Account aggregator Plaid has agreed to a $58 million settlement in a class action lawsuit that alleged the firm violated users’ privacy by obtaining data from financial accounts without authorization and obtaining bank login information by mimicking users’ own bank account login screens. In addition to the cash settlement, Plaid is required to “maintain certain changes to the design of its standard interface, make more fulsome [comprehensive] disclosures to consumers and delete transactional banking data for consumers whose apps did not request that data,” according to a preliminary memo outlining the terms of the settlement.
Plaid links more than 11,000 institutions to more than 5,000 apps, according to a blog post on privacy by John Pitts, global head of policy at Plaid. Plaid purchased wealth management-focused account aggregation firm Quovo in 2019.
The class affected by the settlement is all U.S. residents who own or owned a financial institution account accessed by Plaid in a certain manner from Jan. 1, 2013, to the date of the preliminary approval, according to the memo. "Access" could involve Plaid employing a user’s login credentials to connect to an app that enables payments, including ACH or other money transfers. Or it could involve an account for which a user provided credentials to Plaid via Plaid Link.
In addition to the cash settlement, Plaid has agreed to delete some data it previously held and reduce the data it is allowed to retain, as well as inform class members of their ability to manage data connections, including deleting certain data stored by Plaid. For example, if Plaid determines that a password for a certain bank account has changed or the account is closed, it will delete the associated account data from its systems, according to the memo.
Plaid will also stop using the background colors of specific financial institutions on its credential pane, in an effort to clarify that users are providing their login credentials to Plaid, not the financial institution being linked.
It is also required to maintain a webpage detailing Plaid’s security practices. All data privacy requirements outlined in the settlement will apply for a minimum of three years.
"The claims raised in the lawsuit do not reflect our practices," according to a statement provided by a Plaid spokesperson. "We make our role and practices clear, and provide services that give consumers control over how and where they share their data. We believe settlement of this matter is best in light of the cost and burden associated with protracted litigation."
"We help consumers safely connect their financial accounts to the apps and services they rely on," added the spokesperson. "Moving forward, we will continue to focus on empowering millions of people with control over the data they share across the thousands of applications Plaid supports."
The settlement also discusses Plaid Portal, Plaid’s hub for user-initiated account aggregation management. As part of the settlement, Plaid must make the hub—currently in its beta phase of development in the U.S. and UK—and its functionality more prominent. At Plaid Portal, users who have a Portal account have transparency and control over the links between apps and financial accounts using Plaid.
The settlement stems from a May 2020 lawsuit that alleged fraud, privacy violations and intrusion under various federal and local statutes. By April 2021, nearly a year later, many of the allegations of lawbreaking had been dismissed, but some allegations of invasion of privacy and intrusion into private affairs were allowed to continue. The proposed settlement has been submitted to the United States District Court for the Northern District of California, Oakland Division. The court must approve the settlement for it to take effect.