The payment app Venmo, which is a staple of life for many millennials, gave investors a nasty shock last week when its parent company, PayPal, disclosed in a recent SEC filing that it is under investigation by the Federal Trade Commission.
The FTC and PayPal (PYPL) have yet to say a word about just what Venmo did to land in hot water. But on Friday, a pretty big clue emerged about what the agency is looking into.
The clue comes in the form of a settlement document between Venmo and the Attorney General of Texas. The document describes a host of privacy violations, including an “autofriend” feature that scrapes the contact list from a user’s phone, and Venmo’s default setting of making payments public. It also says that Venmo shall not tell users it offers “bank-grade security” unless the claim is true.
To understand why this matters, it’s helpful to know how Venmo, which is soaring in popularity, operates in the first place. I only began using it last year, and was startled about some of its features.
Get Data Sheet, Fortune’s technology newsletter.
First off, it’s incredibly easy to use and obviates the age-old problem of having to settle a bar tab or dinner check with friends who don’t have cash. You just type in their name and, zap, you pay them instantly — no matter what bank they use, and without any service fee. You can also set it up in minutes; I did it on my phone in a bar.
While the convenience is a delight, Venmo also has some unsettling aspects. For instance, it somehow knows everyone you know. And, in a feature that’s weird to non-millennials like me, Venmo publishes a news stream of financial transactions among your friends and others – you see (presuming you care) that John paid Ahmed for beer, Raoul sent Alice money for tacos, et cetera.
I promptly turned this feature off and set my transactions to private, but many other people have not. This is what may have led the Texas Attorney General to require Venmo, within 90 days, to tell users “clearly and conspicuously” that it makes certain features public unless users take steps to turn them off.
The Texas settlement document also alludes to a variety of other misbehaviors by Venmo. For instance, it says that the company must tell users how to reach customer service, and stop sending emails that appear to come from a user’s friend.
A fine and another investigation
The Texas settlement will require Venmo to pay a relatively paltry fine of $175,000 to the state and make a series of changes in how it does business. The more interesting question is what this means for the investigation by the FTC, which serves as America’s top privacy cop.
A Venmo spokesperson, in response to a question about the regulatory attention, said the company is cooperating with Texas and federal authorities.
“This agreement is a result of PayPal working in good faith and collaborating with the State of Texas to create a better experience for our Venmo users,” said the spokesperson by email. “Consumers entrust us to move and manage their money and we take that responsibility seriously.”
A spokesperson from the FTC said the agency does not comment on ongoing investigations, and that it could only confirm that the Venmo matter is ongoing.
The Trends PayPal Cofounder Max Levchin Thinks Will Change the World
A source familiar with the matter, who did not want to be identified, said that Venmo has yet to receive formal questions from the FTC, which suggests any investigation is still in an early stage. The person also said the company has not heard from other state regulators.
If the FTC does decide to collar Venmo, it’s unlikely to result in a fine or any serious business constraints, because the U.S agency doesn’t have the power to swoop in and impose penalties, unlike privacy cops in other countries. Instead it has to rely on its power to police “unfair and deceptive” trade practices.
In practice, this means a company ends up under a so-called “consent decree” that forces it to follow certain rules or else face a fine. The arrangement is so familiar that nearly every tech company — Google, Facebook, Snapchat, etc — is under a consent decrees based on fast-and-loose behavior from their early days.
Why Venmo Stopped This Woman From Using its App
Is it possible to say for certain that the FTC will follow in the footsteps of Texas? No, it’s not. But as the relevant federal and state laws (in this case the Texas Trade Deceptive Act) are quite similar, it would be surprising if the FTC does not act on some of the same objections, particularly the contact list scraping and the public setting default.
The outcome is likely to be that in the coming year, the FTC will unveil a settlement scolding Venmo for privacy violations. But overall, the peer-to-peer payment firm will keep on moving money.