safeguard the privacy rights of consumers.
3
EPIC has previously filed a complaint with the FTC
alleging many of the same harms identified in the PayPal matter.
4
EPIC has also routinely filed
many other complaints with the FTC regarding business practices that harm consumer privacy.
5
EPIC’s comments are divided into four sections. Section I sets out FTC’s legal obligations in
considering these comments before finalizing its consent order. Sections II and III summarize the
FTC complaint and consent order. Section IV lays out EPIC’s proposed modifications to the consent
order. In short, the FTC should require PayPal to (1) change Venmo’s default setting to private; (2)
obtain affirmative express consent before enacting any changes to its privacy settings; (3) make its
independent privacy assessments publicly available; (4) implement multi-factor authentication; and
implement the Fair Information Practices.
I. The FTC has a legal obligation to consider public comments prior to finalizing any
consent agreement.
The Administrative Procedure Act requires that the Commission take public comments
before finalizing any consent agreement and gives the Commission authority to modify an
3
Letter from EPIC Executive Director Marc Rotenberg to FTC Commissioner Christine Varney (Dec. 14,
1995) (urging the FTC to investigate the misuse of personal information by the direct marketing industry),
http://epic.org/privacy/internet/ftc/ftc_letter.html; See also EPIC, In the Matter of DoubleClick, Complaint
and Request for Injunction, Request for Investigation and for Other Relief, before the Federal Trade
Commission (Feb. 10, 2000), http://epic.org/privacy/internet/ftc/DCLK_complaint.pdf; EPIC, In the Matter of
Microsoft Corp., Complaint and Request for Injunction, Request for Investigation and for Other Relief, before
the Federal Trade Commission (July 26, 2001), http://epic.org/privacy/consumer/MS_complaint.pdf; EPIC, In
the Matter of Choicepoint, Request for Investigation and for Other Relief, before the Federal Trade
Commission (Dec. 16, 2004), http://epic.org/privacy/choicepoint/fcraltr12.16.04.html.
4
In the Matter of Uber Technologies, Inc. (2015) (Complaint, Request for Investigation, Injunction, and
Other Relief), Jun. 22, 2015, https://epic.org/privacy/internet/ftc/uber/Complaint.pdf.
5
In the Matter of Google Inc. (Complaint, Request for Investigation, Injunction, and Other Relief), July 31,
2017, https://www.epic.org/privacy/ftc/google/EPIC-FTC-Google-Purchase-Tracking-Complaint.pdf; In the
Matter of Genesis Toys and Nuance Communications (Complaint and Request for Investigation, Injunction,
and Other Relief), Dec. 6, 2016, https://epic.org/privacy/kids/EPIC-IPR-FTC-Genesis-Complaint.pdf; In the
Matter of Snapchat (Complaint, Request for Investigation, Injunction and Other Relief) May, 16, 2013,
https://epic.org/privacy/ftc/EPIC-Snapchat-Complaint.pdf; In the Matter of Google, Inc. (Complaint, Request
for Investigation, Injunction, and Other Relief), Feb. 16, 2010,
https://epic.org/privacy/ftc/googlebuzz/GoogleBuzz_Complaint.pdf; In the Matter of Facebook (Complaint,
Request for Investigation, Injunction, and Other Relief), Dec. 17, 2009,
https://epic.org/privacy/inrefacebook/EPIC-FacebookComplaint.pdf.