Class Action: FinTech Middleman Plaid Uses App Login Credentials to Secretly Harvest Private Financial Data [UPDATE]
Last Updated on January 13, 2022
Cottle et al. v. Plaid Inc.
Filed: May 4, 2020 § 3:20-cv-03056
A class action says Plaid has obtained and exploited the bank account login credentials and transaction histories of hundreds of millions of fintech app users.
Case Updates
January 13, 2021 – File a Claim: Plaid Class Action Settlement Website Is Live
The official website for the $58 million Plaid user data class action settlement is live and can be found here:
To file a claim, click here and then enter your unique notice ID and confirmation code. If you did not receive a personalized notice by mail or email, select the option on the right and fill in the required information.
The settlement covers U.S. residents who connected a financial account to an app that uses Plaid’s software between January 1, 2013 and November 19, 2021. If you are unsure whether an app you use/used is powered by Plaid, you can search for the app on this page. The settlement site states that roughly 5,000 mobile and web-based apps use Plaid to allow users to connect their bank accounts to the apps.
As part of the deal, Plaid has agreed to minimize the data it stores going forward, delete certain previously retrieved data and maintain certain enhancements to Plaid Link.
All claims for the Plaid settlement must be submitted online or postmarked by April 28, 2022. If you do nothing by this date, you will nevertheless be bound by the terms of the deal, meaning you will give up your right to sue Plaid or related entities over the allegations detailed on this page.
Plaid denies the allegations in the plaintiff’s case and any wrongdoing, and maintains that it adequately disclosed and was transparent about its user login practices.
December 8, 2021 – Settlement Receives Preliminary Approval
The proposed settlement detailed below received the judge’s stamp of preliminary approval on November 19.
Those covered by the deal should soon receive notice of the settlement via email or mail with instructions on how to file a claim for their share of the $58 million fund. Claims can be made either online through the settlement website, which was not yet active at the time this update was posted, or by mail.
According to the preliminary approval order, claimants can choose to receive their payments—which are estimated to range from $10 to $39 per person depending on how many valid claims are filed—by check, ACH transfer, PayPal or Venmo.
The deadline to submit a claim is April 28, 2022.
Keep in mind that payments will not be made until after the settlement receives final approval, which will be decided after a hearing scheduled for May 12, 2022, and any appeals are resolved.
August 16, 2021 – Plaid Agrees to $58M Settlement
Plaid Inc. has agreed to settle the claims in the case detailed on this page as part of a deal looking to resolve consolidated litigation against the fintech giant.
In a memo filed August 5, the plaintiffs informed U.S. Magistrate Judge Donna M. Ryu that they had, after over a year of “hard-fought litigation” and five months of arm's-length negotiations, come to “an excellent settlement” with Plaid that is worthy of preliminary approval.
The proposed deal, if approved, would provide a $58 million fund from which consumers who file valid claims would receive cash payments. Plaid would also be required to make certain changes to its interface to avoid misleading consumers, provide “more fulsome” consumer disclosures and delete certain transactional banking data obtained through apps that did not request it, according to the memo.
“This injunctive relief will help ensure that Class members have informed control of their private financial data, and it will provide important protections for consumers across the country who increasingly rely on modern fintech apps to do business, transfer and invest funds, and otherwise manage their finances electronically,” the filing states.
The proposed deal looks to cover U.S. residents who, between January 1, 2013 and the date the settlement is granted preliminary approval, own or owned one or more “financial accounts,” defined as a financial institution account that Plaid accessed using the user’s login credentials and connected to a mobile or web-based fintech application that enables payments or other money transfers or for which the user provided financial account login credentials to Plaid through Plaid Link.
The proposed settlement now awaits Judge Ryu’s stamp of preliminary approval.
A proposed class action alleges Plaid, Inc. utilizes Venmo, Coinbase, Square and Stripe users’ login details to access their financial accounts and then “sells and otherwise misuses” the private information therein without consent or disclosure.
Filed in California federal court, the 85-page lawsuit says Plaid’s stated mission is to make it easy for consumers to connect their bank accounts to popular financial technology apps such as Venmo, Coinbase, Square and Stripe. The defendant, however, “conceals its conduct and true intentions from consumers,” who are unaware that Plaid, whose bread and butter is verifying that a consumer owns a particular bank account, has “exploited its position as middleman” to acquire app users’ banking login credentials, the complaint alleges.
According to the case, Plaid uses consumers’ login credentials, obtained through a procedure that mimics the true “OAuth” process used to log into bank accounts, to surreptitiously harvest “vast amounts” of private transaction history and other financial data without consent. The suit says Plaid has carried out this scheme to compile what the company claims to be “one of the largest transactional data sets in the world.”
As for what Plaid does with data, the lawsuit says the company has exploited the information by marketing the trove to its app customers, analyzing the data to derive consumer behavioral insights and, most recently, selling its data stockpile to Visa as part of a multi-billion dollar acquisition.
“Plaid has unfairly benefited from the personal information of millions of Americans and wrongfully intruded upon their private financial affairs,” the plaintiffs, two California Venmo users, allege.
Detailing Plaid’s alleged scheme, the complaint says the company first induces consumers into handing over their private banking login credentials by making it appear as though the information is being communicated directly to the individuals’ banks. Per the case, consumers are told the connection is private and secure and that their banking credentials will “never be made accessible” to the app before being directed to a login screen that appears to come from their bank, complete with its logo and branding.
In truth, however, neither Plaid nor its app partners disclose to consumers that the company itself is responsible for this purportedly bank-branded login screen, the case says. Essentially, this process, which the suit claims Plaid has acknowledged is optimized to increase user conversions, aims to provide a false sense of security to consumers, who are unaware Plaid is an unaffiliated third party, according to the complaint.
Once a user’s banking login credentials have been obtained, the information is allegedly used by Plaid to gain “direct and full” access to the individual’s personal financial information for the company’s own commercial purposes “wholly unrelated” to app use. According to the lawsuit, Plaid downloads years’ worth of transactions for every single account the consumer maintains with the bank regardless of whether the data has any relationship to the app for which the consumer signed up.
All told, a consumer who makes just a single mobile payment through an app connected to a bank by Plaid has unwittingly given the company years’ worth of granular financial information, sometimes for multiple accounts, the case says. To date, Plaid is used by more than 2,000 applications, and holds a trove of data pertaining to more than 200 million distinct financial accounts, the complaint adds.
The lawsuit looks to cover a nationwide and California-only class of U.S. consumers whose accounts at financial institutions were accessed by Plaid using login credentials obtained through the company’s software incorporated in a mobile or web-based fintech app that enables payments or other money transfers.
The complaint can be found below.