Date: 08/30/2024
Subject: Request for Information Regarding Data Collection and Use for On-Hold Payments
I am writing to formally request detailed information regarding the data collection, handling, and sharing practices associated with the on-hold payments related to my VISA card, which was issued from a private, secure credit card linked to a stocks fund.
Specifically, I seek clarification on the following points:
1. Identity of Data Recipients:
- Who is responsible for collecting and processing the information provided in response to questions asked during the on-hold payment process?
- Who receives and has access to this information within your organization?
2. Purpose of Data Collection:
- What is the specific purpose of asking for the information during the on-hold payment process?
- Why is this information necessary, and how does it relate to the authorization or processing of payments?
3. Nature of the Information Requested:
- Who are the individuals or entities for whom this information is requested?
- What specific types of information are being requested from cardholders during this process?
4. Data Sharing Practices:
- Is the collected information shared with any third parties, including but not limited to banks, financial institutions, or other service providers?
- If so, please provide the identities of these third parties and the purpose for which the information is shared.
- In the absence of explicit evidence connecting this information to third-party banks, please explain the rationale for the questions asked.
5. Data Security and Privacy Protections:
- What measures are in place to ensure the security and confidentiality of the information collected?
- How long is this information retained, and under what conditions is it stored or disposed of?
Given the sensitive nature of this matter and the implications for privacy and data protection, I would appreciate a prompt and thorough response to my inquiries. I believe it is my right as a cardholder to fully understand how my information is being handled and for what purpose.
Please provide a response within 10 days from the date of this letter. Failure to provide satisfactory responses may compel me to seek further legal advice or report the matter to relevant regulatory authorities.
Thank you for your prompt attention to this matter. I look forward to your detailed response.
I appreciate you for bringing this to our attention, GARRETTL. I'm here to share information about the Data Collection and Use for On-Hold Payments.
QuickBooks Payments allows you to process your payments in QuickBooks Online. If you've been notified that your recently accepted payment is on hold, this doesn't mean anything is wrong. It simply implies that we're still reviewing the payment to ensure that everything is accurately processed.
While I can't provide an answer to each of your questions, what we promise to do is to use customer data to help our customers improve their financial lives. This means we help them make or save money, be more productive, and be in compliance.
You can refer to this page about Intuit's data stewardship principles: https://www.intuit.com/privacy/data-stewardship-principles/.
I'm aware that I've not addressed each of your questions, and you can consider contacting our payments support team again because they are the ones who can give you accurate information regarding why there are times when funds are placed on hold. Know that you can contact them through this time frame: for Plus, Essentials, Simple Start M-F 6 AM to 6 PM PT and Saturday 6 AM to 3 PM PT and for Advanced, any time, any day.
For future reference, I'm adding this article to learn more about QuickBooks Payments: Common questions about QuickBooks Payments deposits in QuickBooks Online.
Feel free to reply to this post if you have more queries regarding your payments-related topics.
Hello @JuryL,
My small business has to deal with federal agencies, some of which are active law enforcement, and is in the process of gaining contracts with homeland security agencies.
Thank you for your response and for sharing QuickBooks’ perspective on the matter. However, there are several critical issues and legal concerns that your explanation does not adequately address. Below is a detailed response to each of the points raised:
Regarding your statement that the payment is on hold for further review, it remains unclear why such extensive information is being collected, especially when it appears to have no direct relevance to the transaction in question. The explanation provided about ensuring accurate processing does not justify the extensive data collection, including personal and sensitive information, particularly when there is no clear, direct relationship between the information requested and the payment’s processing. Furthermore, the withholding of funds without transparent reasoning and the lack of clear, upfront communication may constitute deceptive business practices under various consumer protection laws, including the Washington Consumer Protection Act and the Federal Trade Commission Act.
While QuickBooks has disclosed that Intuit Payments manages the data, it fails to clarify the necessity and legal basis for requiring such extensive personal information from clients, particularly when there is no clear consent from the end users for such data processing. The statement that the data is managed by payment processing, compliance, and other teams does not sufficiently justify the breadth of information being requested, nor does it address the potential overreach in data collection practices. Moreover, the undisclosed background checks on clients without their explicit consent may violate the Fair Credit Reporting Act (FCRA) and other state-specific privacy laws, such as the Colorado Privacy Act.
The assertion that data collection is necessary for anti-money laundering, counter-terrorism financing, identity verification, and fraud prevention is understood within the context of compliance with the USA PATRIOT Act and the Bank Secrecy Act. However, there is no evidence that the data requested is proportionate to these stated purposes, particularly when it involves clients who have no known connection to such activities. Furthermore, the use of this data for broad purposes, including business process enhancement and tailoring user experiences, may exceed the reasonable expectations of privacy for users and could potentially violate privacy rights under the Gramm-Leach-Bliley Act and various state laws.
