On Friday, Texas Attorney General Ken Paxton announced a settlement with PayPal, resolving allegations that its Venmo money transfer app violated the Texas Deceptive Trade Practices Act by failing to clearly disclose how consumers’ phone contacts would be used, or how consumers’ transactions and interactions with other users would be shared, and misrepresenting that communications from Venmo were from particular users. According to the state, these practices likely resulted in consumers publicly exposing private information.
Under the terms of the agreement, PayPal agreed to pay $175,000 (a $135,000 penalty and $40,000 in costs and attorneys’ fees) and to:
- Only access users’ contacts after clearly and conspicuously disclosing (1) the type of information that will be accessed, (2) the specific ways in which PayPal is authorized to use such information, and (3) how the autofriend feature works and how to disable it after enrollment.
- Before a consumer completes Venmo enrollment, disclose that, as part of enrollment, any user who has not disabled the autofriend feature and has the consumer listed as a contact will be notified that the consumer has joined Venmo.
- Ensure that its security disclosures are true and correct (e.g., not represent that it provides “bank-grade security” unless the statement is true and correct).
- Clearly and conspicuously disclose the audience setting for any transaction in close proximity to the transaction description or call to action.
- In the payment or withdrawal notice, clearly and conspicuously disclose (1) at what point the transaction may be final, and (2) any circumstances which may affect the ability to withdraw funds.
- Clearly and conspicuously disclose any available optional security features.
- Clearly and conspicuously disclose, via an in-app disclosure and via email, (1) the audience sharing settings available for transactions, and the fact that settings will be set to public unless the user takes affirmative action to change them; (2) whether or not PayPal offers buyer and seller protections relating to transactions; (3) the types of transactions that are prohibited; (4) circumstances which may affect the ability to withdraw funds; (5) any optional password security features; and (6) information about the autofriend feature and how to disable it once enrolled.
- Clearly and conspicuously disclose methods by which consumers may contact customer service, which must be available at reasonable hours.
- Not send an email or other messages that purport to be from or on behalf of a Venmo user without that user’s express authorization.
In a recent SEC filing, PayPal disclosed that it had received an FTC civil investigative demand (CID) related to Venmo in March 2016. The disclosure is a reminder that consumer protection investigations and enforcement may come from more than one regulator at a time.