PayPal Settles FTC Charges Regarding Venmo’s Failure to Disclose Information to Consumers About the Ability to Transfer Funds and Misleading Consumers About the Extent to Which Consumers Could Control the Privacy of Their Transactions
The Federal Trade Commission announced that it has reached a settlement with PayPal, Inc. over allegations that PayPal told users of its Venmo peer-to-peer payment service that money credited to their Venmo balances could be transferred to external bank accounts without adequately disclosing that the transactions were still subject to review and that funds could be frozen or removed.
The FTC’s complaint also charges Venmo with misleading consumers about the extent to which they could control the privacy of their transactions. Additionally, PayPal-operated Venmo, “a payment and social networking application and website that allows consumers to make peer-to-peer payments and to share information regarding such payments through a social network feed,” allegedly, misrepresented the extent to which consumers’ financial accounts were protected by “bank grade security systems” and violated the Gramm-Leach-Bliley Act’s Safeguards and Privacy Rules.
Venmo Allegedly Aware of Consumer Confusion, “User Frustration,” and Financial Loss
According to the FTC’s complaint (In the Matter of PayPal, Inc.):
Many thousands of consumers have complained to Venmo about the delays or loss of funds from their Venmo balance when they tried to transfer funds to their bank accounts. News articles from several media outlets since at least 2015 have highlighted the harm to consumers, which is sometimes in the thousands of dollars. Many consumers have reported suffering significant financial hardship due to not being able to transfer funds, including the inability to pay rent or bills with funds they expected to transfer out of Venmo. Other consumers have relied on the notifications indicating a sender paid them and supplied event tickets or other valuable items to the sender in exchange for funds, and consequently incurred a financial loss when Venmo removed the funds from their balance. In numerous instances, consumers who have attempted to contact Venmo have been unable to reach a representative or have not been provided with an explanation for or resolution to the problem with their account.
Internal company emails also have demonstrated that at least as early as mid-2015 Venmo was aware of “user frustration” and confusion experienced by consumers whose accounts were frozen or who suffered financial loss when transactions were reversed. Nevertheless, Venmo has continued representing, without qualification, that once money is credited to consumers’ Venmo accounts, consumers can transfer the money to their bank accounts.
Venmo Allegedly Failed to Disclose that Consumer Funds Could Be Frozen or Removed Based on the Results of Venmo’s Review of the Underlying Transaction
According to the FTC’s complaint, Venmo sent its users notifications that money had been credited to their Venmo balances and was available for transfer to an external bank account. The FTC, however, says that Venmo failed to disclose that these funds could be frozen or removed based on the results of Venmo’s review of the underlying transaction. As a result, consumers complained that, at times, Venmo delayed the withdrawal of funds or reversed the underlying transactions after initially notifying them that the funds were available.
Venmo Allegedly Misled Consumers About the Extent of Transaction Privacy
The FTC also alleges that Venmo misled consumers about the extent to which they could keep transactions private. By default, some information about transactions between users is displayed on Venmo’s social news feed. Venmo offers privacy settings that enable consumers to limit who can view such transactions, but Venmo misled consumers about how those settings work.
According to the complaint, a Venmo consumer who limits their “default audience” for “future transactions” has not ensured that their transactions will remain private, unless they also change a second setting. Unless the consumer changes both settings, certain transactions may still be shared publicly. Also, unless that second setting is changed, where a consumer has specifically chosen to keep a particular transaction private, the other participant in the transaction can override the consumer’s privacy choices and retroactively make a private transaction public. According to the complaint, Venmo, at times, misrepresented what steps were necessary to keep transactions private and, in any case, failed to adequately disclose these facts to consumers.
Venmo Allegedly Misrepresented the Extent of Security Provided to Consumer Financial Accounts & Violated Gramm-Leach-Bliley Act’s Safeguards and Privacy Rules
The FTC also alleges that, until at least March 2015, Venmo misrepresented the extent of security it provided to consumer financial accounts, claiming that it utilized “bank-grade security systems.” The FTC alleges, however, that through at least August 2014, Venmo did not have a written information security program. Until at least March 2015, Venmo failed to notify users when their password or e-mail address had been changed, or when a new device had been added to their account. As a result, unauthorized users were able to withdraw funds from consumer accounts – without Venmo notifying consumers. In addition, Venmo lacked adequate customer support to respond to consumer complaints about these incidents.
Additionally, the FTC alleges that Venmo violated the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to implement safeguards to protect the security, confidentiality, and integrity of customer information, and Privacy Rule, which requires financial institutions to deliver privacy notices to customers.
As part of the proposed settlement with the FTC, Venmo is prohibited from misrepresenting any material restrictions on the use of its service, the extent of control provided by any privacy settings, and the extent to which Venmo implements or adheres to a particular level of security. Venmo is also required to make certain disclosures to consumers about its transaction and privacy practices, in addition to being prohibited from violating the Privacy and Safeguards Rules. Consistent with several past cases involving violations of Gramm-Leach-Bliley Act Rules, Venmo is required to obtain biennial third-party assessments of its compliance with these rules for 10 years.
For additional information, please see In the Matter of PayPal, Inc.