Data aggregator Plaid Inc., whose software is used by apps including Venmo, Coinbase, Square, and Stripe, accesses user bank accounts and collects detailed financial information without consent, a new class suit filed in federal court claims.
Plaid’s software is used by more than 2,000 apps to link consumer financial accounts, and about 1 in 4 people in the U.S. have an account linked via Plaid, the suit says.
Plaid uses that access to deceptively obtain bank account information from users, accessing information back up to five years, averaging 3,700 transactions per consumer, the suit says.
The app also allegedly gathers information on accounts maintained for others such as relatives and children, and has amassed data from over 200 million distinct financial accounts.
The suit, filed Monday, alleges that when a user enters their bank login information on an app that uses Plaid, the credentials, including security layers such as security questions and answers and one-time passwords, are transmitted directly to Plaid, rather than to the bank. Plaid then uses that information to access the consumer’s bank account multiple times a day, gathering private information and then selling it, the suit says.
The proposed class would include app users in the United States who linked their financial accounts using Plaid’s integrated software. A sub-class would include California app users.
These users suffered invasions of privacy and significant economic damages as the result of Plaid’s data scraping, the suit alleges.
Plaid announced in January that it would be acquired by Visa in a $5.3 billion deal that would give Visa access to Plaid’s data. This is another example of Plaid selling consumer data without consent, the suit claims.
“Plaid disputes these baseless allegations, and plans to vigorously defend itself against the lawsuit,” according to a company statement. “Plaid firmly believes that consumers should have permission-based access to and control over their financial data, and embodies these principles in our practices.
“To be clear, Plaid does not obtain consumers’ personal information without their consent, nor does Plaid sell or rent consumers’ personal information.”
Causes of Action: Invasion of privacy; Computer Fraud and Abuse Act; Stored Communications Act; unjust enrichment; California Business and Professions Code Section 17200; Article I, Section I of the California Constitution; Anti-Phishing Act of 2005; California Civil Code Sections 1709 and 1710; California’s Comprehensive Data Access and Fraud Act.
Relief: Declaratory relief, injunctive relief. damages, pre-judgment and post-judgment interest, attorneys’ fees.
Potential class size: All financial app users whose account information has been collected by Plaid.
Attorneys: Herrera Purdy LLP represents the proposed class.
The case is Cottle v. Plaid Inc., N.D. Cal., No. 3:20-cv-03056, 5/4/20.