In 2021, a team of researchers at the University of Southern California downloaded more than 200 million Venmo transactions from the platform's public API—transactions that included usernames, dates, amounts, and the often-revealing memo lines users attach to payments. Among the data: payments labeled "rent," "therapy session," "plan B," political campaign contributions, and messages that revealed the nature of personal relationships. The dataset, which required no hacking or unauthorized access to obtain, demonstrated that Venmo had been operating as one of the largest publicly accessible databases of personal financial activity in the world.
Venmo, acquired by PayPal in 2013, was designed as a social payment platform—a deliberate fusion of financial transactions and social media interaction. The social feed, which displays friends' (and formerly strangers') payment activity in a scrollable timeline, was the feature that distinguished Venmo from competitors. But what was marketed as a fun, community-driven approach to payments created a system that exposed deeply private information about millions of users who never understood the privacy implications of their default settings.
The Privacy Settings Shell Game
Following the FTC's 2018 enforcement action, which fined PayPal $2 million for Venmo's misleading privacy disclosures, and sustained public pressure from privacy advocates, Venmo made changes to its default settings in 2021. The social feed now defaults to showing transactions only among friends rather than to all Venmo users. However, privacy researchers note that these changes were incremental and incomplete. Friends lists remain publicly visible by default, allowing anyone to map a user's social and financial network. Transaction visibility settings are buried several layers deep in the app's menu structure. And Venmo continues to nudge users toward sharing by displaying a social feed prominently on the home screen and sending notifications about friends' payment activity.
The Data PayPal Doesn't Want to Discuss
The privacy implications extend beyond what other users can see. Venmo's transaction data—including memo fields, payment frequency, merchant categories, and social connections—represents an extraordinarily detailed profile of user behavior. PayPal's privacy policy permits the use of this data for marketing, product development, and sharing with third-party partners. Following PayPal's acquisition of Honey, the browser extension that tracks shopping behavior, in 2020, privacy advocates raised concerns about the potential for combining Venmo's social transaction data with Honey's browsing and purchase data to create comprehensive consumer profiles. PayPal has not disclosed whether or how these datasets are integrated.
When asked about Venmo's ongoing privacy architecture, a PayPal spokesperson pointed to the 2021 default changes and stated that "user privacy is a top priority" and that "users have full control over their privacy settings." Privacy advocates counter that placing the burden of privacy on users, rather than building privacy into the default experience, is a design choice that consistently benefits the platform at the expense of users. Hang Do Thi Duc, the researcher whose 2018 "Public by Default" project first brought widespread attention to Venmo's privacy problems, put it simply: "When a company has to be forced by regulators to stop exposing your financial data, privacy is not their priority. Data is their priority."