1. Imagine there is a company that knows every dollar you deposit or withdraw, every dollar you charge or pay to your credit card, and every dollar you put away for retirement, within hours after you make the transaction. Imagine this includes every book or movie ticket or meal you purchase, every bill you pay to a doctor or hospital, and every payment you make (or miss) on your mortgage, student loan or credit card bill. Imagine this company maintains a file on you containing all of this information going back five years. Imagine that this company uses your username and password to log into the online account you maintain with your bank and updates that file multiple times a day to stay up to date on every financial move you make.
2. Imagine this company is not your bank. Imagine that, as far as you know, you never provided your username and password to this company or otherwise authorized it to access your online accounts. Imagine you never heard of this company at all.

Intrigued yet? This is just the start of the 59-page, 223-paragraph complaint recently filed against Plaid, Inc. in the Northern District of California. Plaintiff Logan Mitchell alleges (on behalf of herself and putative class members) that Plaid violated pretty much every data privacy statute out there. Plaintiff’s complaint for damages and declaratory and equitable relief alleges violations of: (1) common law invasion of privacy; (2) Article I, § 1 of the California Constitution; (3) the Stored Communications Act (“SCA”); (4) the Computer Fraud and Abuse Act (“CFAA”); (5) California’s Comprehensive Data Access and Fraud Act (“CDAFA”); (6) unjust enrichment; (7) California’s Anti-Phishing Act of 2005; (8) California Unfair Competition Law (“UCL”); (9) California Civil Code § 1709; and (10) negligence. The UCL cause of action is based upon violations of the foregoing statutes, but also piles on alleged violations of the Gramm-Leach-Bliley Act (“GLBA”) Privacy Rule, California’s Financial Information Privacy Act (“CalFIPA”), California Penal Code § 502, and the California Online Privacy Protection Act (“CalOPPA”). With the California Consumer Privacy Act (“CCPA”) enforcement date right around the corner, i.e., July 1, 2020, Plaintiff has also alleged that Plaid violates the CCPA by not providing users with the required notice before collecting and using their personal information.

Plaid is a San Francisco-based financial technology company that allows users “to connect their bank accounts to an app.” Plaid technology is embedded in personal finance applications, such as Venmo, to add functionality that the participating apps do not provide themselves. Plaintiff alleges that Plaid collects and mines user data without the legally required consent or disclosure. Plaintiff charges that Plaid is not “truly committed to building products that are in consumer’s best interest.” Noting that Plaid’s approach for European users allows the sharing of financial data without giving Plaid access to their bank login credentials, Plaintiff states that Plaid could implement the same practices in the U.S., “regardless of whether it is required by law to do so.”

Using an example from the Venmo mobile application, Plaintiff alleges Plaid’s “fine-print click-through” disclosure is insufficient, misleading and illegal. Plaintiff alleges that the text is smaller than other text on the screen, that it appears in a light gray color that is more difficult to read than the other text on the screen, and that a user would not know that this text contains a link to Plaid’s privacy policy unless she were to actually click on it. Also, the screen contains no requirement that the user must review (or even scroll through) the privacy policy before clicking “Continue.”

If one clicks on “Plaid End User Privacy Policy,” one is directed to another screen that discloses, “When you connect your financial accounts with a developer application or otherwise connect your financial accounts through Plaid, where applicable, we collect identifiers and login information required by the provider of your account, such as your username and password, or a security token,” among other information.

So does Plaid really violate a user’s “reasonable expectations of privacy in highly offensive ways that amount to egregious violations of social norms” as alleged in the complaint? That issue may soon be before the court when Plaid files its response to the complaint, which may well be a Rule 12(b)(6) motion to dismiss, one of the defense mechanisms commonly launched at the outset of litigation to dispose of claims as exhaustive as the ones here. Stay tuned for more on this.