Plaid Federal Electronic Surveillance Claims Dropped, Privacy Claims Survive
On April 30, 2021 a California district court trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, from a highly-visible, ongoing putative class action against fintech services company Plaid Inc. (“Plaid”), but allowed other state law privacy claims to go forward. The lawsuit involves Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent (Cottle v. Plaid Inc., No. 20-3056 (N.D. Cal. Apr. 30, 2021).
The court’s decision did not delve deeply in the merits of the CFAA claim, as it was dismissed on procedural grounds; similarly, resolution of the major issues of the case about invasion of privacy and the adequacy of consent to access consumers’ bank accounts and collect/aggregate data was not achieved at this early stage of the litigation. Thus, this case is just beginning and is certainly one to watch to see how the unsettled areas of mobile privacy and CFAA “unauthorized access” are further developed.
Plaid is a fintech services company that offers applications that provide account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts. The plaintiffs claim that Plaid’s banking authentication system, which is embedded into various fintech apps, included a user interface that mimicked the login screens of an individual user’s financial institution such that users were uninformed that they were not actually logging in via the bank’s own platform. Instead, according to plaintiffs, consumers would unwittingly give Plaid their financial institution login credentials and that Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps. In sum, plaintiffs’ complaint asserts that at no time were users ever given conspicuous notice or meaningfully prompted to read through Plaid’s privacy policy indicating that Plaid receives and retains access to their financial institution account login credentials or uses their credentials to collect and sell their banking information.
Based on the allegations, plaintiffs advanced a number of claims, including, among others, violations of the CFAA (and state computer trespass law) and the federal Stored Communications Act (SCA), as well as a number of state privacy and consumer protection claims (including violation of the California Anti-Phishing Act of 2005). In response, Plaid moved to dismiss on several grounds, with mixed results.
The court first ruled that the plaintiffs had Article III standing because they sufficiently pled an injury-in-fact.. The court found that plaintiffs’ allegations – that Plaid does not disclose to users that they are interfacing with Plaid rather than their banks, that Plaid does not meaningfully disclose the extent of its data collection practices, that Plaid deemphasizes the link to its privacy policy, and that Plaid uses the consumer login information to obtain banking data regardless of whether it relates to the transfer of money via the finech apps – sufficiently show that Plaid’s data collection practice would “cause harm or a material risk of harm” to their interest in controlling their personal information to satisfy Article III standing requirements.
Regarding the federal claims, the court dismissed both of them. The CFAA prohibits various computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking certain forbidden actions. Plaid moved to dismiss the CFAA claims on several grounds, including that plaintiffs had not alleged facts…
Read More: Plaid Federal Electronic Surveillance Claims Dropped, Privacy Claims Survive