PayPal Enters Consent Decree with FTC over Venmo Breaches

Venmo, a peer-to-peer mobile payment app acquired by PayPal, reached a consent decree over deceptive practices and privacy and data security issues.

Funds Availability Policy

The FTC charged that Venmo falsely represented that once a user credited their account the money could be freely transferred to your bank account.  In reality, despite many complaints, Venmo did not transfer the funds until after the transaction was reviewed which occurred only when the consumer attempted to transfer the funds.

As explained by the FTC,

[E]ven in the face of mounting consumer complaints, Venmo continued to claim – without any qualifiers – that once money was credited to consumers’ Venmo accounts, users could transfer it to their bank accounts. The FTC alleges that Venmo’s failure to adequately disclose to consumers that funds could be frozen or removed from their accounts was deceptive.

Privacy/Data Security

c9orqgpuaaattuhVenmo also displayed user transactions on their profile page in a way that was viewable to users and non-users alike.  A consumer could alter their default audience settings, but this was effective only if consumers also took a third “inadequately disclosed” step.

The FTC also challenged Venmo’s false claim that it protected consumers’ financial information with “bank grade security systems,” when Venmo didn’t notify consumers about changes to their settings from within their Venmo account – for example, that their email address or password had been changed.

The FTC also contended that these privacy/data security shortcomings violated the Gramm-Leach-Bliley Privacy Rule by failing to provide users with a clear initial privacy notice, by failing to deliver it in a way that each consumer could reasonably be expected to receive it, and by distributing a notice that didn’t accurately reflect its practices.

Under the consent decree, Venmo is prohibited from misrepresenting any material restrictions on the use of its service, the extent of control provided by any privacy settings, and the extent to which Venmo implements or adheres to a particular level of security.