Plaid settles class-action lawsuit for $58 million

Plaid has settled a class-action lawsuit in which consumers alleged that the company used dubious tactics to gather bank account data to share with fintech clients. Under the terms of the agreement, the San Francisco data aggregator has agreed to establish a $58 million settlement fund and make changes to its business practices and policies.

This settlement encompasses five class-action lawsuits that were combined into one. All alleged that Plaid used consumers’ banking login credentials to harvest and sell detailed financial data without the users’ consent.

The settlement affects an estimated 98 million people for whom Plaid screen-scraped data from a bank account to be fed into a fintech app like Venmo. After the lawyers are paid, if all 98 million people file a claim, they will get about 60 cents each. (In these types of settlements, typically not everyone makes a claim. However, in this case they will be given the option of receiving the settlement money automatically through Venmo and PayPal rather than strictly through a check, which could result in more claims.)

The plaintiffs claimed that Plaid’s user interface mimicked the login screens of an individual user’s financial institution and that users were uninformed that they were not actually logging in via the bank’s own platform. Plaintiffs said they unwittingly gave Plaid their financial institution login credentials and that Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties.

In the settlement, Plaid committed to improve data deletion and minimization, improve disclosures, and continue to host a dedicated webpage with detailed information about its security practices.

Data minimization, in this case, means ensuring that no more data is pulled than is needed for the fintech app’s purposes. Data deletion means eliminating any unneeded data that may have been accidentally collected. For instance, if an app is using Plaid for authentication and needs merely an account routing number, Plaid is committing to taking only that number. If any other data is collected in the process of screen-scraping the consumer’s account, it will be deleted.

Plaid has said that it hopes to have 75% of its traffic committed to bank application programming interfaces by the end of this year. The use of APIs should eliminate all the complaints raised in the lawsuit, the company said.

“If you think about the trajectory of where Plaid was five or six years ago, versus where we’re now and where we’re headed to the future, this really clears the decks for us to continue moving forward and moving in this API-bank partnership direction and this commitment to really strong, industry-leading transparency and control tools for consumers,” said John Pitts, Plaid’s head of policy. “The settlement opens up the ability for us to continue moving forward in that direction and double down on our investment in that approach to the ecosystem.”
