PayPal has settled Federal Trade Commission (FTC) charges that its popular money transferring app, Venmo, misled customers with confusing privacy settings. The FTC complaint is a lesson in the importance of user-friendly design in app privacy settings, as well as the privacy risks of combining financial transactions with social networking.
Money transferring apps are a popular—and sometimes necessary—modern convenience. While some users enjoy the social aspect of Venmo, others just want to split the bill without sharing. For the second camp, there seemed to be an easy solution: you could change the default audience for your transactions from “public” to “participants only.”
But even if you changed your default audience to transaction participants only, other Venmo users could still publicly share transactions they initiated with you, unless you also changed a second setting—one that controlled who could share your transactions (“everyone” or “only me”). That’s where the FTC came down on Venmo. The complaint argued that a reasonable user would assume that changing the default audience would apply to all of her transactions, making them visible only to the participants. The Commission charged PayPal with violating the FTC Act’s prohibition on deceptive trade practices, among other charges (including privacy and security violations under the Gramm-Leach-Bliley financial law).
Most consumer privacy enforcement in the US is based on the FTC’s authority to police deceptive business practices. In practice, this often boils down to enforcing the promises companies make in their privacy policies. Companies have enjoyed wide latitude to use your personal data as long as they tell you about it first. But, as the Venmo complaint re-affirms, companies can’t just expect their users to decipher confusing, obscured, or contradictory privacy settings. Privacy settings count as implicit, enforceable privacy promises. They need to be designed clearly and intuitively, with users’ expectations in mind.
The privacy charges against Venmo centered on the confusing design of its privacy settings, but there are other key design choices not directly addressed in the FTC’s complaint. For example, the FTC did not address the fairness of Venmo’s default settings. While there is no bright-line rule about default settings, defaults are one of the most consequential design choices a company can make, because permissive defaults require users to proactively go into their settings and make changes if they want more privacy. When users installed the Venmo app, the default sharing settings were set to share transactions publicly on Venmo’s social platform. That may not seem like a big deal in the context of a single app, but consider the number of services we use and the natural limits on the time and attention we each can devote to changing our privacy settings. It’s easy to see why default settings are so sticky and so powerful for shaping privacy norms.
Ideally, an app’s default settings should be privacy protective, not permissive. That is a hallmark of privacy by design. At a minimum, settings should roughly align with users’ expectations when they download an app. This is where blurring the lines between financial transactions and social networking gets tricky. Financial information is traditionally viewed (and treated) as sensitive, and its disclosure is subject to federal laws and detailed regulations. So consumers are justified in expecting higher privacy standards from financial apps. Social networks, on the other hand, were built for sharing. Combining the two is a potent design choice that raises real challenges for privacy norms. Importantly, Venmo doesn’t share the amount of money exchanged in a transaction, and users can be as cryptic as they want in labelling transactions. Still, as the trend of combining traditionally private functions with a social component continues, app developers need to face the full weight of their design choices.