Consumers nationwide increasingly rely on modern fintech apps to do business, transfer and invest funds, and otherwise manage their finances electronically. For those who have not been following the Plaid class action litigation, CPW previously covered it HERE and HERE. In re Plaid Inc. Privacy Litig., No. 20-3056 (N.D. Cal.). As you might recall, Plaid has a platform for users to connect their bank accounts to payment apps. The plaintiffs in In re Plaid Inc. Privacy Litig. alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and then use that information to access and sell transaction histories, in the absence of app users’ consent.
The five actions were consolidated last year. The Consolidated Class-Action Complaint alleged common law privacy claims as well as violation of federal and state privacy and consumer protection laws. Plaid’s motion to dismiss Plaintiffs’ claims was partially successful. While some claims were dismissed, Plaintiffs’ claims for invasion of privacy, California Constitution (Article I, Section I), unjust enrichment, California Civil Code sections 1709 and 1710, and California Anti-Phishing Act of 2005, was denied. After engaging in negotiations over a period of several months earlier this year, a settlement was reached between plaintiffs and Plaid based on papers filed with the court last week. As summarized in the settlement papers, the proposed Settlement includes a non-reversionary $58 million cash fund.
Members of the class, which includes “all United States residents who own or owned one or more ‘Financial Accounts’ from January 1, 2013 to the date preliminary approval of the Settlement is granted,” will be eligible for a cash payout. [Note: “Financial Account” is defined as “a financial institution account (1) that Plaid accessed using the user’s login credentials and connected to a mobile or web-based fintech application that enables payments (including ACH payments) or other money transfers or (2) for which a user provided financial account login credentials to Plaid through Plaid Link.”]
The settlement—which still needs to receive court approval—also incorporates injunctive relief. Plaid has agreed to (as addressed in greater detail in the settlement agreement):
-
Delete certain data from its systems;
-
Inform Class Members of their ability to manage the connections made between their financial accounts and chosen applications using Plaid and delete data stored in Plaid’s systems;
-
Continue to include certain disclosures and features in Plaid’s standard Link flow;
-
Minimize the data Plaid stores;
-
Enhance disclosures in Plaid’s End User Privacy Policy about the categories of data Plaid collects, how Plaid uses data, and privacy controls Plaid has made available to users; and
-
Continue to host a dedicated webpage with detailed information about Plaid’s security practices.
The settlement further provides that Plaid will commit to these measures for at least three years.
This case has been a must-watch as entities operating in the financial technology space have come under scrutiny recently regarding their privacy practices. As the number of data privacy litigations continues to grow (and as consumers continue to utilize banking, wealth management and money transfer apps), expect additional developments in this area. Not to worry, CPW will be there to keep you in the loop. Stay tuned.