Venmo, Strava, and Why They Haven’t Been Fined €20,000,000

Venmo describes itself on Google as “a free digital wallet.” A Paypal subsidiary, it allows people to request and send payments through their phones. In Q1 2018, it transferred $12 billion in payments. People have told me they’ll “venmo me,” forcing me to join the platform. Nobody has ever said they would “square me” or “zelle me.” On the other hand, Venmo “doesn’t directly generate all that much revenue.”

Venmo’s distinguishing characteristic is that it shoves the financial activity of people you might possibly know in your face in real time. To achieve this feat, it:

1. Defaults the privacy setting to “Public” on install. This violates data protection by default.

Note the tiny “Public” text and even tinier world clipart

2. Publishes incorrect instructions on how to make activity private (allegedly). If true, this violates data protection by design (because well-designed data protection means you understand how your product works).

3. Hides the settings to make activity private behind a byzantine process (allegedly). Federal Trade Commission lawyers took 5 pages to document this process. If true, this violates both data protection by design and default.

(“Accomplishments” 2 and 3 may have been patched following Paypal’s recent settlement with the FTC.)

These “accomplishments” have had the following results:

1. Venmo users may be data-mined to discover their habits, such as how often they gamble, how much money they gamble away, and with whom.

2. Venmo users experience “Venmo anxiety”:

“Seeing these transactions — even among people I have no desire to be hanging out with — creates a sense of emptiness and unease. It’s like, ‘S–t, everybody is doing something on Thursday night, and I’m sitting and reading my book. Am I a loser?’”

3. Venmo was fined under the GDPR. Wait, it hasn’t been. Why not?

Venmo hasn’t been fined because the GDPR only applies to data controllers and processors operating in the European Economic Area (EEA) or targeting people therein.

This is a common mistake American companies made right before the GDPR became effective. They would publish statements such as “this policy was updated to comply with the GDPR” or “our Data Protection Officer is Abradolf Lincler.”

Are you subjecting yourself to GDPR jurisdiction for no reason? Are you aware of the duties you owe to a Data Protection Officer?

If you are interested in a review of these or related matters, feel free to contact me.
