[BreachExchange] Five Privacy Practices Every Company Should Address in the Wake of the FTC’s Enforcement Action against PayPal

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 8 17:16:09 EST 2018


https://www.jdsupra.com/legalnews/five-privacy-practices-every-company-54644/

Privacy is serious business. This was made clear in the Federal Trade
Commission’s (FTC) recent announcement that it had settled its complaint
against Venmo, PayPal’s peer-to-peer payment service, for
misrepresentations to consumers regarding privacy and security settings.
Although the terms of the settlement do not become final until approval by
the FTC on or about March 29 (after the conclusion of a public comment
period), there are at least five important lessons and practices that every
company should take stock of now.

1. Review Your Security Safeguards

The FTC focused on representations made by Venmo that it utilized “bank
grade security systems and data encryption” to protect transactions and
safeguard against unauthorized access to financial information. To
highlight how far Venmo’s security was from “bank grade,” the FTC singled
out specific safeguards that Venmo did not undertake. For example, the FTC
cited Venmo’s failure to provide consumers with security notifications
regarding changes to account settings (i.e., changes to a password or email
address, or the addition of a new device), Venmo’s failure to maintain adequate
customer support capabilities, and Venmo’s lack of urgency in responding to
reports of unauthorized transactions.

It is clear that the FTC considers notifications to consumers when there is
a change to their account settings or potential unauthorized access a basic
security measure. As a result, companies would be well advised to review
their privacy practices to ensure that these notifications are included as
part of their security program safeguards. Additionally, companies should
consider reviewing their customer support capabilities and employee
training to appropriately respond to consumer inquiries and timely escalate
reports of unauthorized transactions or access to information.

2. Fully Compliant Privacy Notices Are Mandatory

The FTC also found that Venmo was in violation of the Gramm-Leach-Bliley
Act (GLBA) by failing to implement safeguards to protect consumer data and
failing to deliver adequate privacy notices. The FTC focused on Venmo’s
failure to adequately disclose the steps required to make a transaction
private (rather than publicly available on Venmo’s news feed), failure to
notify users of security changes to customer accounts resulting in
fraudulent activity being missed as explained above, a failure to have a
written information security program prior to August 2014, and failure to
implement safeguards to protect the security, confidentiality, and
integrity of consumer data until March 2015. In settling with the FTC,
PayPal has consented to incurring the cost of biennial third-party
assessments of Venmo for the next 10 years to ensure that Venmo is no
longer misrepresenting, and is, in fact, affirmatively disclosing its
privacy and security settings to consumers.

The FTC expects companies to be privacy compliant and transparent with
customers. Even where companies have basic GLBA notices, if the form of the
notice is less than clear, the notice is inadequate. For example, the FTC
cited Venmo for failing to have a “clear and conspicuous” initial privacy
notice because Venmo used “grey text on a light grey background.” Likewise,
the FTC alleged that Venmo failed to deliver the initial privacy notice
because Venmo did not require customers to acknowledge receipt of an
initial privacy notice as a necessary step to obtaining a particular
financial product or service. These costly issues could be avoided by a
privacy-focused “best practices” review.

3. Privacy and Security Practices Must Address Reasonably Foreseeable Risks

Another takeaway from the Venmo settlement is a recent list of consumer
tips issued by the FTC that relates to the overlap between consumer
expectation and regulator focus. Consumers expect transactions in the
digital age to be both instant and private. As companies jockey to meet
these expectations and beat their competitors out for business and market
share, regulators are watching closely to make sure companies are not
cutting corners. The rise of social network advertising and the development
of new ways to provide services can be beneficial to profits and open the
market up to new types of consumers and transactions. However, in the race
to innovatively meet consumer service expectations, companies should not
lose sight of how terms of use and privacy and security settings are
portrayed. Consumers truly want it all, and omissions and
misrepresentations by companies won’t be tolerated.

Not only did the FTC broadly condemn Venmo for failing to comply with GLBA,
but it raised specific examples of non-compliance that make clear that the
FTC expects companies to have a thoughtful and well-reasoned privacy
notice. The FTC cited Venmo for failing to “assess reasonably foreseeable
internal and external risks to the security, confidentiality, and integrity
of consumer information.” It is clear from the FTC’s complaint against, and
settlement with, Venmo that companies must thoroughly assess their security
practices, plan for reasonably foreseeable risks, implement appropriate
security measures, and be transparent with consumers on security practices
and processes. As a result, it is prudent that companies conduct an
assessment of their privacy and security practices, identify gaps, and
create corrective action plans to comply with regulatory obligations and
expectations.

4. Privacy Settings and Opt-Out Options Must Be Clearly Disclosed to
Consumers

In line with its focus on enforcing consumer expectations, the FTC further
targeted Venmo over its confusing opt-out settings. In its complaint, the
FTC alleges that Venmo required consumers to change not one but two default
settings under two different menus in order to keep information private.
Even if the consumer set one setting to the highest level of privacy,
failure to change both settings would ‘override’ the consumer’s clear
request to keep information private, and the dual opt-out requirement was
not made clear to consumers. The FTC took issue with Venmo’s failure to
clearly inform consumers on the existence of these privacy settings,
failure to provide clear instructions on how to use the settings, and
Venmo’s policy relating to treatment of private information when the two
settings had a discrepancy.

Given the FTC’s focus on clear disclosures and consumer education,
companies should consider reviewing their practices to ensure that the
least sophisticated consumer can (1) easily determine how to protect his
personal information and (2) still meaningfully utilize the requisite
technology to receive the desired product or service.

5. Technology Can Increase Privacy, but Its Use Comes with an Obligation to
Inform the Consumer of the Benefits and Risks of the Technology Used

Incorporating multi-factor authentication, fingerprint recognition, and the
ability to opt out of and modify data sharing is a step in the right
direction for increasing privacy. Nonetheless, one of the easiest ways a
company can run afoul of
regulators is by failing to understand or acknowledge not only the benefits
of innovative services and technology, but most importantly, the areas
which are still developing. Only by informing themselves can companies
adequately inform consumers.

The FTC clearly advises companies: “Customers appreciate choices, but they
need to understand what they are choosing. If you provide privacy options,
make it straightforward for consumers to select options that best match
their privacy preferences—and then honor their choices.”

In seeking to avoid similar regulatory actions, and increasingly common
data privacy litigation, companies should take a clear look at these five
privacy areas and implement appropriate compliance measures.