Last week, a putative privacy-related class action was filed in California district court against financial analytics firm Envestnet, Inc. (“Envestnet”), which operates Yodlee, Inc. (“Yodlee”). (Wesch v. Yodlee Inc., No. 20-05991 (N.D. Cal. filed Aug. 25, 2020)). According to the complaint, Yodlee is one of the largest financial data aggregators in the world and through its software platforms, which are built into various fintech products offered by financial institutions, it aggregates financial data such as bank balances and credit card transaction histories from individuals in the United States. The crux of the suit is that Yodlee collects and then sells access to such anonymized financial data without meaningful notice to consumers, and stores or transmits such data without adequate security, all in violation of California and federal privacy laws.

The timing of this case is interesting, as it comes on the heels of the recent settlement of the litigation between the City Attorney of Los Angeles and the operator of a weather app over claims that locational information collected through the weather app was being sold to third parties without adequate permission from the user of the app.

The Yodlee lawsuit is not surprising, however, given that this past January, Democratic Senators Ron Wyden and Sherrod Brown and Congresswoman Anna Eshoo sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Yodlee’s financial data collection practices were violating the FTC Act. As we detailed in a prior post, the members of Congress took issue with Envestnet’s position that consumer privacy is protected because the data it sells is anonymized, and further claimed that Envestnet does not inform consumers that their personal financial data is being sold, but rather relies on its partners to make such disclosures in privacy policies or terms of service. According to Envestnet’s recent corporate filings, the FTC investigation is ongoing and the company is cooperating and responding to various questions from the agency.

The 47-page complaint contains multiple allegations about the ways Yodlee is “seamlessly integrated” into a host company’s website or app to allow Yodlee to collect and aggregate financial data from consumers using various fintech applications or digital banking services. Despite this integration, the plaintiffs assert that, in fact, Yodlee’s collection and access to an individual’s financial data is “never disclosed” and that Yodlee’s privacy policy only applies to its own direct-to-consumer products and not to the APIs that are part of various fintech apps.  Rather, the complaint alleges, Yodlee’s privacy policy instead directs users to refer to their financial institution’s own privacy policies regarding any data collection from apps powered by Yodlee.  The plaintiffs also claim that once users log in via a Yodlee-powered application, Yodlee stores such credentials and then continues to extract user financial data without notice or consent. The complaint further alleges that an individual user of such a fintech app cannot terminate Yodlee’s access to her bank account information after providing the credentials. In summary, the complaint alleges: “[W]here an individual unknowingly uses Yodlee to connect her bank accounts to a FinTech App, there is nowhere she could have looked in Yodlee’s policies to learn the full extent of data Defendants were collecting from her or the fact that Defendants were selling her data.”  Moreover, the complaint alleges that Yodlee does not make any additional disclosures at the “point of collection,” a key issue in the weather app case mentioned above.

Akin to many data scraping-related suits, the plaintiffs employed the kitchen-sink strategy, asserting a litany of claims, including: invasion of privacy, federal Stored Communications Act claims (for knowingly divulging stored communications while in electronic storage), various California unfair competition-related and consumer protection related claims, and even federal Computer Fraud and Abuse Act (CFAA) “unauthorized access” claims for accessing the plaintiffs’ and plaintiffs’ financial institutions’ networks without authorization or by “exceeding authorized access.”  Beyond monetary relief, the plaintiffs also seek injunctive relief to bar Yodlee from further collection of financial data without adequate notice and consent.

Coupled with the FTC’s ongoing investigation, this suit brings up many interesting issues regarding consumer data collection. We will carefully monitor this dispute and FTC investigation, as any investigation has the potential to shine a light on how modern data collection practices fit into the current legal and regulatory regimes and how the industry might respond.