Last week, a putative class action lawsuit was filed in a California district court against financial analytics firm Envestnet, Inc. ("Envestnet"), which operates Yodlee, Inc. ("Yodlee") (Wesch v. Yodlee Inc., No. 20-05991 (N.D. Cal. filed August 25, 2020)). According to the complaint, Yodlee is one of the largest financial data aggregators in the world and aggregates financial data such as bank balances and credit card transaction histories from individuals in the United States through its software platforms, which are integrated with various fintech products from financial institutions. At the heart of the lawsuit is the allegation that Yodlee collects and then sells access to such anonymized financial data without meaningful notice to consumers, and stores or transmits that data without adequate security, all in violation of California and state privacy laws.
The timing of this case is interesting because it comes shortly after the recent settlement of a dispute between the Los Angeles attorney and the operator of a weather app over the allegation that location information collected through the app was sold to a third party without proper permission from the app's users.
As in many lawsuits related to data scraping, the plaintiffs employed the kitchen sink strategy and made a litany of claims, including invasion of privacy, federal Stored Communications Act claims (for knowingly sharing stored communications while in electronic storage), various California unfair competition and consumer protection claims, and even federal Computer Fraud and Abuse Act (CFAA) claims for "unauthorized access" involving plaintiffs and plaintiffs' financial institutions and for "exceeding authorized access." In addition to financial relief, the plaintiffs are also seeking an injunction barring Yodlee from further collecting financial information without appropriate notice and consent.
Coupled with the FTC's ongoing investigation, this suit raises many interesting questions about consumer data collection. We will be closely monitoring this dispute and the FTC investigation, as any investigation may shed light on how modern data collection practices fit into current legal and regulatory regimes and how the industry might respond.
© 2020 Proskauer Rose LLP. National Law Review, Volume X, Number 244