PayPal, Inc.; Analysis To Aid Public Comment, 9316-9318 [2018-04331]
Download as PDF
<![CDATA[
9316
*
Federal Register / Vol. 83, No. 43 / Monday, March 5, 2018 / Notices
*
*
*
complaint and the terms of the consent
order—embodied in the consent
agreement—that would settle these
allegations.
*
Federal Communications Commission.
Marlene H. Dortch,
Secretary.
BILLING CODE 6712–01–P
FEDERAL ELECTION COMMISSION
Sunshine Act Meeting
Thursday, March 8,
2018 at 10:00 a.m.
PLACE: 999 E Street NW, Washington,
DC (Ninth Floor).
STATUS: This meeting will be open to
the public.
MATTERS TO BE CONSIDERED:
Correction and Approval of Minutes for
December 7, 2017
Correction and Approval of Minutes for
December 14, 2017
Correction and Approval of Minutes for
January 11, 2018
REG 2011–02: Draft Notice of Proposed
Rulemaking on internet
Communication Disclaimers and
Definition of ‘‘Public
Communication’’
REG 2011–02: Draft Notice of Proposed
Rulemaking on internet
Communication Disclaimers
Management and Administrative
Matters
CONTACT PERSON FOR MORE INFORMATION:
Judith Ingram, Press Officer, Telephone:
(202) 694–1220.
Individuals who plan to attend and
require special assistance, such as sign
language interpretation or other
reasonable accommodations, should
contact Dayna C. Brown, Secretary and
Clerk, at (202) 694–1040, at least 72
hours prior to the meeting date.
TIME AND DATE:
Dayna C. Brown,
Secretary and Clerk of the Commission.
[FR Doc. 2018–04555 Filed 3–1–18; 4:15 pm]
BILLING CODE 6715–01–P
FEDERAL TRADE COMMISSION
[File No. 162 3102]
PayPal, Inc.; Analysis To Aid Public
Comment
Federal Trade Commission.
Proposed consent agreement.
sradovich on DSK3GMQ082PROD with NOTICES
AGENCY:
ACTION:
The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices. The attached
Analysis to Aid Public Comment
describes both the allegations in the
SUMMARY:
VerDate Sep<11>2014
19:25 Mar 02, 2018
Jkt 244001
Comments must be received on
or before March 29, 2018.
ADDRESSES: Interested parties may file a
comment online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write: ‘‘In the Matter of PayPal,
Inc.’’ on your comment, and file your
comment online at https://
ftcpublic.commentworks.com/ftc/
venmoconsent by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, write ‘‘In the Matter of PayPal,
Inc.’’ on your comment and on the
envelope, and mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex D), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex D),
Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Ben
Rossen (202–326–3679) and Lisa
Rothfarb (202–326–2602), Bureau of
Consumer Protection, 600 Pennsylvania
Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for February 27, 2018), on
the World Wide Web, at https://
www.ftc.gov/news-events/commissionactions.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before March 29, 2018. Write ‘‘In the
Matter of PayPal, Inc.’’ on your
comment. Your comment—including
your name and your state—will be
placed on the public record of this
proceeding, including, to the extent
practicable, on the public Commission
DATES:
[FR Doc. 2018–04446 Filed 3–2–18; 8:45 am]
PO 00000
Frm 00058
Fmt 4703
Sfmt 4703
website, at https://www.ftc.gov/policy/
public-comments.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
venmoconsent by following the
instructions on the web-based form. If
this Notice appears at https://
www.regulations.gov/#!home, you also
may file a comment through that
website.
If you prefer to file your comment on
paper, write ‘‘In the Matter of PayPal,
Inc.’’ on your comment and on the
envelope, and mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex D), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex D),
Washington, DC 20024. If possible,
submit your paper comment to the
Commission by courier or overnight
service.
Because your comment will be placed
on the publicly accessible FTC website
at https://www.ftc.gov, you are solely
responsible for making sure that your
comment does not include any sensitive
or confidential information. In
particular, your comment should not
include any sensitive personal
information, such as your or anyone
else’s Social Security number; date of
birth; driver’s license number or other
state identification number, or foreign
country equivalent; passport number;
financial account number; or credit or
debit card number. You are also solely
responsible for making sure that your
comment does not include any sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘trade secret or any
commercial or financial information
which . . . is privileged or
confidential’’—as provided by Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—
including in particular competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
E:\FR\FM\05MRN1.SGM
05MRN1
Federal Register / Vol. 83, No. 43 / Monday, March 5, 2018 / Notices
and must comply with FTC Rule 4.9(c).
