Financial Aggregator Collecting Banking Information Faces Lawsuit

Last week, an alleged class action lawsuit was filed in California's District Court against financial analyst Envestnet, Inc. ("Envestnet"), which operates Yodlee, Inc. ("Yodlee"). (Wesch v Yodlee Inc., No. 20-05991 (N.D. Cal., Filed August 25, 2020)). According to the complaint, Yodlee is one of the largest financial data aggregators in the world and aggregates financial data such as bank balances and credit card transaction histories from individuals in the United States through its software platforms integrated with various fintech products from financial institutions. At the heart of the lawsuit is that Yodlee collects and then sells access to such anonymized financial data without meaningful notification to consumers, and stores or transmits that data without adequate security, all in violation of California and state privacy laws.

The timing of this case is interesting because it comes shortly after the recent dispute settlement between the Los Angeles attorney and the operator of a weather app over the allegation that location information collected through the weather app was sold to a third party without proper permission of the user of the app.

The lawsuit against Yodlee is not surprising, however, as Democratic Senators Ron Wyden and Sherrod Brown and Congressman Anna Eshoo sent a letter to FTC Chairman Joseph J. Simons last January asking the agency to investigate The methods used to collect financial information from analytics firm Yodlee were in violation of FTC law. As we elaborated on in a previous post, members of Congress have questioned Envestment's position that consumer privacy is protected because the data it sells is anonymized, and further claimed that Envestnet did not tell consumers about it informs that their personal financial information will be sold, but rather relies on its affiliates to provide such information in privacy policies or terms of use. According to Envestnet's latest company files, the FTC investigation is still ongoing and the company is cooperating and answering various questions from the agency.

The 47-page complaint contains several allegations about how Yodlee will be seamlessly integrated with a hosting company's website or app to enable Yodlee to collect and aggregate consumer financial data using various fintech applications or digital banking services. Despite this integration, plaintiffs contend that Yodlee's collection and access to an individual's financial information is in fact "never disclosed" and that Yodlee's privacy policy applies only to its own direct-to-consumer products and not to the APIs that are part of it from various fintech apps. Rather, the complaint alleges that Yodlee's privacy policy instead instructs users to refer to their financial institution's privacy policy for data collection from apps provided by Yodlee. Plaintiffs also allege that once users log in through an application operated by Yodlee, Yodlee stores that credentials and then continues to extract users' financial information without prior notice or consent. The complaint also alleges that a single user of such a fintech app cannot terminate Yodlee's access to their bank account details after entering their credentials. In summary, the complaint claims: “(W) Here a person is unwittingly using Yodlee to link their bank accounts to a FinTech app. Nowhere could she have consulted Yodlee's guidelines to find out the full amount of data that defendants have collected from her or the fact that the defendants sold their data. “In addition, the complaint alleges that Yodlee does not provide any additional information at the“ collection point ”, a central issue in the above-mentioned case of the weather app.

Similar to many lawsuits related to data scratches, plaintiffs employed the kitchen sink strategy and made a litany of claims including: invasion of privacy, federal Recorded Communications Claims (for knowingly sharing saved communications while in electronic storage), and various unfair California claims, competitive and consumer protection claims, and even federal computer fraud and abuse (CFAA) claims for "unauthorized access" for unauthorized access to plaintiffs 'and plaintiffs' financial institutions and by "exceeding authorized access." In addition to providing financial relief, plaintiffs are also seeking an injunction to exclude Yodlee from further collecting financial information without appropriate notice and consent.

Coupled with the FTC's ongoing investigation, this suit raises many interesting questions about consumer data collection. We will be closely monitoring this dispute and the FTC investigation as any investigation may shed light on how modern data collection practices fit into legal and regulatory currency regimes and how the industry might respond.

© 2020 Proskauer Rose LLP. National Law Review, Volume X, Number 244

By getthru

Leave a Reply

Your email address will not be published. Required fields are marked *