Plaid federal electronic surveillance claims dismissed, privacy claims live on
On April 30, 2021, a district court in California dismissed several federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, from a high-profile pending putative class action against fintech services company Plaid Inc. (“Plaid”), but allowed other state-law privacy claims to go forward. The lawsuit concerns Plaid’s alleged collection and use of consumers’ banking login credentials and its subsequent processing and sale of the resulting financial transaction data to third parties without adequate notice or consent (Cottle v. Plaid Inc., No. 20-3056 (N.D. Cal. Apr. 30, 2021)).
The court’s decision did not reach the merits of the CFAA claim, as it was dismissed on procedural grounds; likewise, this first phase of the dispute did not resolve the central issues of the case, namely the alleged invasion of privacy and the adequacy of consent for accessing consumers’ bank accounts and collecting and aggregating their data. This case is therefore only beginning, and it is certainly one to watch for how the unsettled areas of mobile privacy and CFAA “unauthorized access” develop further.
Plaid is a fintech services company that offers applications providing account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts. The plaintiffs allege that Plaid’s bank authentication system, integrated into various fintech apps, presented a user interface that mimicked the login screens of an individual user’s financial institution, so that users were not made aware that they were not actually logging in through the bank’s own platform. Instead, according to the plaintiffs, consumers unknowingly provided Plaid with their financial institution login credentials, and Plaid retained access to those credentials and used them to mine, aggregate, and then sell users’ financial transaction data to third parties (including fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of fintech payment apps. In short, the plaintiffs’ complaint alleges that at no point were users given conspicuous notice or meaningfully prompted to read Plaid’s privacy policy, which states that Plaid receives and retains access to their bank account login credentials and uses those credentials to collect and sell their banking information.
Based on these allegations, the plaintiffs filed a variety of claims, including, among others, violations of the CFAA (and its state-law counterpart, California’s computer hacking statute) and the federal Stored Communications Act (SCA), as well as a number of state-law privacy and consumer protection claims (including violation of the California Anti-Phishing Act of 2005). In response, Plaid moved to dismiss on several grounds, with mixed results.
The court first ruled that the plaintiffs had Article III standing because they had sufficiently pleaded an injury in fact. The allegations, that Plaid does not meaningfully disclose the extent of its data collection practices, that Plaid downplays its link to its privacy policy, and that Plaid uses consumer login information to obtain bank information regardless of whether it relates to the transfer of money via fintech apps, sufficiently demonstrated that Plaid’s data collection practices would “cause harm or a material risk of harm” to the plaintiffs’ interest in controlling their personal information, which satisfies the Article III standing requirements.
As for the federal claims, the court dismissed both. The CFAA prohibits various computer crimes, most of which involve accessing a computer without authorization or in excess of authorization and then taking certain prohibited actions. Plaid moved to dismiss the CFAA claim on several grounds, including that the plaintiffs had failed to plead facts supporting the $5,000 in “damage or loss” required under the statute (“damage” generally refers to impairment of the integrity or availability of data and information; “loss” means the reasonable costs of responding to an intrusion or conducting a damage assessment, or losses incurred as a result of a service interruption). On this procedural issue, the court dismissed the CFAA claim, ruling that the plaintiffs failed to adequately explain how the alleged “loss of use and control” of their financial information should be valued and offered no authority as to whether such a loss is cognizable for CFAA purposes. The court also dismissed the claim under the state’s Comprehensive Computer Data Access and Fraud Act (CDAFA), finding that although the CDAFA contains no specific monetary threshold for loss resulting from a violation, the plaintiffs offered no support for their theories that loss of the right to control their data, or loss of the value of their data, constitutes “damage or loss” under the CDAFA.
The court also dismissed the plaintiffs’ SCA claim. Under the SCA, a plaintiff may bring an action against anyone who “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility . . . and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.” As the court stated, the plaintiffs’ argument that their financial institutions meet the SCA definition of a “facility through which an electronic communication service is provided” is not supported by the SCA. Furthermore, the court found that the complaint did not plausibly allege that Plaid had accessed an electronic communication while it was “in electronic storage,” as there was no allegation that the plaintiffs’ financial institutions retained their electronic banking communications for the purpose of providing backup protection.
Although Plaid succeeded in having the federal claims dismissed, the court declined to dismiss the major state privacy claims, including an invasion of privacy claim. Plaid had argued that the plaintiffs could not plausibly allege a reasonable expectation of privacy because they had chosen to link their accounts to fintech apps, and because Plaid’s privacy policy disclosed the information it collects. Therefore, according to Plaid, the allegations did not describe an “egregious” breach of the social norms required to state a claim. The court declined to dismiss the state privacy claims because whether the plaintiffs had received notice of and consented to Plaid’s data collection was a “key factual dispute,” as was whether such collection was “egregious” enough to be actionable.
Interestingly, the court also declined to dismiss the creatively pleaded claim under California’s Anti-Phishing Act of 2005. That statute makes it unlawful, in part, for “any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.” Cal. Bus. & Prof. Code § 22948.2. In the complaint, the plaintiffs alleged that Plaid tricked users into providing their banking login credentials by posing as the user’s financial institution without the institution’s authority or approval. Plaid had argued that the statute was intended to combat phishing schemes that facilitate identity theft and that it had not “tricked” the plaintiffs into revealing their login credentials. However, the court declined to dismiss the claim at this stage, concluding that the complaint stated a plausible claim and that the plain language of the statute imposes no requirement that the defendant act with the objective of facilitating identity theft (although the court acknowledged that neither the parties nor the court could identify any case analyzing the statute). Notably, the court rejected Plaid’s argument that it had acted with the approval of the plaintiffs’ financial institutions when it accessed the plaintiffs’ account data, citing the existence of another pending lawsuit against Plaid, filed by a financial institution, that includes allegations about Plaid’s intentionally “misleading” user interface that mimics bank screens.
The results of Plaid’s motion to dismiss are not surprising in light of an earlier February 2021 ruling in a similar consumer data privacy action against financial data aggregator Yodlee Inc. (“Yodlee”) (Wesch v. Yodlee Inc., No. 20-05991 (N.D. Cal. Feb. 16, 2021)). According to the complaint in that lawsuit, Yodlee is one of the largest financial data aggregators in the world and, through its software platforms integrated into various fintech products offered by financial institutions, aggregates financial data such as bank balances and credit card transaction histories of individuals in the United States. As we wrote last year, the core of that lawsuit is that Yodlee harvests and then sells access to such anonymized financial data without meaningful notice to consumers, and stores or transmits that data without adequate security, all in breach of California and federal privacy laws. In ruling on Yodlee’s motion to dismiss the original complaint, the California district court considered claims similar to those in the Plaid action and allowed several state privacy claims to go forward, but dismissed the federal SCA and CFAA claims. (Note: the Yodlee court dismissed the CFAA claims on procedural grounds similar to those relied on by the Plaid court, but found that the plaintiffs’ allegations that Yodlee stored their bank login information and accessed their account transaction histories on an ongoing basis for purposes unrelated to facilitating fintech payment transactions were sufficient to support access that “exceeds” Yodlee’s authorization under the CFAA.)
With major mobile platforms tightening their developer policies and privacy notification requirements in recent years and more and more lawsuits being filed related to mobile data collection practices, data privacy (including the collection of location data and financial transaction data) has garnered more attention. There has also been a fair amount of coverage of these issues in the media and quite intense debate in Washington. We will be watching these cases carefully as they may provide some clarity to the contours of appropriate data sharing practices in the fintech area.