162 3102

UNITED STATES OF AMERICA
BEFORE THE FEDERAL TRADE COMMISSION

COMMISSIONERS: Joseph J. Simons, Chairman
               Maureen K. Ohlhausen
               Noah Joshua Phillips
               Rohit Chopra
               Rebecca Kelly Slaughter

In the Matter of
PAYPAL, INC., a corporation.

DECISION AND ORDER
DOCKET NO. C-4651

DECISION

The Federal Trade Commission (“Commission”) initiated an investigation of certain acts and practices of Respondent named in the caption. The Commission’s Bureau of Consumer Protection (“BCP”) prepared and furnished to Respondent a draft Complaint. BCP proposed to present the draft Complaint to the Commission for its consideration. If issued by the Commission, the draft Complaint would charge Respondent with violation of the Federal Trade Commission Act.

Respondent and BCP thereafter executed an Agreement Containing Consent Order (“Consent Agreement”). The Consent Agreement includes:

1) statements by Respondent that it neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Decision and Order, and that only for purposes of this action, it admits the facts necessary to establish jurisdiction; and

2) waivers and other provisions as required by the Commission’s Rules.

The Commission considered the matter and determined that it had reason to believe that Respondent has violated the Federal Trade Commission Act, and that a Complaint should issue stating its charges in that respect. The Commission accepted the executed Consent Agreement and placed it on the public record for a period of 30 days for the receipt and consideration of public comments. The Commission duly considered the comments received from interested persons pursuant to Commission Rule 2.34, 16 C.F.R. § 2.34. Now, in further conformity with the procedure prescribed in Commission Rule 2.34, the Commission issues its Complaint, makes the following Findings, and issues the following Order:

FINDINGS

1.
Respondent PayPal, Inc., operating as Venmo, is a Delaware corporation with its principal office or place of business at 2211 North First Street, San Jose, California 95131.

2. The Commission has jurisdiction over the subject matter of this proceeding and over Respondent, and the proceeding is in the public interest.

DEFINITIONS

For purposes of this Order, the following definitions apply:

A. “Clearly and conspicuously” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:

1. In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure (“triggering representation”) is made through only one means.

2. A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.

3. An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.

4. In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.

5. The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the triggering representation appears.

6. The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.

7.
The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.

8. When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, “ordinary consumers” includes reasonable members of that group.

B. “Close proximity” means that the disclosure is very near the triggering representation. For example, a disclosure made through a hyperlink, pop-up, interstitial, or other similar technique is not in close proximity to the triggering representation.

C. “Covered information” means information from or about a User, including: (a) a first and last name; (b) a physical address; (c) an email address or other online contact information, such as a user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a financial institution account number; (g) credit or debit card information; or (h) transaction information.

D. “Privacy setting” shall include any control or setting provided by Respondent that allows a user to limit or restrict which individuals or entities can access or view covered information.

E. “Respondent” means PayPal, Inc. and its successors and assigns.

F. “Transaction information” means information from or about a Payment and Social Networking Service transaction, including (a) the participants to the transaction; (b) the date of the transaction; or (c) any accompanying message or other descriptor related to the transaction.

G. “User” means any person with a Payment and Social Networking Service account.

H. “Payment and Social Networking Service” means any app or website owned and operated by Respondent that allows consumers to make payments and to share information regarding such payments with other Users through a social network owned and operated by Respondent.

I.
“Venmo” means the wholly or partially owned subsidiary, unincorporated division or business unit, or affiliate of PayPal, Inc., however denominated, that operates the Payment and Social Networking Service currently branded as Venmo.

ORDER

PROHIBITED MISREPRESENTATIONS

I. IT IS ORDERED that Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, promotion, offering for sale, sale, or use of any Payment and Social Networking Service must not misrepresent or assist others in misrepresenting, expressly or by implication:

A. Any material restriction, limitation, or condition to use any Payment and Social Networking Service; and

B. The extent to which Respondent, in connection with any Payment and Social Networking Service, protects the privacy, confidentiality, security, or integrity of any covered information, including:

1. The extent to which a consumer may exercise control over the disclosure of any covered information from or about a User and the steps a User must take to implement any such controls; and

2. The extent to which Respondent implements or adheres to a particular level of security.

REQUIRED DISCLOSURES

II. IT IS FURTHER ORDERED that:

A.
Within one hundred and fifty (150) days of the effective date of this Order, Respondent, and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, when making any representation through any Payment and Social Networking Service, expressly or by implication, about the availability of funds to be transferred or withdrawn to a bank account (1) must disclose, clearly and conspicuously, and in close proximity to such representation (a) that the transaction is subject to review and (b) the fact, if true, that funds could be frozen or removed as a result of transaction reviews performed during the bank transfer or withdrawal process, and (2) the representation must not be otherwise misleading.

