Disclosures to the public about privacy practices must be completely accurate and must be clear and conspicuous, as demonstrated by the Federal Trade Commission’s recent settlement with PayPal. In that matter, as set out in the FTC complaint, PayPal allegedly described its protection of customers’ financial information as subject to “bank-grade security systems and data encryption.” According to the FTC, that was false, since PayPal failed to provide security notices of account changes, allowing hacking to take over some consumer accounts. PayPal also allegedly failed to have a written information security program, failed to assess reasonably foreseeable risks, and failed to provide adequate customer support to investigate consumer reports of the compromise of their accounts. In addition, the FTC charged that PayPal’s privacy notices were not in clear and conspicuous places, being accessible in a dark grey typeface against a light grey background, were inaccurate with regard to default settings, and were not delivered reasonably. The FTC brought its case against PayPal as a violation of the Gramm-Leach-Bliley Act, but the FTC’s message that privacy policies must be accurate and clear and conspicuous transcends the financial services industry.