Online payment company settles with FTC over false financial claims

Coinster

Think of Venmo as the Napster of online payments.

Back when Napster walked the earth, its peer-to-peer network was a novel take on file sharing. The central Napster service would monitor users and the files that they were willing to share. When a user requested to download a particular file, the service would draw on different pieces of the file held by other Napster patrons and assemble it on the user’s local machine.

Venmo followed a similar model: account holders could attach their account to multiple debit cards, credit cards and bank accounts. After assembling an account balance by drawing on these accounts, the user could pay out funds to other Venmo users or receive payment in turn.

By handling the funds in their own holding accounts, Venmo decentralized payment systems, opening up myriad payment opportunities.

Triple Complaint

PayPal liked the Venmo approach enough to snap up the company in 2013, only two years after it launched. But PayPal landed in hot water with the Federal Trade Commission in February 2018, when it was named in a complaint alleging several infractions.

First, Venmo users were told through several of the company’s channels, including the Venmo app itself, that funds they received from other users were available for transfer “overnight.” Despite this assurance, the FTC claimed that “Venmo [waits] until a consumer attempts to transfer funds to his or her external bank account to review the transaction for fraud, insufficient funds, or other problems.” The funds were often frozen, delayed or reversed if the service suspected fraud or questionable activity, often allegedly taking longer than overnight.

Additionally, the Commission accused Venmo of misleading its users about the privacy of their transactions. By default, the service posts a public feed of all transactions that can be read by users and non-users alike, in real time. The Commission claimed that the settings that allowed users to opt-out of this public feed, and other public postings such as on user profiles, were unnecessarily confusing and could lead to the exposure of information they would rather conceal – potentially sensitive information about how much was paid to whom, when, and because the message sent to the recipient was also publicly posted, sometimes for what. In addition, each Venmo user was given a public profile page that publicly posted their last five incoming and outgoing transactions for the world to see. In order to opt-out, users, the FTC contends, had to change two separate and hard-to-find settings, and a user’s settings could also be overridden by the other person in a transaction. Further, the FTC pointed to Venmo’s Privacy FAQs that were not consistent with how privacy defaults and setting options worked. Examples of specifics the FTC found to be explicitly deceptive, or to constitute deceptions by omission of material information, included:

The Default Audience Setting had three options: public, friends or participants. However, selecting participants did not, in fact, have the effect of making all aspects of transactions private. Users would also need to go into Transaction Sharing Settings and change the “Everyone” default to “Only Me.” Otherwise, if the other party (User B) to a transaction had not limited their privacy settings, they would publicly publish the information unless the first party (User A) had set both settings to private mode. Further, User B could retroactively make a transaction public even if User A had set both settings to privatode. Similar issues were alleged to apply to per-transaction privacy setting tools.

These privacy problems were alleged to be not only deceptive under Section 5 of the FTC Act but to also violate the privacy obligations of financial institutions under the Gramm-Leach-Bliley Act, which, among other things, requires affirmative acknowledgement of and a compliant initial privacy notice as a necessary step of obtaining financial services. Merely posting the notice “By signing up, you agree to Venmo’s User Agreement and Privacy Policy” “in grey text on a light grey background” at the bottom of the page – when the sign-up action buttons were at the top of the page – was, the complaint alleges, insufficient.

The complaint also included allegations that Venmo’s security systems were insufficient to fulfill its obligations under the Gramm-Leach-Bliley Act or its promise of “bank grade security,” specifically by:

Failing to have a written information security program; Failing to assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information; Failing to provide security notifications to the consumer, such as notifications that their password or email address has changed, or that a new device was added to the consumer’s account; and Failing to maintain adequate customer support to timely investigate and respond to user’s reports concerning account compromise or unauthorized transactions.

The Takeaway

PayPal settled the suit and entered into a 20-year consent order.

The settlement and consent order binds Venmo from making misrepresentations about the three general “buckets” of allegations: restrictions on fund transfers, privacy levels and security initiatives. On the security front, the company is also bound to adhere to the Gramm-Leach-Bliley Act’s Safeguards Rule – which mandates security, confidentiality and information integrity safeguards – and the Privacy Rule, which requires privacy notices to be given to customers.

All online services should learn from the FTC allegations regarding privacy, transparency and choice. The FTC concluded that the public sharing of transaction data by default, and the cryptic and difficult to effectively use privacy settings were “directly contrary to the expectations of a reasonable consumer,” and Venmo’s “failure to disclose or disclose adequately the material information [regarding what transaction was shared under what circumstances and how it could and could not be limited] is a deceptive act or practice.” Transparency failure can constitute deception. Inadequate explanation of choice, or ineffective choice, can also be deceptive. Also, beware of other statements you make that are inaccurate. Here, Venmo’s Privacy FAQs were alleged to be inaccurate and thus explicitly deceptive. Finally, security assurances that do not live up to their promises are a deceptive practice.

Because Venmo is a financial institution, the Gramm-Leach-Bliley Act holds it to higher standards of privacy and security than apply to non-financial institutions, and the FTC used that law rather than the more general limitation on deceptive and unfair practices under Section 5 of the FTC Act to pick apart other Venmo practices. However, all companies should take note that the FTC took issue with unexpected privacy practices concerning public financial information sharing buried in a privacy policy and the lack of consent to those when the closest thing to affirmative acceptance was an inconspicuous notice on the registration page that account set-up would be deemed consent. Unexpected privacy practices should be highlighted at the point of consent or collection, and an online consent should be configured in a way that the user must take actions that unequivocally indicate an intent to accept terms that are made available for viewing. A better approach would have been “[_] By checking the box and clicking AGREE, I confirm I have read and accept the Terms and Privacy Policy. [AGREE]”

Another interesting takeaway is that although the FTC alleged actual financial harm had been incurred by users due to not completely accurate representations about “instant” funds availability (e.g., users sold event tickets based on a Venmo transaction, only to later learn it was completed after the person was gone and the event concluded), it limited its unfairness authority claims to inadequate security allegations. This shows the new FTC is shying away from the efforts by the Commission under the prior administration to expand unfairness authority into the realm of privacy and marketing and sales claims.