On August 5, 2021, a proposed class action settlement was reached in the closely-watched privacy action against fintech services company Plaid Inc. (“Plaid”), featuring a $58 million settlement fund and certain injunctive relief that would make changes to Plaid’s methods of notice and consumer data collection, including provisions requiring the deletion of certain banking transaction data. (In re Plaid Inc. Privacy Litig., No. 20-3056 (N.D. Cal. Memorandum of Points for Proposed Settlement Aug. 5, 2021)). The plaintiffs have since filed a motion for preliminary court approval of the settlement.
Plaid is a fintech services company that offers applications that provide account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts. The consolidated actions involve claims surrounding Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent. Plaintiffs’ complaint also contends that at no time were users ever given conspicuous notice or meaningfully prompted to read through Plaid’s privacy policy indicating that Plaid receives and retains access to their financial institution account login credentials or uses their credentials to collect and sell their banking information. As we wrote about back in May 2021, the California district court, in deciding Plaid’s motion to dismiss, trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, but allowed other state law privacy claims to go forward.
Here is a quick rundown of the material terms of the proposed settlement:
- Monetary relief: $58 million fund to the defined settlement class of consumers who, among other things, held a financial account that Plaid accessed using the user’s login credentials and connected to a mobile or web-based fintech application.
- Injunctive relief: Plaid agreed to change a number of its privacy and data collection practices (for at least three years within the U.S.), including promises to: (1) delete certain financial account activity data from its systems, such as data from closed accounts as well as certain transaction data for users that Plaid can reasonably determine did not connect an account to a fintech app that requested the particular transaction data Plaid had collected; (2) inform class members on how to use the Plaid Portal and manage the connections made between their financial accounts and chosen fintech apps using Plaid and delete data stored by Plaid; (3) employ clear disclosures about Plaid’s role when consumers connect financial accounts to a fintech app, avoid using the particular bank’s own color scheme in the credential pane, and require users to affirmatively agree to Plaid’s privacy policy; (4) minimize the data Plaid stores (subject to certain limitations), such that Plaid will only store the categories of data for the Plaid product that the user’s app specifically requests from Plaid or that are necessary for Plaid to offer its services, unless the user has expressly consented to additional data collection; (5) enhance privacy policy disclosures; and (6) continue to host a dedicated webpage about Plaid’s security practices.
This is a major settlement in the fintech privacy area, as the collection and use of consumer data has become more scrutinized in the past few years, especially amidst the wave of fintech and money transfer apps that have become popular with consumers. With the major mobile platforms tightening their developer policies and privacy notification requirements surrounding data sharing this year, and more litigants bringing mobile- and privacy-related actions, we will continue to follow developments in these areas.