Venmo is a peer-to-peer mobile payments service that PayPal acquired in 2013. Users can transfer money to another person using a mobile or web application (e.g., send money to a friend to split the cost of dinner). On May 20, 2016, Texas Attorney General Ken Paxton announced that Texas had entered into an Assurance of Voluntary Compliance agreement with PayPal to resolve its investigation of Venmo regarding potential violations of Texas’ Deceptive Trade Practices – Consumer Protection Act. The resolution involved a $175,000 payment by PayPal and a commitment to implement certain business practices. There was no admission of wrongdoing and no allegations of actual harm to any individual.
Allegations by the Texas Attorney General’s Consumer Protection Division related to Venmo’s payment service included: (1) the application’s privacy and security disclosures to users were confusing and deficient; (2) Venmo used consumers’ phone contacts without clearly disclosing how the contacts would be used and how consumers’ transactions and interactions with other users would be shared (specifically, the “Add Friends When They Join” feature); and (3) there were misrepresentations that communications from Venmo were actually from Venmo users.
Under the terms of the Assurance of Voluntary Compliance, for the Venmo service, PayPal agreed to:
- Clearly and conspicuously disclose to users the type of information from their contact list that Venmo is accessing, the authorized uses, how the “autofriend” feature works (including how to disable it), and, during enrollment of a new user, that any other Venmo user who has that new user listed as a contact will be notified that the new user has joined Venmo if the autofriend feature is not disabled.
- Ensure that disclosures regarding the security of the Venmo service are true and correct, including no longer representing that it provides “bank-grade security” unless the statement is true and correct.
- Disclose the audience setting in close proximity, at the time of a transaction submission.
- When a user receives notice of a payment or withdrawal of funds, clearly and conspicuously disclose when the transaction will be final and any circumstances that may affect the ability to withdraw funds.
- Disclose any optional security features “available to secure” the Venmo service at the time of a transaction (e.g., the ability to add a passcode lock to the account).
- Disclose during enrollment of new users or immediately after the default audience sharing settings, what buyer or seller protection options there may be, what types of transactions are prohibited, circumstances that may affect a user’s ability to withdraw funds, any optional password features available to secure the service, and information about how the autofriend feature works and can be disabled. These disclosures also have to be sent by email to the user within 24 hours of enrollment.
- Disclose how consumers can contact Venmo customer service and have a customer service solution available to consumers at reasonable hours.
- Not send messages that purport to be from a Venmo user unless the user expressly authorizes Venmo to send the message.
- Provide an easily accessible method for users to view disclosures required by the Agreement, including an in-app disclosure.
The $175,000 payment by PayPal was segmented into $135,000 to the state of Texas and $40,000 to the Texas Attorney General for attorneys’ fees.
The Texas Attorney General investigation and resolution with Venmo is similar to a March 2016 consent order between the CFPB and Dwolla. Dwolla agreed to pay a $100,000 fine and implement, to the extent not already in place, reasonable and appropriate security measures to protect customers’ personal information. These enforcement actions show the continued appetite by regulators to scrutinize “mobile payments” solutions. The Venmo resolution also highlights the importance of privacy and security due diligence during acquisitions.