Privacy Practices Every Company Should Address in Wake of Action Against PayPal
Privacy is serious business. This was made clear in the Federal Trade Commission's (FTC) recent announcement that it had settled its complaint against Venmo, PayPal's peer-to-peer payment service, for misrepresentations to consumers regarding privacy and security settings.
March 15, 2018 at 11:59 AM
The FTC focused on representations made by Venmo that it utilized “bank grade security systems and data encryption” to protect transactions and safeguard against unauthorized access to financial information. To highlight how far Venmo's security was from “bank grade,” the FTC singled out specific safeguards that Venmo did not undertake. For example, the FTC cited Venmo's failure to provide consumers with security notifications regarding changes to account settings (i.e., changes to password or email address or addition of new device), Venmo's failure to maintain adequate customer support capabilities, and Venmo's lack of urgency in responding to reports of unauthorized transactions.
It is clear that the FTC considers notifications to consumers when there is a change to their account settings or potential unauthorized access a basic security measure. As a result, companies would be well suited to review their privacy practices to ensure that these notifications are included as part of their security program safeguards. Additionally, companies should consider reviewing their customer support capabilities and employee training to appropriately respond to consumer inquiries and timely escalate reports of unauthorized transactions or access to information.
Fully Compliant Privacy Notices Are Mandatory
The FTC also found that Venmo was in violation of the Gramm-Leach-Bliley Act (GLBA) by failing to implement safeguards to protect consumer data and failing to deliver adequate privacy notices. The FTC focused on Venmo's failure to adequately disclose the steps required to make a transaction private (rather than publicly available on Venmo's news feed), failure to notify users of security changes to customer accounts resulting in fraudulent activity being missed as explained above, a failure to have a written information security program prior to August 2014, and failure to implement safeguards to protect the security, confidentiality, and integrity of consumer data until March 2015. In settling with the FTC, PayPal has consented to incurring the cost of biennial third-party assessments of Venmo for the next 10 years to ensure that Venmo is no longer misrepresenting, and is, in fact, affirmatively disclosing its privacy and security settings to consumers.
The FTC expects companies to be privacy compliant and transparent with customers. Even where companies have basic GLBA notices, if the form of the notice is less than clear, the notice is inadequate. For example, the FTC cited Venmo for failing to have a “clear and conspicuous” initial privacy notice because Venmo used “grey text on a light grey background.” Likewise, the FTC alleged that Venmo failed to deliver the initial privacy notice because Venmo did not require customers to acknowledge receipt of an initial privacy notice as a necessary step to obtaining a particular financial product or service. These costly issues could be avoided by a privacy-focused “best practices” review.
Privacy and Security Practices Must Address Reasonably Foreseeable Risks
A related takeaway from the Venmo settlement comes from a recent list of consumer tips issued by the FTC, which highlights the overlap between consumer expectations and regulator focus. Consumers expect transactions in the digital age to be both instant and private. As companies jockey to meet these expectations and beat their competitors out for business and market share, regulators are watching closely to make sure companies are not cutting corners. The rise of social network advertising and the development of new ways to provide services can be beneficial to profits and open the market up to new types of consumers and transactions. However, in the race to innovatively meet consumer service expectations, companies should not lose sight of how terms of use and privacy and security settings are portrayed. Consumers truly want it all, and omissions and misrepresentations by companies won't be tolerated.
Not only did the FTC broadly condemn Venmo for failing to comply with GLBA, but it raised specific examples of noncompliance that make clear that the FTC expects companies to have a thoughtful and well-reasoned privacy notice. The FTC cited Venmo for failing to “assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of consumer information.” It is clear from the FTC's complaint against, and settlement with, Venmo that companies must thoroughly assess their security practices, strategize reasonably foreseeable risks, implement appropriate security measures, and be transparent with consumers on security practices and processes. As a result, it is prudent that companies conduct an assessment of their privacy and security practices, identify gaps, and create corrective action plans to comply with regulatory obligations and expectations.
Privacy Settings and Opt-Out Options Must Be Clearly Disclosed to Consumers
In line with its focus on enforcing consumer expectations, the FTC further targeted Venmo over its confusing opt-out settings. In its complaint, the FTC alleges that Venmo required consumers to change not one but two default settings under two different menus in order to keep information private. Even if the consumer set one setting to the highest level of privacy, failure to change both settings would 'override' the consumer's clear request to keep information private, and the dual opt-out requirement was not made clear to consumers. The FTC took issue with Venmo's failure to clearly inform consumers of the existence of these privacy settings, its failure to provide clear instructions on how to use the settings, and Venmo's policy on the treatment of private information when the two settings conflicted.
Given the FTC's focus on clear disclosures and consumer education, companies should consider reviewing their practices to ensure that the least sophisticated consumer can easily determine how to protect his personal information and still meaningfully utilize the requisite technology to receive the desired product or service.
Technology Can Increase Privacy, But Its Use Comes With an Obligation to Inform the Consumer of the Benefits and Risks
Increasing privacy protections by incorporating multi-factor authentication, fingerprint recognition, and the ability to opt-out of and modify data sharing is one step in the right direction of increasing privacy. Nonetheless, one of the easiest ways a company can run afoul of regulators is by failing to understand or acknowledge not only the benefits of innovative services and technology, but most importantly, the areas which are still developing. Only by informing themselves can companies adequately inform consumers.
The FTC clearly advises companies: “Customers appreciate choices, but they need to understand what they are choosing. If you provide privacy options, make it straightforward for consumers to select options that best match their privacy preferences—and then honor their choices.”
In seeking to avoid similar regulatory actions, and increasingly common data privacy litigation, companies should take a clear look at these five privacy areas and implement appropriate compliance measures.
Erin Jane Illman, a partner at Bradley in the firm's Charlotte, North Carolina office, represents corporate entities, technology companies and financial institution clients in a wide variety of regulatory compliance, litigation and contract matters. She is co-chair of the firm's privacy, security and innovation team, which is part of the banking and financial services practice group.
Lyndsay E. Medlin is an associate in the firm's Charlotte office. She assists clients with a wide variety of litigation and internal investigation or compliance needs.