The collection of highly sensitive information, such as government-issued identification, tax filings, and personal or business records, raises significant privacy concerns, particularly when it is unclear how this information is specifically used to validate the transaction in question. Cross-referencing this information with third-party databases without explicit client consent further exacerbates these concerns and may violate the Fair Credit Reporting Act and other state-specific consumer protection laws, such as the New Mexico Unfair Practices Act.
The broad sharing of collected data with financial institutions, service providers, credit bureaus, and even within the Intuit group raises serious concerns about the potential misuse of personal data. Without explicit consent from the client, sharing data with third parties, especially for purposes beyond the scope of the original transaction, could violate both federal and state privacy laws, including the Gramm-Leach-Bliley Act and the Colorado Privacy Act. The lack of transparency in these practices may also constitute unfair or deceptive trade practices under the Federal Trade Commission Act and the Washington Consumer Protection Act.
While it is acknowledged that QuickBooks follows industry-standard security measures like PCI DSS and NACHA requirements, the concerns here go beyond the mere security of data. The key issues involve the legal justification for collecting and retaining such sensitive information in the first place. The retention of data for an unspecified period and its eventual destruction, while standard practice, does not address the core issue of whether the data collection itself is necessary and proportionate. This could potentially violate data minimization principles under various privacy laws, including the Florida Information Protection Act (FIPA).
The response provided by QuickBooks does not sufficiently address the serious legal concerns related to data privacy, consumer protection, and the unauthorized withholding of funds. The practices described, including the collection of extensive personal data without clear consent and the misleading explanations provided for withholding payments, may violate multiple consumer protection and privacy laws, including:
- Washington Consumer Protection Act (RCW 19.86)
- New Mexico Unfair Practices Act (NMSA 1978, Section 57-12-1)
- Colorado Consumer Protection Act (C.R.S. § 6-1-105)
- Florida Deceptive and Unfair Trade Practices Act (FDUTPA)
- Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)
- Federal Trade Commission Act (15 U.S.C. §§ 41-58)
- Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.)
Given the gravity of these concerns, I reiterate my demand for a detailed explanation and immediate resolution. I also urge QuickBooks to reassess its data collection and sharing practices to ensure full compliance with applicable laws.
This is what I’m struggling to understand in relation to QuickBooks' actions, as outlined in this link: Being impacted by QuickBooks Actions
QuickBooks claims that their actions are in compliance with various legal requirements, but what they are actually doing amounts to conducting investigations without warrants on individuals and businesses, even though no formal charges have been brought against them. This means they are holding funds from small businesses without any legitimate legal justification tied to the transactions themselves.
There is no evidence of wrongdoing, no indication of funding terrorism, or any involvement in terrorist activities. Yet, QuickBooks is grossly breaching consumer protection laws, violating the Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.), and abusing the rights of consumers and businesses. Additionally, their actions may violate laws governing search warrants, which require that searches and investigations involving personal information be conducted under legal authority and with due process.
Specifically, the actions taken by QuickBooks may violate the following laws:
- Federal Trade Commission Act (15 U.S.C. §§ 41-58): Prohibits unfair or deceptive acts or practices in commerce. Holding funds without legal cause or misrepresenting the reason for such actions may constitute a violation of this act.
- Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.): Regulates the collection, dissemination, and use of consumer information, including background checks. QuickBooks’ unauthorized background checks and the subsequent withholding of funds may violate this federal law.
- Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809): Requires financial institutions to protect the confidentiality and security of consumer information. The overreach in data collection and lack of transparency regarding the use of this information may constitute a breach of this law.
- Fourth Amendment to the U.S. Constitution: Protects individuals from unreasonable searches and seizures by the government. While QuickBooks is not a government entity, its actions—conducting what amounts to unwarranted investigations without the legal authority to do so—raise significant concerns. Holding funds and demanding personal information under the guise of compliance, without any formal charge or evidence, mirrors actions that would typically require a search warrant if conducted by a governmental body. This behavior is in direct conflict with the legal protections that prevent unwarranted intrusions into personal and business affairs.
- Washington Consumer Protection Act (RCW 19.86): Prohibits unfair or deceptive acts in commerce. QuickBooks’ actions, including misleading statements about the purpose of information requests and holding funds without clear cause, may violate this state law.
- New Mexico Unfair Practices Act (NMSA 1978, Section 57-12-1): Prohibits deceptive trade practices. Holding funds without legitimate cause and conducting unauthorized investigations on individuals may constitute a violation of this act.
- Colorado Consumer Protection Act (C.R.S. § 6-1-105): Prohibits deceptive trade practices. The unjustified withholding of funds and the unauthorized collection of personal information may violate this law.
