US Judge Approves Plaid Privacy Suit Settlement

July 27, 2022
The California district court has ordered data aggregator Plaid to delete a vast amount of consumer data and pay $58m to those whose data was sold without consent.

  • Plaid agreed to pay $58m, delete vast data and upgrade data management practices
  • Settlement to serve as a benchmark for data aggregators, lawyers say

The order puts an end to five class action claims representing around 98m Plaid users who accused the fintech of using their banking login credentials to harvest and sell detailed financial data without their consent.

Plaid provides bank linking and verification services for fintech apps that consumers use to send and receive money from their financial accounts, such as Venmo, Coinbase, Cash App and Stripe.

Users of mobile and online payment apps alleged that Plaid misled them when it mimicked the login screens of their banks in the Plaid Link interface. By doing so, Plaid gave its interface “the look and feel” of login screens used by individual financial institutions.

Once it had gathered the login details, Plaid used that information to collect a significant amount of consumer banking data and routinely sold that data to third parties.

Although it is unknown how much profit the company generated from this exercise, Plaid’s annual revenue was estimated to hit $170m in December 2020.

The firm has now agreed to pay $58m compensation to class members.

According to the class counsel’s estimates, around 1.25m people applied for compensation, out of the total estimated 98m class members, and they each would receive $31.50 for the unconsented sale of their financial data.

As part of the settlement, Plaid agreed to delete a significant amount of data related to users whose transactional data was collected, even though the app provider had not requested that data.

Plaid has also been ordered to delete data for which it “no longer has valid means that can be used to authenticate with the financial institution”.

This means, for example, if Plaid finds that the password for a particular bank account has changed or the account has been closed, Plaid will have to delete the associated account data from its systems.

In addition, the data aggregator agreed to make a number of business practice changes to enhance its privacy protections, including minimising the data it collects and stores going forward, and to make enhanced disclosures in the account connection process and its privacy policy.

The company will also include prominent references to Plaid Portal, which allows users to view and manage connections between their apps and financial accounts using Plaid.

A benchmark for data aggregators

Although the US fintech industry is waiting for the regulators to draft open banking rules and related financial data sharing regulations, the settlement could give some guidance to market participants as to what is and what is not accepted under existing regulations.

“While not a rule of law or regulation, it is likely that some businesses might view the settlement as a benchmark for these types of activities,” Jeffrey Neuburger and Ryan Blaney, partners at Proskauer Rose, told VIXIO.

Financial data aggregators may use the settlement, particularly the injunctive relief provisions, to model their privacy and data collection practices.

“For example, other fintech firms may want to provide more transparency and disclosures around how they manage the connections made between the fintech’s platform and the users’ financial accounts,” Neuburger and Blaney said.

Privacy regulators may also use this settlement as evidence of what is considered “reasonable” privacy and data collection practices for fintech firms.

Although the Plaid settlement is not unique, in the sense that there have been a few similar cases in the past, each case depends on its own facts, and the class action bar is continually looking for new cases to bring, the lawyers cautioned.

“The class action bar is only interested in cases where they see problems that can be highlighted in the litigation, so fintech companies should attempt to operate in a manner at least consistent with the proposed settlement,” they stressed.

The case highlights the importance of fintech data aggregators “getting it right” the first time.

Plaid denied the allegations throughout the whole process.

“We do not, nor have we ever, sold data,” the company says on its website.

“Plaid never shares your data without your permission, and we don’t sell or rent it to outside companies.”
