PayPal, FTC Settle Privacy, Security, Money Transfers Charges

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

PayPal Holdings Inc. settled Feb. 27 Federal Trade Commission allegations of misleading customers about the control they have over privacy settings in its Venmo Inc. mobile payment system.

The proposed administrative consent agreement alerts financial institutions operating peer-to-peer services of the need to set up their platforms from the outset with privacy and data security in mind, Acting FTC Chairman Maureen K. Ohlhausen said in a statement.

PayPal did not admit liability but agreed to not mislead customers about the subjects covered by the complaint, to accurately disclose its privacy and money transfer policies, and to undergo biennial independent audits of its specific security safeguards.

The FTC, in its complaint, alleged that PayPal failed to disclose that transfers to personal external bank accounts using Venmo were subject to a transaction review by Venmo—and could be frozen or removed based on the review. Some customers who relied on Venmo’s notice that money was available to transfer found themselves unable to pay their rent and other bills, the complaint alleged.

The FTC alleged that Venmo violated the Gramm-Leach-Bliley Act (GLBA) Privacy Rule by failing to deliver a clear, concise, and accurate privacy notice and violated the GLBA Safeguards Rule by failing to have a written security program and implement basic security safeguards.

Privacy settings that users placed on their “default audience” didn’t ensure the privacy of transactions without the user adjusting a second setting, and the second party to the transaction also had the ability to override the setting and make the transaction public, the FTC charged.

“We are pleased to conclude this process with the FTC in a cooperative way,” Amanda Miller, communications director for PayPal, told Bloomberg Law. “This brings to an end the investigation that primarily focused on Venmo platform issues and practices prior to acquisition by PayPal. Since then, as a core part of PayPal’s and Venmo’s business and operations, we’ve taken steps to significantly strengthen our privacy and data security practices.”

Companies in the peer-to-peer payment technologies sector should learn from the settlement that the FTC will apply consumer protection principles to them as vigorously as it does to other industries, Alex Pearce, privacy and data security of counsel at Ellis Winters LLP in Raleigh, N.C., told Bloomberg Law. Payment companies need to think about their customers’ reasonable privacy expectations, make their privacy settings straightforward, and assess how the GLBA applies to their non-traditional financial institution, Pearce said.

The FTC concurrently released a tip sheet on its blog for consumers who use peer-to-peer payment system apps.

To contact the reporter on this story: George Lynch in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security