On August 5, 2021, a proposed class action settlement was reached in the closely-watched privacy action against fintech services company Plaid Inc. (“Plaid”).  The settlement features a $58 million settlement fund and certain injunctive relief that would make changes to Plaid’s methods of notice and consumer data collection, including provisions requiring the deletion of certain banking transaction data. (In re Plaid Inc. Privacy Litig., No. 20-3056 (N.D. Cal. Memorandum of Points for Proposed Settlement Aug. 5, 2021)). The settlement is still subject to court approval.

Plaid is a fintech services company that offers applications that provide account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts.  The consolidated actions involve claims surrounding Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent.  Plaintiffs’ complaint also contended that at no time were users ever given conspicuous notice or meaningfully prompted to read through Plaid’s privacy policy indicating that Plaid receives and retains access to their financial institution account login credentials or uses their credentials to collect and sell their banking information.   As we wrote about back in May 2021, the California district court, in deciding Plaid’s motion to dismiss, trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, but allowed other state law privacy claims to go forward.

On April 30, 2021 a California district court trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, from a highly-visible, ongoing putative class action against fintech services company Plaid Inc. (“Plaid”), but allowed other state law privacy claims to go forward.  The lawsuit involves Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent (Cottle v. Plaid Inc., No. 20-3056 (N.D. Cal. Apr. 30, 2021).

The court’s decision did not delve deeply in the merits of the CFAA claim, as it was dismissed on procedural grounds; similarly, resolution of the major issues of the case about invasion of privacy and the adequacy of consent to access consumers’ bank accounts and collect/aggregate data was not achieved at this early stage of the litigation.  Thus, this case is just beginning and is certainly one to watch to see how the unsettled areas of mobile privacy and CFAA “unauthorized access” are further developed.