In particular, the written request for
confidential treatment that accompanies
the comment must include the factual
and legal basis for the request, and must
identify the specific portions of the
comment to be withheld from the public
record. See FTC Rule 4.9(c). Your
comment will be kept confidential only
if the General Counsel grants your
request in accordance with the law and
the public interest. Once your comment
has been posted on the public FTC
website—as legally required by FTC
Rule 4.9(b)—we cannot redact or
remove your comment from the FTC
website, unless you submit a
confidentiality request that meets the
requirements for such treatment under
FTC Rule 4.9(c), and the General
Counsel grants that request.
Visit the FTC website at https://
www.ftc.gov to read this Notice and the
news release describing it. The FTC Act
and other laws that the Commission
administers permit the collection of
public comments to consider and use in
this proceeding, as appropriate. The
Commission will consider all timely
and responsive public comments that it
receives on or before March 29, 2018.
For information on the Commission’s
privacy policy, including routine uses
permitted by the Privacy Act, see
https://www.ftc.gov/site-information/
privacy-policy.
sradovich on DSK3GMQ082PROD with NOTICES
Analysis of Proposed Consent Order To
Aid Public Comment
The Federal Trade Commission
(‘‘Commission’’) has accepted, subject to
final approval, an agreement containing
a consent order from PayPal, Inc.
(‘‘PayPal’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After 30 days, the
Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
This matter involves Venmo, a peerto-peer payment service owned and
operated by PayPal. Venmo has offered
its peer-to-peer payment service to
consumers since 2011, and was
acquired by PayPal in 2013. Consumers
can use Venmo to transfer money to one
another using a mobile application or
through a website at www.venmo.com.
Venmo’s payment service incorporates a
social networking component through a
social ‘‘news feed’’ that shares
VerDate Sep<11>2014
19:25 Mar 02, 2018
Jkt 244001
information about a consumer’s Venmo
transactions.
The Commission’s proposed
complaint alleges that PayPal, through
its operation of Venmo, has violated
Section 5 of the FTC Act and the
Gramm-Leach-Bliley (‘‘GLB’’) Act’s
Privacy and Safeguards Rules.
First, the proposed complaint alleges
that Venmo has represented to
consumers that money is credited to
their Venmo account and can be
transferred to an external bank account
after other Venmo users have sent funds
to those consumers, but has failed to
disclose, or failed to disclose
adequately, that funds could be frozen
or removed because Venmo has not yet
approved the underlying transaction. As
alleged in the proposed complaint,
Venmo has made representations to
consumers that they have been paid and
they can transfer money from Venmo to
an external bank account. For example,
Venmo has sent users notifications that
have stated ‘‘Money credited to your
Venmo balance. Transfer to your bank
overnight.’’ Despite these claims, the
proposed complaint alleges that, in
numerous instances, consumers have
been unable to transfer funds to their
bank accounts as promised. Venmo has
waited until a consumer attempts to
transfer funds to an external bank
account to review the transaction for
certain issues. This review has resulted
in Venmo delaying the transfer or
reversing the transaction in numerous
instances.
Second, the proposed complaint
alleges that Venmo has failed to disclose
material information to consumers
about the operation of Venmo’s privacy
settings. As alleged in the proposed
complaint, by default, all Venmo
transactions are shared on Venmo’s
social news feed, which displays the
names of the payer and recipient, the
date of the transaction, and a message
written by the user that initiated the
transaction. Venmo offers privacy
settings that consumers can use to limit
the visibility of their transactions.
However, to ensure that all future
payments remain private, a consumer
must change two similarly labeled
settings. The first setting, referred to in
the proposed complaint as the ‘‘Default
Audience Setting,’’ would lead a
reasonable consumer to believe that
they can restrict the visibility of their
future transactions on the news feed to
specific groups, such as ‘‘Participants
Only’’ or ‘‘Friends.’’ In fact, however, a
consumer must also change a second
setting, referred to in the proposed
complaint as the ‘‘Transaction Sharing
Setting,’’ to ensure that all of her
transactions are private. If a consumer
PO 00000
Frm 00059
Fmt 4703
Sfmt 4703
9317
fails to restrict this second setting, in
some circumstances, transactions will
still be published publicly even if the
consumer has chosen a ‘‘private’’
default audience.
