On August 5, 2021, a proposed class action settlement was reached in the closely watched privacy action against fintech services company Plaid Inc. (“Plaid”). The settlement features a $58 million settlement fund and certain injunctive relief that would make changes to Plaid’s methods of notice and consumer data collection, including provisions requiring the deletion of certain banking transaction data. (In re Plaid Inc. Privacy Litig., No. 20-3056 (N.D. Cal. Memorandum of Points for Proposed Settlement Aug. 5, 2021)). The settlement is still subject to court approval.

Plaid is a fintech services company that offers applications that provide account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts. The consolidated actions involve claims surrounding Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent. Plaintiffs’ complaint also contended that at no time were users ever given conspicuous notice or meaningfully prompted to read through Plaid’s privacy policy indicating that Plaid receives and retains access to their financial institution account login credentials or uses their credentials to collect and sell their banking information. As we wrote about back in May 2021, the California district court, in deciding Plaid’s motion to dismiss, trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, but allowed other state law privacy claims to go forward.

Here is a quick rundown of the material terms of the proposed settlement:

  • Monetary relief: $58 million fund to the defined settlement class of consumers who, among other things, held a financial account that Plaid accessed using the user’s login credentials and connected to a mobile or web-based fintech application.
  • Deletion of Data: Plaid will delete data that was retrieved as part of Plaid’s “Transactions” product—which can include information about financial account activity, such as the amount, time, and place of deposits, withdrawals, transfers, or purchases—for users that Plaid can reasonably determine did not connect an account to an application that requested Transactions data. Thus, if a consumer exclusively connected an application (or applications) that did not ask Plaid to collect Transactions data, but Plaid retrieved that data anyway, then Plaid will delete that data from its systems.
  • Injunctive relief: Plaid agreed to change a number of its privacy and data collection practices (for at least three years within the U.S.), including promises to: (1) inform class members on how to use the Plaid Portal to manage the connections made between their financial accounts and chosen fintech applications using Plaid and to delete data stored by Plaid; (2) employ clear disclosures about Plaid’s role when consumers link financial accounts to a fintech app, avoid using the particular bank’s own color scheme in the credential pane, and require users to affirmatively agree to Plaid’s privacy policy; (3) minimize the data Plaid stores (subject to certain limitations), such that Plaid will only store the categories of data for the Plaid product that the user’s app specifically requests from Plaid or that are necessary for Plaid to offer its services, unless the user has expressly consented to additional data collection; (4) enhance privacy policy disclosures; and (5) continue to host a dedicated webpage about Plaid’s security practices.

This is a major settlement in the fintech privacy area, as the collection and use of consumer data have come under greater scrutiny in the past few years, especially amidst the wave of fintech and money transfer apps that have become popular with consumers. With the major mobile platforms tightening their developer policies and privacy notification requirements surrounding data sharing this year, and more litigants bringing mobile- and privacy-related actions, we will continue to follow developments in these areas.