B. Respondent must issue a notice to Users, within one hundred and fifty (150) days of the effective date of this Order as follows: (i) for Users who have installed a Payment and Social Networking Service as an app, through the app such that the notice appears when the User next opens the app or (ii) for Users who have not installed a Payment and Social Networking Service as an app, through a text message, email, or other communication sufficient to provide clear and conspicuous notice prior to the User’s next transaction. The notice shall disclose, clearly and conspicuously, and separate and apart from any “privacy policy,” “terms of use,” “end user license agreement,” or similar document, the fact, if true, that when a User attempts to transfer or withdraw funds to a bank account, Respondent (1) will perform transaction reviews, and (2) based on such review, may (i) block or delay the transfer or withdrawal, and/or (ii) reverse a payment transaction.

ADDITIONAL PRIVACY DISCLOSURES

III.
IT IS FURTHER ORDERED that, within one hundred and fifty (150) days of the effective date of this Order, and continuing thereafter, Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any Payment or Social Networking Service, must clearly and conspicuously disclose to each User, through the Payment and Social Networking Service, and separate and apart from any “privacy policy,” “terms of use,” “blog,” “helpful information” page, or similar document: (1) how the User’s transaction information will be shared with other Users; and (2) how the User can use privacy settings to limit or restrict the visibility or sharing of the User’s transaction information on the Payment and Social Networking Service. For Users that have already created an account when this disclosure is first issued, this disclosure must occur at or immediately prior to the time that the User next engages in a transaction through the Payment and Social Networking Service. For Users that have not created an account when this disclosure is first issued, this disclosure must occur at the time the User opens an account. This disclosure must not contain any other information.

GLB RULE PROVISIONS

IV. IT IS FURTHER ORDERED that Respondent, and Respondent’s officers, agents, employees and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any Payment and Social Networking Service, are hereby permanently restrained and enjoined from violating any provision of:

A. The Privacy of Consumer Financial Information Rule (Regulation P), 12 C.F.R. Part 1016; or

B. The Standards for Safeguarding Consumer Information Rule, 16 C.F.R. Part 314.
In the event that any of the statutory sections or rules identified in this Part are hereafter amended or modified, compliance with that statutory section or rule as so amended or modified shall not be a violation of this Order.

BIENNIAL ASSESSMENT REQUIREMENTS

V. IT IS FURTHER ORDERED that Respondent, and its successors and assigns, in connection with their compliance with Section IV(A) and (B) of this Order, shall obtain initial and biennial assessments and reports (“Assessments”) of the Venmo Payment and Social Networking Service from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the Order for the initial Assessment, and (2) each two-year period thereafter for ten (10) years after service of this Order for the biennial Assessments. Each Assessment shall:

A. Set forth the specific administrative, technical, and physical safeguards that Respondent has implemented and maintained during the reporting period;

B. Explain how such safeguards are appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the covered information collected from or about consumers;

C. Explain how the safeguards that have been implemented meet or exceed the protections required by Section IV(B) of this Order; and

D. Certify that Respondent’s security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the confidentiality, security, and integrity of covered information is protected and has so operated throughout the reporting period.

Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies.
The Assessment must be obtained from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. A professional qualified to prepare such Assessments must be: an individual qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); an individual holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission.

Respondent must submit the initial Assessment to the Commission within 10 days after the Assessment has been completed. Respondent must retain all subsequent biennial Assessments, at least until the Order terminates. Respondent must submit any biennial Assessments to the Commission within 10 days of a request from a representative of the Commission.

ACKNOWLEDGMENTS OF THE ORDER

VI. IT IS FURTHER ORDERED that Respondent obtains acknowledgments of receipt of this Order:

A. Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.

B. For 20 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.

C.
From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 60 days, a signed and dated acknowledgment of receipt of this Order.

COMPLIANCE REPORTS AND NOTICES

VII. IT IS FURTHER ORDERED that Respondent make timely submissions to the Commission:

A. One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes Respondent made to comply with the Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.

B. Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that provides a Payment and Social Networking Service.

C. Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.

D.
Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.

E. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re PayPal.

RECORDKEEPING

VIII. IT IS FURTHER ORDERED that Respondent must create certain records for 20 years after the issuance date of the Order, and retain each such record for 5 years, unless otherwise specified below. Specifically, Respondent must create and retain the following records:

A. accounting records showing the revenues from all Payment and Social Networking Services sold;

B. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;

C. copies or records of all consumer complaints regarding any Payment and Social Networking Service, whether received directly or indirectly, such as through a third party, and any response;

D. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission;

E. a copy of each unique Payment and Social Networking Service advertisement or other marketing material making a representation subject to this Order; and

F.
for 3 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment.

COMPLIANCE MONITORING

IX. IT IS FURTHER ORDERED that, for the purpose of monitoring Respondent’s compliance with this Order:

A. Within 10 days of receipt of a written request from a representative of the Commission, Respondent must submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.

B. For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.

C. The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

ORDER EFFECTIVE DATES

X. IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order.
This Order will terminate on May 23, 2038, or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:

A. Any Provision in this Order that terminates in less than 20 years;

B. This Order’s application to any Respondent that is not named as a defendant in such complaint; and

C. This Order if such complaint is filed after the Order has terminated pursuant to this Provision.

Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.

By the Commission.

Janice Podoll Frankle
Acting Secretary

SEAL:
ISSUED: May 23, 2018