PayPal To Shoppers: We Can E-Mail You, But You Have To Snail-Mail Us

Written by Mark Rasch
October 24th, 2012

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

When PayPal wanted to change a fundamental term of its contract on Sunday (Oct. 21), it communicated with its customers electronically, using E-mail and its Web site. But if consumers wanted to communicate about that change to PayPal, well, for some reason, 21st Century forms of communication were just inadequate. PayPal insisted on a more, shall we say, 6th Century BCE form of communication—a written and signed letter mailed or couriered to a specific physical address. If this seems fundamentally unfair, that’s probably because it is.

Most relationships between retailers and shoppers are dictated by some form of contract, typically online. This may be true even for purchases made in brick-and-mortar stores, as courts increasingly look to the online contract to determine the rights and responsibilities of parties even if the consumer never went online. But online contracts present a problem for merchants: How do you change them?

PayPal recently wanted to fundamentally change its relationship with its consumers by requiring them to forever give up their rights to sue PayPal individually or in any class action and to instead “agree” to binding arbitration. A pretty big deal. PayPal E-mailed the new agreement to its customers and put it on the company’s Web site. If you do nothing, voilà! You have agreed to arbitrate and waive your rights (and a bunch of other things). If you want to preserve the rights you already had, the PayPal terms state that you have to haul out your typewriter, find a piece of paper, type PayPal a letter, sign it, find an envelope, address and put a stamp on it, and then mail it to PayPal in San Jose. (OK, I made up the typewriter part.)

But the mechanism PayPal chose for consumers to continue to preserve a fundamental right was specifically designed to deter them from preserving their rights and, essentially, to force them to agree to the new terms. It’s not clear that a court would require consumers to jump through hoops to essentially not agree to changes to a contract, particularly where all other communications between the parties are electronic. Why make it so hard to agree?

The PayPal contract changes, effective November 1, do a lot of things—some big, some small. Those chances allow PayPal and any of its “family of companies” (including ebay) to record your telephone calls, even if you live in a state that doesn’t permit such recordings. Why? Because the Web site says you have now “consented” to the recordings—whether you read the Web site or not. No more warning, “Your calls may be monitored for ‘quality assurance.'” The changes allow PayPal or any of its “family” to robocall not only you but any telephone number you “provide” to PayPal. Oh, and you “provide” that number simply by calling PayPal from that number, even if you have registered on the “do not call” registry and do not want these robocalls.

But the most important change is the waiver of the right to sue. Two years ago, in a case called AT&T Mobility v. Concepcion, the Supreme Court held that mandatory arbitration agreements and waivers of class-action litigation and arbitration could be binding if they were agreed to. There are many advantages to arbitration, some even to consumers. Arbitration is meant to be a cheaper, faster, more efficient way to resolve disputes between the parties. It is essentially a “private justice” system. But it means there are no more class-action cases, no more publicly reported trials, almost no discovery or disclosure of corporate business practices, limited damages or statutory damages, and a greater likelihood that the arbitrator—who may depend for his or her livelihood on continuing to be “picked” by the company as an arbitrator—be more biased than an appointed judge. So a decision to waive the constitutional rights and protections of trial or jury trial should not be entered into lightly by consumers.

PayPal could have forced the arbitration agreement down the throats of consumers. It could have said, “If you don’t want to waive your right to trial, class action, discovery and a real judge, find another way to pay for things.” In fact, that’s the usual way of doing business. If you want a cell phone from AT&T, you have to waive these rights. You want Internet or phone or TV service from Comcast, arbitration is required. Find another provider—if you can. But PayPal wants to retain all its customers, so it created an “opt-out” procedure. PayPal’s Web site says explicitly that you can do so, noting:

You can choose to reject this Agreement to Arbitrate (“opt out”) by mailing us a written opt-out notice (“Opt-Out Notice”). You must mail the Opt-Out Notice to PayPal, Inc., Attn: Litigation Department, 2211 North First Street, San Jose, CA 95131.

The Opt-Out Notice must state that you do not agree to this Agreement to Arbitrate and must include your name, address, phone number, and the E-mail address(es) used to log in to the PayPal account(s) to which the opt out applies. You must sign the Opt-Out Notice for it to be effective. This procedure is the only way you can opt out of the Agreement to Arbitrate. If you opt out of the Agreement to Arbitrate, all other parts of the User Agreement, including all other provisions of Section 14 (Disputes with PayPal), will continue to apply. Opting out of this Agreement to Arbitrate has no effect on any previous, other or future arbitration agreements that you may have with us.

OK. So what’s so bad about this?


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.