Venmo also offers a privacy setting to
control the visibility of an individual
transaction, referred to in the proposed
complaint as the ‘‘Individual Audience
Setting.’’ The proposed complaint
alleges that Venmo failed to disclose, or
failed to disclose adequately, that the
Individual Audience Setting does not
ensure that an individual transaction
remains private unless a consumer also
separately restricts the Transaction
Sharing Setting described above. If a
consumer has not changed both settings,
there are circumstances where the other
participant in the transaction can
retroactively change a transaction from
private to public.
Third, the proposed complaint alleges
that Venmo represented until
approximately March 2015 that it
protected consumers’ financial
information with ‘‘bank grade security
systems’’ but in fact failed to implement
basic safeguards necessary to secure
consumer accounts from unauthorized
transactions and did not provide ‘‘bank
grade security.’’ For example, Venmo
failed to provide consumers with
security notifications about changes to
account settings from within the
consumer’s Venmo account, such as
when a consumer’s email address or
password had been changed. The
proposed complaint alleges that
Venmo’s representation that it provided
‘‘bank grade security systems’’
constitutes a deceptive act or practice
under Section 5 of the FTC Act.
Fourth, the proposed complaint
alleges that Venmo violated the GLB
Act’s Privacy Rule and Regulation P by
failing to provide users with a clear and
conspicuous initial privacy notice,
disseminating an initial privacy notice
that does not accurately reflect its
policies and practices, and failing to
deliver the initial privacy notice so that
each customer could reasonably be
expected to receive actual notice.
Finally, the proposed complaint
alleges that Venmo violated the GLB
Act’s Safeguards Rule by failing to have
a comprehensive written information
security program before August 2014,
failing to identify reasonably foreseeable
internal and external risks to the
security, confidentiality, and integrity of
customer information, and assessing the
sufficiency of any safeguards in place to
control those risks before September
2014, and failing to design and
implement information safeguards to
control the known risks to the security,
E:\FR\FM\05MRN1.SGM
05MRN1
sradovich on DSK3GMQ082PROD with NOTICES
9318
Federal Register / Vol. 83, No. 43 / Monday, March 5, 2018 / Notices
confidentiality, and integrity of
customer information.
The proposed order contains
injunctive provisions addressing the
alleged deceptive conduct and Rule
violations in connection with PayPal’s
operation of a payment and social
networking service. Part I of the
proposed order prohibits PayPal from
making misrepresentations regarding
material restrictions, limitations, or
conditions to use any payment and
social networking service. It also
prohibits misrepresentations about data
security and privacy, including
misrepresentations regarding the extent
of control provided by any privacy
settings and the extent to which PayPal
implements or adheres to a particular
level of security.
Part II of the proposed order requires
PayPal, when making any
representations through any payment
and social networking service about the
availability of funds to be transferred or
withdrawn to a bank account, to provide
clear and conspicuous disclosures that
transactions are subject to review and, if
true, that funds could be frozen or
removed as a result of transaction
reviews. Part II also requires PayPal to
issue a one-time notice informing
current Venmo users that when they
attempt to transfer or withdraw funds to
a bank account, Venmo will perform
transaction reviews and based on such
review, may block or delay the transfer
or withdrawal, and/or reverse a
payment transaction.
Part III of the proposed order requires
PayPal to provide clear and conspicuous
disclosures to users related to how any
payment and social networking service
shares transaction information with
other users and how a consumer can
limit the visibility or sharing of
transaction information through privacy
settings.
Part IV of the agreement prohibits
violations of the GLB Privacy and
Safeguards Rules.
Part V requires PayPal to obtain
biennial data security assessments for
ten years.
Parts VI through IX of the proposed
order are reporting and compliance
provisions, which include
recordkeeping requirements and
provisions requiring PayPal to provide
information or documents necessary for
the Commission to monitor compliance.
Part X states that the proposed order
will remain in effect for 20 years, with
certain exceptions.
The purpose of this analysis is to aid
public comment on the proposed order.
It is not intended to constitute an
official interpretation of the complaint
VerDate Sep<11>2014
19:25 Mar 02, 2018
Jkt 244001
or proposed order, or to modify in any
way the proposed order’s terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2018–04331 Filed 3–2–18; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention
[60Day–18–18MY; Docket No. CDC–2018–
0018]
Proposed Data Collection Submitted
for Public Comment and
Recommendations
Centers for Disease Control and
Prevention (CDC), Department of Health
and Human Services (HHS).
