Last week, a putative privacy-related class action was filed in California district court against financial analytics firm Envestnet, Inc. (“Envestnet”), which operates Yodlee, Inc. (“Yodlee”). (Wesch v. Yodlee Inc., No. 20-05991 (N.D. Cal. filed Aug. 25, 2020)). According to the complaint, Yodlee is one of the largest financial data aggregators in the world and through its software platforms, which are built into various fintech products offered by financial institutions, it aggregates financial data such as bank balances and credit card transaction histories from individuals in the United States. The crux of the suit is that Yodlee collects and then sells access to such anonymized financial data without meaningful notice to consumers, and stores or transmits such data without adequate security, all in violation of California and federal privacy laws.
The timing of this case is interesting, as it comes on the heels of the recent settlement of the litigation the between the City Attorney of Los Angeles and the operator of a weather app over claims that locational information collected through the weather app was being sold to third parties without adequate permission from the user of the app.
The Yodlee lawsuit is not surprising, however, given that this past January, Democratic Senators Ron Wyden and Sherrod Brown and Congresswoman Anna Eshoo sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Yodlee’s financial data collection practices were violating the FTC Act. As we detailed in a prior post, the members of Congress took issue with Envestment’s position that consumer privacy is protected because the data it sells is anonymized, and further claimed that Envestnet does not inform consumers that their personal financial data is being sold, but rather relies on its partners to make such disclosures in privacy policies or terms of service. According to Envestnet’s recent corporate filings, the FTC investigation is ongoing and the company is cooperating and responding to various questions from the agency.
Akin to many data scraping-related suits, the plaintiffs employed the kitchen-sink strategy, asserting a litany of claims, including: invasion of privacy, federal Stored Communications Act claims (for knowingly divulging stored communications while in electronic storage), various California unfair competition-related and consumer protection related claims, and even federal Computer Fraud and Abuse Act (CFAA) “unauthorized access” claims for accessing the plaintiffs’ and plaintiffs’ financial institutions’ networks without authorization or by “exceeding authorized access.” Beyond monetary relief, the plaintiffs also seek injunctive relief to bar Yodlee from further collection of financial data without adequate notice and consent.
Coupled with the FTC’s ongoing investigation, this suit brings up many interesting issues regarding consumer data collection. We will carefully monitor this dispute and FTC investigation, as any investigation has the potential to shine a light into how modern data collection practices fit into the currency legal and regulatory regimes and how the industry might respond.