Yodlee Hit with Privacy Class Action Over Alleged Behind-the-Scenes Sale of Sensitive Consumer Financial Data

New to ClassAction.org? Read our Newswire Disclaimer

A PayPal user alleges Yodlee, Inc. has surreptitiously collected highly sensitive, non-public consumer data from its financial account aggregation software products and subsequently sold the information to “some of the largest financial institutions in the country” without consent to do so.

According to the 47-page lawsuit, the recipients of Yodlee user data include top-15 banks—Bank of America, Merrill Lynch and Citibank, among others—as well as wealth management firms and digital payment platforms such as PayPal, who use the Redwood City, California company’s products to connect their systems to one another. 

The plaintiff, a New Jersey resident, charges that Yodlee’s failure to “take even the most basic steps” to safeguard user data has left consumers at a heightened risk of fraud and identity theft. Per the lawsuit, the extent to which Yodlee has access to sensitive financial details is “especially troubling” given reports that the company has mishandled the impermissibly collected data, including by “distributing it in unencrypted plain text files” that can be read by anyone who acquires them.

As the complaint tells it, proposed class members “have no idea they are dealing with Yodlee” once the company has acquired their financial data. Per the lawsuit, Yodlee’s behind-the-scenes role is by design and aided by the fact its software has been developed to be “seamlessly integrated” into a host company’s existing website and/or mobile app “in a way that obscures who the individual is dealing with and where their data is going.”

For instance, when a consumer connects their bank account to PayPal, they’re prompted to enter their credentials into a log in screen that “mirrors” what they’d see if they were to log into their bank’s website, the lawsuit relays, noting a user would see their bank’s logo and be able to use the same username and password as they would to log into their bank account. 

“At no point are the individuals prompted to create or use a Yodlee account,” the suit says. 

Broadly, consumers are not given accurate information with regard to what Yodlee does or how it collects their data, the lawsuit continues. Though PayPal, for instance, discloses that Yodlee is involved in connecting a consumer’s bank account to PayPal’s service for the “limited purpose” of confirming account balances and transactions, the true extent of the defendant’s involvement with a user’s financial data “goes well beyond” what’s disclosed, the complaint alleges.

From the suit: 

“Yodlee, in fact, stores a copy of each individual’s bank log in information (i.e., her username and password) on its own system after the connection is made between that individual’s bank account and any other third party service (e.g., PayPal). 

Yodlee then exploits this information to routinely extract data from that user's accounts without their consent.” 

The issue with the defendant’s allegedly unauthorized data collect is that information pertaining to a consumer’s credit and debit transactions can reveal much about their “health, sexuality, religion, political views, and many other personal details,” the suit reads. In that light, it’s “no wonder Yodlee has been highly successful,” and able to command as much as $4 million a year for access to consumers’ financial data, the case ponders.

According to the suit, the plaintiff connected her PNC Bank account to PayPal via a Yodlee-powered portal to facilitate transactions between the accounts. At no point was it disclosed by Yodlee, PayPal or PNC Bank that the defendant would continuously access the consumer’s bank account data for sale to third parties without consent, the lawsuit alleges. 

The case, which also names as a defendant Yodlee parent company Envestnet, Inc., looks to cover anyone in the United states whose accounts at a financial institution were accessed by Yodlee using login credentials obtained through the company’s software incorporated in a mobile or web-based fintech app that enables payments (including ACH payments) or other money transfers from 2014 through the present.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.