Privacy is serious business. This was made clear in the Federal Trade Commission’s (FTC) recent announcement that it had settled its complaint against Venmo, PayPal’s peer-to-peer payment service, for misrepresentations to consumers regarding privacy and security settings. Although the terms of the settlement do not become final until approval by the FTC on or about March 29 (after the conclusion of a public comment period), there are at least five important lessons and practices that every company should take stock of now.
1. Review Your Security Safeguards
The FTC focused on representations made by Venmo that it utilized “bank grade security systems and data encryption” to protect transactions and safeguard against unauthorized access to financial information. To highlight how far Venmo’s security was from “bank grade,” the FTC singled out specific safeguards that Venmo did not undertake. For example, the FTC cited Venmo’s failure to provide consumers with security notifications regarding changes to account settings (i.e. changes to password or email address or addition of new device), Venmo’s failure to maintain adequate customer support capabilities, and Venmo’s lack of urgency in responding to reports of unauthorized transactions.
It is clear that the FTC considers notifications to consumers when there is a change to their account settings, or potential unauthorized access, a basic security measure. As a result, companies would be well advised to review their privacy practices to ensure that these notifications are included among their security program safeguards. Additionally, companies should consider reviewing their customer support capabilities and employee training to ensure that consumer inquiries are answered appropriately and that reports of unauthorized transactions or access to information are escalated in a timely manner.
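The notification control the FTC treats as basic can be implemented as a small settings-change handler. The following is an added illustration, not Venmo's or PayPal's code; the Account fields, the AccountService class, the SENSITIVE_FIELDS set and the in-memory outbox are assumptions standing in for a real user store and an email/SMS delivery queue. The design point it shows is that recipients are captured before the change is written, so the contact point the legitimate owner still controls is always told, even when the change is to the email address itself.

```python
"""Account-settings change handler that emits security notifications.

Added illustration, not Venmo/PayPal code. The Account fields, the
AccountService class and the in-memory outbox are assumptions standing in
for a real user store and an email/SMS delivery queue.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Changes to these fields must trigger a notification (the FTC complaint named
# password and email changes and the addition of a new device). Assumed names.
SENSITIVE_FIELDS = {"password_hash", "email", "devices"}


@dataclass
class Account:
    user_id: str
    email: str
    phone: str            # may be "" if the user never gave one
    password_hash: str
    display_name: str = ""
    devices: List[str] = field(default_factory=list)


@dataclass
class Notification:
    recipient: str        # address or number the message goes to
    channel: str          # "email" or "sms"
    event: str            # e.g. "email_changed", "device_added"
    sent_at: str


class AccountService:
    def __init__(self) -> None:
        self.outbox: List[Notification] = []   # stand-in for a delivery queue
        self.audit_log: List[Dict] = []        # stand-in for an append-only audit store

    def _contact_points(self, acct: Account) -> Set[Tuple[str, str]]:
        points = {("email", acct.email)}
        if acct.phone:
            points.add(("sms", acct.phone))
        return points

    def _emit(self, recipients: Set[Tuple[str, str]], event: str) -> List[Notification]:
        stamp = datetime.now(timezone.utc).isoformat()
        sent = [Notification(addr, channel, event, stamp)
                for channel, addr in sorted(recipients)]
        self.outbox.extend(sent)
        return sent

    def change_setting(self, acct: Account, name: str, new_value: str) -> List[Notification]:
        """Apply a scalar settings change; notify only if the field is sensitive.

        Recipients are captured BEFORE the write so that the address the
        legitimate owner still controls is always told about the change.
        """
        old_value = getattr(acct, name)
        recipients = self._contact_points(acct)
        setattr(acct, name, new_value)
        if name == "email":
            recipients.add(("email", new_value))  # the new address gets a heads-up too
        self.audit_log.append({"user": acct.user_id, "field": name,
                               "old": old_value, "new": new_value})
        if name not in SENSITIVE_FIELDS:
            return []
        return self._emit(recipients, f"{name}_changed")

    def add_device(self, acct: Account, device_id: str) -> List[Notification]:
        """Register a new device and alert every existing contact point."""
        if device_id in acct.devices:
            return []                              # already known; nothing to report
        acct.devices.append(device_id)
        self.audit_log.append({"user": acct.user_id, "field": "devices", "added": device_id})
        return self._emit(self._contact_points(acct), "device_added")


if __name__ == "__main__":
    # Constructed sample account; the hash value is a placeholder.
    svc = AccountService()
    acct = Account("u-123", "owner@example.com", "+15550100", "hash-placeholder")
    for n in svc.change_setting(acct, "email", "new-address@example.com"):
        print(n)
```

Changing a non-sensitive field such as the display name still lands in the audit log but sends nothing, which keeps the alert channel meaningful; re-registering an already known device is also silent, so the user is not trained to ignore repeated notices.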
2. Fully Compliant Privacy Notices Are Mandatory
The FTC also found that Venmo was in violation of the Gramm-Leach-Bliley Act (GLBA) by failing to implement safeguards to protect consumer data and failing to deliver adequate privacy notices. The FTC focused on Venmo’s failure to adequately disclose the steps required to make a transaction private (rather than publicly visible on Venmo’s news feed); its failure to notify users of security-relevant changes to their accounts, which, as explained above, allowed fraudulent activity to go unnoticed; its lack of a written information security program prior to August 2014; and its failure to implement safeguards to protect the security, confidentiality, and integrity of consumer data until March 2015. In settling with the FTC, PayPal has consented to incurring the cost of biennial third-party assessments of Venmo for the next 10 years to ensure that Venmo is no longer misrepresenting, and is in fact affirmatively disclosing, its privacy and security settings to consumers.
The FTC expects companies to be privacy compliant and transparent with customers. Even where companies have basic GLBA notices, if the form of the notice is less than clear, the notice is inadequate. For example, the FTC cited Venmo for failing to have a “clear and conspicuous” initial privacy notice because Venmo used “grey text on a light grey background.” Likewise, the FTC alleged that Venmo failed to deliver the initial privacy notice because Venmo did not require customers to acknowledge receipt of the initial privacy notice as a necessary step to obtaining a particular financial product or service. These costly issues could be avoided by a privacy-focused “best practices” review.
3. Privacy and Security Practices Must Address Reasonably Foreseeable Risks
Not only did the FTC broadly condemn Venmo for failing to comply with GLBA, but it raised specific examples of non-compliance that make clear that the FTC expects companies to have a thoughtful and well-reasoned privacy notice. The FTC cited Venmo for failing to “assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of consumer information.” It is clear from the FTC’s complaint against, and settlement with, Venmo that companies must thoroughly assess their security practices, plan for reasonably foreseeable risks, implement appropriate security measures, and be transparent with consumers about security practices and processes. As a result, it is prudent that companies conduct an assessment of their privacy and security practices, identify gaps, and create corrective action plans to comply with regulatory obligations and expectations.
4. Privacy Settings and Opt-Out Options Must Be Clearly Disclosed to Consumers
In line with its focus on enforcing consumer expectations, the FTC further targeted Venmo over its confusing opt-out settings. In its complaint, the FTC alleges that Venmo required consumers to change not one but two default settings, under two different menus, in order to keep information private. Even if the consumer set one setting to the highest level of privacy, failure to change both settings would ‘override’ the consumer’s clear request to keep information private, and the dual opt-out requirement was not made clear to consumers. The FTC took issue with Venmo’s failure to clearly inform consumers of the existence of these privacy settings, its failure to provide clear instructions on how to use the settings, and its policy on the treatment of private information when the two settings disagreed.
Given the FTC’s focus on clear disclosures and consumer education, companies should consider reviewing their practices to ensure that the least sophisticated consumer can (1) easily determine how to protect his personal information and (2) still meaningfully utilize the requisite technology to receive the desired product or service.
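The two-menu override described above is, at bottom, a settings-resolution rule that picks the less restrictive of two overlapping values. The block below is an added illustration, not Venmo's code: it places that weak rule beside a hardened one that honours the consumer's most restrictive choice, flags the discrepancy for the user instead of resolving it silently, and exposes a single control that writes every underlying setting. The setting names new_transactions and transaction_history, the level names, and the viewer categories are assumptions constructed for the example.

```python
"""Resolving two overlapping privacy settings: silent override vs. honouring the user.

Added illustration, not Venmo's code. The two setting names below are
assumptions that model the complaint's "two default settings under two
different menus"; the level names and viewer categories are constructed.
"""
from typing import Dict

# Lower rank = more private.
RANK = {"private": 0, "friends": 1, "public": 2}

# The two underlying settings (assumed names): one governs new transactions,
# the other the visibility of the existing transaction history.
SETTING_KEYS = ("new_transactions", "transaction_history")


def effective_visibility_weak(settings: Dict[str, str]) -> str:
    """The behaviour the FTC objected to: the LESS restrictive setting wins,
    so a consumer who set one menu to private still publishes if the other
    menu was left at its public default."""
    return max((settings[k] for k in SETTING_KEYS), key=RANK.__getitem__)


def effective_visibility_hardened(settings: Dict[str, str]) -> Dict[str, object]:
    """Honour the consumer's most restrictive choice and surface any
    discrepancy instead of silently resolving it."""
    values = [settings[k] for k in SETTING_KEYS]
    effective = min(values, key=RANK.__getitem__)
    conflict = len(set(values)) > 1
    return {
        "visibility": effective,
        "conflict": conflict,
        # A conflict is a UX defect to fix, not a rule to apply quietly.
        "action": "prompt_user_to_confirm" if conflict else None,
    }


def set_privacy(settings: Dict[str, str], choice: str) -> Dict[str, str]:
    """One user-facing control that writes every underlying setting, so the
    consumer never has to discover a second menu to get what they asked for."""
    if choice not in RANK:
        raise ValueError(f"unknown privacy level: {choice!r}")
    for k in SETTING_KEYS:
        settings[k] = choice
    return settings


def is_visible_to(settings: Dict[str, str], viewer: str) -> bool:
    """Enforce the hardened resolution at read time.
    viewer is one of 'owner', 'friend', 'public' (constructed categories)."""
    level = effective_visibility_hardened(settings)["visibility"]
    if viewer == "owner":
        return True
    if level == "private":
        return False
    if level == "friends":
        return viewer == "friend"
    return True


if __name__ == "__main__":
    # Constructed state: the consumer switched one menu to private and never
    # found the second one.
    s = {"new_transactions": "private", "transaction_history": "public"}
    print("weak:", effective_visibility_weak(s))          # public
    print("hardened:", effective_visibility_hardened(s))  # private, conflict flagged
```

The read-time check in is_visible_to is deliberately built on the hardened resolver rather than on either raw setting, so a stale value in one menu can never widen exposure on its own; the conflict flag is what a product team would wire to the "clear instructions" the FTC asked for.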
5. Technology Can Increase Privacy, but Its Use Comes with an Obligation to Inform the Consumer of the Benefits and Risks of the Technology Used
Increasing privacy protections by incorporating multi-factor authentication, fingerprint recognition, and the ability to opt out of and modify data sharing is one step in the right direction. Nonetheless, one of the easiest ways a company can run afoul of regulators is by failing to understand or acknowledge not only the benefits of innovative services and technology but, most importantly, the areas which are still developing. Only by informing themselves can companies adequately inform consumers.
The FTC clearly advises companies: “Customers appreciate choices, but they need to understand what they are choosing. If you provide privacy options, make it straightforward for consumers to select options that best match their privacy preferences—and then honor their choices.”
In seeking to avoid similar regulatory actions, and increasingly common data privacy litigation, companies should take a clear look at these five privacy areas and implement appropriate compliance measures.