Comparison in Plaid Fintech Data Case | Proskauer – New Media & Technology



On August 5, 2021, a proposed class action lawsuit settlement was reached as part of the closely followed data protection lawsuit against the fintech service company Plaid Inc. (“Plaid”). The settlement provides for a $ 58 million settlement fund and injunction that would make changes to Plaid’s notification methods and collection of consumer data, including provisions requiring the deletion of certain banking transaction data. (In re Plaid Inc. Privacy Litig., No. 20-3056 (ND Cal.Memorandum of Points for Proposed Settlement, August 5, 2021)). The settlement is still subject to judicial approval.

Plaid is a fintech service company that offers applications that provide account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts. The consolidated lawsuits concern claims related to Plaid’s alleged collection and use of consumer bank credentials and the subsequent processing and sale of such financial transaction data to third parties without appropriate notice or consent. The plaintiffs’ complaint also alleged that at no time were users conspicuously notified or sensibly asked to read Plaid’s privacy policy, which states that Plaid receives and retains access to their financial institution account credentials or uses their credentials to access their banking information collect and sell. As we wrote back in May 2021, the California District Court cut several state privacy-related claims, including the Computer Fraud and Abuse Act (CFAA), in ruling Plaid’s dismissal motion, but dropped other state privacy claims forward.

Here is a brief overview of the main terms of the proposed settlement:

  • Money relief: 58 million US dollars to the defined billing class of consumers who, among other things, had a financial account, to which the plaid was accessed with the user’s login data and was connected to a mobile or web-based fintech application.
  • Deletion of data: Plaid will delete data obtained from Plaid as part of its Transactions product – which may include information about financial account activity such as the amount, time and place of deposits, withdrawals, transfers, or purchases – for users that Plaid can reasonably determine does not have an account with connected to an application that requested transaction data. So if a consumer has only connected one application (or applications) that Plaid did not ask to collect transaction data, but Plaid did get that data anyway, then Plaid will delete that data from its systems.
  • Injunctive relief: Accounts and selected fintech apps that use Plaid and delete data stored by Plaid; (2) provide clear information on Plaid’s role when linking financial accounts to a fintech app, avoid using the bank’s own color scheme for credentials, and require users to agree to Plaid’s privacy policy; (3) Minimizing the data stored by Plaid (subject to certain restrictions) so that Plaid only stores the categories of data for the Plaid product that the user’s app expressly requests from Plaid or that are necessary for Plaid to offer its services, unless the user has expressly consented to further data collection; (4) improve privacy policy disclosure; and (5) continue to host a dedicated webpage on Plaid’s security practices.

This is an important agreement in the fintech privacy space, as the collection and use of consumer data has come under increasing scrutiny over the past few years, especially given the wave of fintech and money transfer apps that have become popular with consumers. Since the major mobile platforms have tightened their developer guidelines and data protection regulations for the sharing of data this year and more and more parties to the litigation are taking mobile and data protection-related measures, we will continue to monitor developments in these areas.

[View source.]



Comments are closed.