ACTION: Notice with comment period.
AGENCY:
The Centers for Disease
Control and Prevention (CDC), as part of
its continuing effort to reduce public
burden and maximize the utility of
government information, invites the
general public and other Federal
agencies to take this opportunity to
comment on proposed and/or
continuing information collections, as
required by the Paperwork Reduction
Act of 1995. This notice invites
comment on ‘‘Network Epidemiology of
Syphilis Transmission (NEST)’’. The
purpose of the NEST study is to address
knowledge gaps in the transmission of
syphilis among men who have sex with
men (MSM) in the United States by
exploring the role of sexual and social
networks. Specifically, the goal of NEST
is to pilot the use of survey instruments
to collect complex longitudinal sexual
network data among MSM at high risk
for syphilis in the United States.
DATES: Written comments must be
received on or before May 4, 2018.
ADDRESSES: You may submit comments,
identified by Docket No. CDC–2018–
0018 by any of the following methods:
• Federal eRulemaking Portal:
Regulations.gov. Follow the instructions
for submitting comments.
• Mail: Leroy A. Richardson,
Information Collection Review Office,
Centers for Disease Control and
Prevention, 1600 Clifton Road NE, MS–
D74, Atlanta, Georgia 30329.
Instructions: All submissions received
must include the agency name and
Docket Number. All relevant comments
received will be posted without change
to Regulations.gov, including any
personal information provided. For
SUMMARY:
PO 00000
Frm 00060
Fmt 4703
Sfmt 4703
access to the docket to read background
documents or comments received, go to
Regulations.gov.
Please note: Submit all Federal
comments through the Federal
eRulemaking portal (regulations.gov) or
by U.S. mail to the address listed above.
FOR FURTHER INFORMATION CONTACT: To
request more information on the
proposed project or to obtain a copy of
the information collection plan and
instruments, contact Leroy A.
Richardson, Information Collection
Review Office, Centers for Disease
Control and Prevention, 1600 Clifton
Road NE, MS–D74, Atlanta, Georgia
30329; phone: 404–639–7570; Email:
omb@cdc.gov.
SUPPLEMENTARY INFORMATION: Under the
Paperwork Reduction Act of 1995 (PRA)
(44 U.S.C. 3501–3520), Federal agencies
must obtain approval from the Office of
Management and Budget (OMB) for each
collection of information they conduct
or sponsor. In addition, the PRA also
requires Federal agencies to provide a
60-day notice in the Federal Register
concerning each proposed collection of
information, including each new
proposed collection, each proposed
extension of existing collection of
information, and each reinstatement of
previously approved information
collection before submitting the
collection to OMB for approval. To
comply with this requirement, we are
publishing this notice of a proposed
data collection as described below.
The OMB is particularly interested in
comments that will help:
1. Evaluate whether the proposed
collection of information is necessary
for the proper performance of the
functions of the agency, including
whether the information will have
practical utility;
2. Evaluate the accuracy of the
agency’s estimate of the burden of the
proposed collection of information,
including the validity of the
methodology and assumptions used;
3. Enhance the quality, utility, and
clarity of the information to be
collected; and
4. Minimize the burden of the
collection of information on those who
are to respond, including through the
use of appropriate automated,
electronic, mechanical, or other
technological collection techniques or
other forms of information technology,
e.g., permitting electronic submissions
of responses.
5. Assess information collection costs.
Proposed Project
Network Epidemiology of Syphilis
Transmission (NEST)—New—National
E:\FR\FM\05MRN1.SGM
05MRN1
]]>Agencies
[Federal Register Volume 83, Number 43 (Monday, March 5, 2018)]
[Notices]
[Pages 9316-9318]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-04331]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 162 3102]
PayPal, Inc.; Analysis To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis to Aid Public Comment describes both
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.
DATES: Comments must be received on or before March 29, 2018.
ADDRESSES: Interested parties may file a comment online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write: ``In the Matter of
PayPal, Inc.'' on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/venmoconsent by following the
instructions on the web-based form. If you prefer to file your comment
on paper, write ``In the Matter of PayPal, Inc.'' on your comment and
on the envelope, and mail your comment to the following address:
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania
Avenue NW, Suite CC-5610 (Annex D), Washington, DC 20580, or deliver
your comment to the following address: Federal Trade Commission, Office
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor,
Suite 5610 (Annex D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Ben Rossen (202-326-3679) and Lisa
Rothfarb (202-326-2602), Bureau of Consumer Protection, 600
Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for February 27, 2018), on the World Wide Web,
at https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before March 29, 2018.
