Last week, Democratic Senators Ron Wyden and Sherrod Brown and Congresswoman Anna Eshoo sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Envestnet, Inc. (which operates Yodlee) was violating the FTC Act.
According to the letter, Yodlee is the largest consumer financial data aggregator in the United States. It aggregates financial information from banks, credit card companies and other financial services providers with consumer consent, and maintains a database of credit and debit card transactions of tens of millions of consumers. The letter asserts that Yodlee is used by over 1,200 companies to offer online personal finance tools to consumers. Yodlee offers its software and platform to fintech providers, banks, financial apps, consumers and others to help process financial data from various sources.
The crux of the letter claims that Envestnet sells access to such consumer data without meaningful notice to consumers of such sale. The members of Congress reject Envestment’s position that consumer privacy is protected because the data it sells is anonymized, and claim that Envestnet does not inform consumers that their personal financial data is being sold, but rather relies on its partners to make such disclosures in privacy policies or terms of service. The letter asserts that this is not sufficient, as Envestnet does not appear to take any steps to ensure that its partners give such notice, and even if they did, such practices place the burden on consumers to find such a notice “buried in small print” and then search for a way to opt out of such data sharing.
The authors of the letter asked the FTC to look into whether: (1) Envestnet’s sale of consumers’ personal data to third parties without consumers’ express knowledge is an unfair, deceptive or abusive act or practice; and (2) whether Yodlee and the third parties that acquired Yodlee’s financial data have sufficient security measures in place to protect such data from hacking or reidentification.
It remains to be seen how such an investigation – if one is ever conducted – will be resolved. The letter touches on a number of interesting issues. Beyond the concerns about notice and consent behind the collection of such consumer financial data, additional issues include whether Envestnet’s data aggregation practices comply with laws such as the Gramm-Leach-Bliley Act (GLB)’s information sharing and data security requirements or California’s new California Consumer Privacy Act. It also raises the question of whether Envestnet has an affirmative duty to confirm that its partners were providing effective consent to data sharing. Drilling down further, the letter also raises questions as to what is the appropriate method for obtaining consent to sharing, an issue at the heart of an ongoing dispute between the City Attorney of Los Angeles and an app operator over geolocation data collection (which brings up the issue in the context of app-based disclosures to data sharing).
Regardless of the outcome, any investigation has the potential to shine a light into the data collection and privacy practices of financial data aggregation companies, as well as stress the importance for downstream recipients of such anonymized financial data to understand how such data is collected, processed and secured before entering into any agreement with a provider.