- Florida Deceptive and Unfair Trade Practices Act (FDUTPA, Chapter 501, Part II, Florida Statutes): Prohibits unfair and deceptive practices in trade or commerce. QuickBooks’ actions, including the withholding of funds without valid legal reasoning, may violate this state law.
QuickBooks needs to explain how its actions comply with these federal and state laws. The lack of transparency and the apparent overreach in their practices are deeply concerning and appear to be in direct conflict with the protections afforded under these laws. Their conduct, which effectively mimics a search and investigation without proper legal authority, contradicts the principles that typically require a warrant for such actions. Please help me make sense of this situation, as the current justification provided by QuickBooks does not align with the legal standards that should govern such transactions.
As stated previously:
My small business has to deal with federal agencies, some of which are active law enforcement, and is in the process of gaining contracts with homeland security agencies.
Thank you for your response and for sharing QuickBooks’ perspective on the matter. However, there are several critical issues and legal concerns that your explanation does not adequately address. Below is a detailed response to each of the points raised:
Regarding your statement that the payment is on hold for further review, it remains unclear why such extensive information is being collected, especially when it appears to have no direct relevance to the transaction in question. The explanation provided about ensuring accurate processing does not justify the extensive data collection, including personal and sensitive information, particularly when there is no clear, direct relationship between the information requested and the payment’s processing. Furthermore, the withholding of funds without transparent reasoning and the lack of clear, upfront communication may constitute deceptive business practices under various consumer protection laws, including the Washington Consumer Protection Act and the Federal Trade Commission Act.
While QuickBooks has disclosed that Intuit Payments manages the data, it fails to clarify the necessity and legal basis for requiring such extensive personal information from clients, particularly when there is no clear consent from the end users for such data processing. The statement that the data is managed by payment processing, compliance, and other teams does not sufficiently justify the breadth of information being requested, nor does it address the potential overreach in data collection practices. Moreover, the undisclosed background checks on clients without their explicit consent may violate the Fair Credit Reporting Act (FCRA) and other state-specific privacy laws, such as the Colorado Privacy Act.
The assertion that data collection is necessary for anti-money laundering, counter-terrorism financing, identity verification, and fraud prevention is understood within the context of compliance with the USA PATRIOT Act and the Bank Secrecy Act. However, there is no evidence that the data requested is proportionate to these stated purposes, particularly when it involves clients who have no known connection to such activities. Furthermore, the use of this data for broad purposes, including business process enhancement and tailoring user experiences, may exceed the reasonable expectations of privacy for users and could potentially violate privacy rights under the Gramm-Leach-Bliley Act and various state laws.
The collection of highly sensitive information, such as government-issued identification, tax filings, and personal or business records, raises significant privacy concerns, particularly when it is unclear how this information is specifically used to validate the transaction in question. Cross-referencing this information with third-party databases without explicit client consent further exacerbates these concerns and may violate the Fair Credit Reporting Act and other state-specific consumer protection laws, such as the New Mexico Unfair Practices Act.
The broad sharing of collected data with financial institutions, service providers, credit bureaus, and even within the Intuit group raises serious concerns about the potential misuse of personal data. Without explicit consent from the client, sharing data with third parties, especially for purposes beyond the scope of the original transaction, could violate both federal and state privacy laws, including the Gramm-Leach-Bliley Act and the Colorado Privacy Act. The lack of transparency in these practices may also constitute unfair or deceptive trade practices under the Federal Trade Commission Act and the Washington Consumer Protection Act.
While it is acknowledged that QuickBooks follows industry-standard security measures like PCI DSS and NACHA requirements, the concerns here go beyond the mere security of data. The key issues involve the legal justification for collecting and retaining such sensitive information in the first place. The retention of data for an unspecified period and its eventual destruction, while standard practice, does not address the core issue of whether the data collection itself is necessary and proportionate. This could potentially violate data minimization principles under various privacy laws, including the Florida Information Protection Act (FIPA).
The response provided by QuickBooks does not sufficiently address the serious legal concerns related to data privacy, consumer protection, and the unauthorized withholding of funds. The practices described, including the collection of extensive personal data without clear consent and the misleading explanations provided for withholding payments, may violate multiple consumer protection and privacy laws, including:
- Washington Consumer Protection Act (RCW 19.86)
- New Mexico Unfair Practices Act (NMSA 1978, Section 57-12-1)
- Colorado Consumer Protection Act (C.R.S. § 6-1-105)
- Florida Deceptive and Unfair Trade Practices Act (FDUTPA)
- Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)
- Federal Trade Commission Act (15 U.S.C. §§ 41-58)
- Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.)
Given the gravity of these concerns, I reiterate my demand for a detailed explanation and immediate resolution. I also urge QuickBooks to reassess its data collection and sharing practices to ensure full compliance with applicable laws.