Write ``In the Matter of PayPal, Inc.'' on your comment. Your comment--
including your name and your state--will be placed on the public record
of this proceeding, including, to the extent practicable, on the public
Commission website, at https://www.ftc.gov/policy/public-comments.
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/venmoconsent by following the instructions on the web-based form.
If this Notice appears at https://www.regulations.gov/#!home, you also
may file a comment through that website.
If you prefer to file your comment on paper, write ``In the Matter
of PayPal, Inc.'' on your comment and on the envelope, and mail your
comment to the following address: Federal Trade Commission, Office of
the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D),
Washington, DC 20580, or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC
20024. If possible, submit your paper comment to the Commission by
courier or overnight service.
Because your comment will be placed on the publicly accessible FTC
website at https://www.ftc.gov, you are solely responsible for making
sure that your comment does not include any sensitive or confidential
information. In particular, your comment should not include any
sensitive personal information, such as your or anyone else's Social
Security number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure that your comment does not include
any sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,''
[[Page 9317]]
and must comply with FTC Rule 4.9(c). In particular, the written
request for confidential treatment that accompanies the comment must
include the factual and legal basis for the request, and must identify
the specific portions of the comment to be withheld from the public
record. See FTC Rule 4.9(c). Your comment will be kept confidential
only if the General Counsel grants your request in accordance with the
law and the public interest. Once your comment has been posted on the
public FTC website--as legally required by FTC Rule 4.9(b)--we cannot
redact or remove your comment from the FTC website, unless you submit a
confidentiality request that meets the requirements for such treatment
under FTC Rule 4.9(c), and the General Counsel grants that request.
Visit the FTC website at https://www.ftc.gov to read this Notice and
the news release describing it. The FTC Act and other laws that the
Commission administers permit the collection of public comments to
consider and use in this proceeding, as appropriate. The Commission
will consider all timely and responsive public comments that it
receives on or before March 29, 2018. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (``Commission'') has accepted, subject
to final approval, an agreement containing a consent order from PayPal,
Inc. (``PayPal'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After 30 days, the Commission will again review the agreement
and the comments received, and will decide whether it should withdraw
from the agreement and take appropriate action or make final the
agreement's proposed order.
This matter involves Venmo, a peer-to-peer payment service owned
and operated by PayPal. Venmo has offered its peer-to-peer payment
service to consumers since 2011, and was acquired by PayPal in 2013.
Consumers can use Venmo to transfer money to one another using a mobile
application or through a website at www.venmo.com. Venmo's payment
service incorporates a social networking component through a social
``news feed'' that shares information about a consumer's Venmo
transactions.
The Commission's proposed complaint alleges that PayPal, through
its operation of Venmo, has violated Section 5 of the FTC Act and the
Gramm-Leach-Bliley (``GLB'') Act's Privacy and Safeguards Rules.
First, the proposed complaint alleges that Venmo has represented to
consumers that money is credited to their Venmo account and can be
transferred to an external bank account after other Venmo users have
sent funds to those consumers, but has failed to disclose, or failed to
disclose adequately, that funds could be frozen or removed because
Venmo has not yet approved the underlying transaction. As alleged in
the proposed complaint, Venmo has made representations to consumers
that they have been paid and they can transfer money from Venmo to an
external bank account. For example, Venmo has sent users notifications
that have stated ``Money credited to your Venmo balance. Transfer to
your bank overnight.'' Despite these claims, the proposed complaint
alleges that, in numerous instances, consumers have been unable to
transfer funds to their bank accounts as promised. Venmo has waited
until a consumer attempts to transfer funds to an external bank account
to review the transaction for certain issues. This review has resulted
in Venmo delaying the transfer or reversing the transaction in numerous
instances.
