On August 5, 2021, a proposed class action settlement was reached in the closely followed privacy action against fintech services company Plaid Inc. (“Plaid”). The settlement includes a $58 million settlement fund and injunctive relief that will change Plaid’s notice and consumer data collection practices, including provisions requiring the deletion of certain bank transaction data. (In re Plaid Inc. Privacy Litigation, No. 20-3056 (N.D. Cal. Memorandum of Points for Proposed Settlement Aug. 5, 2021)). The settlement is still subject to court approval.

Plaid is a fintech services company that offers applications that provide account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts. The consolidated actions concern complaints related to Plaid’s alleged collection and use of consumers’ banking login credentials and subsequent processing and sale of such financial transaction data to third parties without adequate notice or consent. The plaintiffs’ complaint further alleged that at no time did users receive a conspicuous notice or meaningful prompt to read Plaid’s privacy policy stating that Plaid receives and maintains access to their financial institution login credentials or uses those credentials to collect and sell their banking information. As we wrote in May 2021, the California district court, in deciding Plaid’s motion to dismiss, dismissed several federal privacy claims, including the Computer Fraud and Abuse Act (CFAA) claim, but allowed other state law privacy claims to go forward.

Here’s a quick rundown of the material terms of the proposed deal:

  • Monetary relief: $58 million fund for the defined consumer class who, among other things, held a financial account that Plaid accessed using the user’s login credentials and connected to a web-based or mobile fintech application.
  • Data deletion: Plaid will delete data that was retrieved as part of Plaid’s “Transactions” product, which may include financial account activity information, such as the amount, time and location of deposits, withdrawals, transfers or purchases, for users that Plaid can reasonably determine did not link an account to an application that requested transaction data. Therefore, if a consumer has only connected an application (or applications) that has not asked Plaid to collect transaction data, but Plaid has nevertheless retrieved such data, Plaid will delete such data from its systems.
  • Injunction: Plaid has agreed to change a number of privacy and data collection practices (for at least three years in the United States), including promises to: (1) inform class members how to use the Plaid Portal to manage connections made between their accounts and selected fintech applications that use Plaid and to delete data stored by Plaid; (2) use clear disclosures about Plaid’s role when consumers link financial accounts to a fintech app, avoid using the specific bank’s color scheme in the credential box, and require users to affirmatively accept Plaid’s privacy policy; (3) minimize the data stored by Plaid (subject to certain limitations), such that Plaid will only store the categories of data for the Plaid product that the app specifically requests from Plaid or that Plaid needs to offer its services, unless the user has expressly consented to the collection of further data; (4) improve privacy policies; and (5) continue to host a dedicated web page on Plaid’s security practices.

This is a major deal in the area of fintech privacy, as the collection and use of consumer data has come under greater scrutiny in recent years, especially amid the surge of fintech and money transfer apps that have become popular among consumers. With major mobile platforms tightening their developer policies and privacy notification requirements around data sharing this year, and more stakeholders filing mobile and privacy-related lawsuits, we will continue to monitor developments in these areas.