when Venmo did not live up to the promises it made to users about the availability of their money,” FTC Acting Chair Maureen K. Ohlhausen said in a statement about the action. “The payment service also misled consumers about how to keep their transaction information private. This case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.” What other lessons can businesses take from the case? Be clear about consumers’ payments, think through data defaults, keep privacy options accurate, and check to see whether the company is covered by the GLBA and its accompanying regulations, the FTC advised in a blog post.