Second, the proposed complaint alleges that Venmo has failed to
disclose material information to consumers about the operation of
Venmo's privacy settings. As alleged in the proposed complaint, by
default, all Venmo transactions are shared on Venmo's social news feed,
which displays the names of the payer and recipient, the date of the
transaction, and a message written by the user that initiated the
transaction. Venmo offers privacy settings that consumers can use to
limit the visibility of their transactions. However, to ensure that all
future payments remain private, a consumer must change two similarly
labeled settings. The first setting, referred to in the proposed
complaint as the ``Default Audience Setting,'' would lead a reasonable
consumer to believe that they can restrict the visibility of their
future transactions on the news feed to specific groups, such as
``Participants Only'' or ``Friends.'' In fact, however, a consumer must
also change a second setting, referred to in the proposed complaint as
the ``Transaction Sharing Setting,'' to ensure that all of her
transactions are private. If a consumer fails to restrict this second
setting, in some circumstances, transactions will still be published
publicly even if the consumer has chosen a ``private'' default
audience.
Venmo also offers a privacy setting to control the visibility of an
individual transaction, referred to in the proposed complaint as the
``Individual Audience Setting.'' The proposed complaint alleges that
Venmo failed to disclose, or failed to disclose adequately, that the
Individual Audience Setting does not ensure that an individual
transaction remains private unless a consumer also separately restricts
the Transaction Sharing Setting described above. If a consumer has not
changed both settings, there are circumstances where the other
participant in the transaction can retroactively change a transaction
from private to public.
Third, the proposed complaint alleges that Venmo represented until
approximately March 2015 that it protected consumers' financial
information with ``bank grade security systems'' but in fact failed to
implement basic safeguards necessary to secure consumer accounts from
unauthorized transactions and did not provide ``bank grade security.''
For example, Venmo failed to provide consumers with security
notifications about changes to account settings from within the
consumer's Venmo account, such as when a consumer's email address or
password had been changed. The proposed complaint alleges that Venmo's
representation that it provided ``bank grade security systems''
constitutes a deceptive act or practice under Section 5 of the FTC Act.
Fourth, the proposed complaint alleges that Venmo violated the GLB
Act's Privacy Rule and Regulation P by failing to provide users with a
clear and conspicuous initial privacy notice, disseminating an initial
privacy notice that does not accurately reflect its policies and
practices, and failing to deliver the initial privacy notice so that
each customer could reasonably be expected to receive actual notice.
Finally, the proposed complaint alleges that Venmo violated the GLB
Act's Safeguards Rule by failing to have a comprehensive written
information security program before August 2014, failing to identify
reasonably foreseeable internal and external risks to the security,
confidentiality, and integrity of customer information, and assessing
the sufficiency of any safeguards in place to control those risks
before September 2014, and failing to design and implement information
safeguards to control the known risks to the security,
[[Page 9318]]
confidentiality, and integrity of customer information.
The proposed order contains injunctive provisions addressing the
alleged deceptive conduct and Rule violations in connection with
PayPal's operation of a payment and social networking service. Part I
of the proposed order prohibits PayPal from making misrepresentations
regarding material restrictions, limitations, or conditions to use any
payment and social networking service. It also prohibits
misrepresentations about data security and privacy, including
misrepresentations regarding the extent of control provided by any
privacy settings and the extent to which PayPal implements or adheres
to a particular level of security.
Part II of the proposed order requires PayPal, when making any
representations through any payment and social networking service about
the availability of funds to be transferred or withdrawn to a bank
account, to provide clear and conspicuous disclosures that transactions
are subject to review and, if true, that funds could be frozen or
removed as a result of transaction reviews. Part II also requires
PayPal to issue a one-time notice informing current Venmo users that
when they attempt to transfer or withdraw funds to a bank account,
Venmo will perform transaction reviews and based on such review, may
block or delay the transfer or withdrawal, and/or reverse a payment
transaction.
Part III of the proposed order requires PayPal to provide clear and
conspicuous disclosures to users related to how any payment and social
networking service shares transaction information with other users and
how a consumer can limit the visibility or sharing of transaction
information through privacy settings.
Part IV of the agreement prohibits violations of the GLB Privacy
and Safeguards Rules.
Part V requires PayPal to obtain biennial data security assessments
for ten years.
Parts VI through IX of the proposed order are reporting and
compliance provisions, which include recordkeeping requirements and
provisions requiring PayPal to provide information or documents
necessary for the Commission to monitor compliance. Part X states that
the proposed order will remain in effect for 20 years, with certain
exceptions.
The purpose of this analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the complaint or proposed order, or to modify in any
way the proposed order's terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2018-04331 Filed 3-2-18; 8:45 am]
BILLING CODE 6750-01-P
