A proposed class action alleges Plaid, Inc. utilizes Venmo, Coinbase, Square and Stripe users’ login details to access their financial accounts and then “sells and otherwise misuses” the private information therein without consent or disclosure.
Filed in California federal court, the 85-page lawsuit says Plaid’s stated mission is to make it easy for consumers to connect their bank accounts to popular financial technology apps such as Venmo, Coinbase, Square and Stripe. The defendant, however, “conceals its conduct and true intentions from consumers,” who are unaware that Plaid, whose bread and butter is verifying that a consumer owns a particular bank account, has “exploited its position as middleman” to acquire app users’ banking login credentials, the complaint alleges.
According to the case, Plaid uses consumers’ login credentials, obtained through a procedure that mimics the true “OAuth” process used to log into bank accounts, to surreptitiously harvest “vast amounts” of private transaction history and other financial data without consent. The suit says Plaid has carried out this scheme to compile what the company claims to be “one of the largest transactional data sets in the world.”
As for what Plaid does with data, the lawsuit says the company has exploited the information by marketing the trove to its app customers, analyzing the data to derive consumer behavioral insights and, most recently, selling its data stockpile to Visa as part of a multi-billion dollar acquisition.
“Plaid has unfairly benefited from the personal information of millions of Americans and wrongfully intruded upon their private financial affairs,” the plaintiffs, two California Venmo users, allege.
Detailing Plaid’s alleged scheme, the complaint says the company first induces consumers into handing over their private banking login credentials by making it appear as though the information is being communicated directly to the individuals’ banks. Per the case, consumers are told the connection is private and secure and that their banking credentials will “never be made accessible” to the app before being directed to a login screen that appears to come from their bank, complete with its logo and branding.
In truth, however, neither Plaid nor its app partners disclose to consumers that the company itself is responsible for this purportedly bank-branded login screen, the case says. Essentially, this process, which the suit claims Plaid has acknowledged is optimized to increase user conversions, aims to provide a false sense of security to consumers, who are unaware Plaid is an unaffiliated third party, according to the complaint.
Once a user’s banking login credentials have been obtained, the information is allegedly used by Plaid to gain “direct and full” access to the individual’s personal financial information for the company’s own commercial purposes “wholly unrelated” to app use. According to the lawsuit, Plaid downloads years’ worth of transactions for every single account the consumer maintains with the bank regardless of whether the data has any relationship to the app for which the consumer signed up.
All told, a consumer who makes just a single mobile payment through an app connected to a bank by Plaid has unwittingly given the company years’ worth of granular financial information, sometimes for multiple accounts, the case says. To date, Plaid is used by more than 2,000 applications, and holds a trove of data pertaining to more than 200 million distinct financial accounts, the complaint adds.
The lawsuit looks to cover a nationwide and California-only class of U.S. consumers whose accounts at financial institutions were accessed by Plaid using login credentials obtained through the company’s software incorporated in a mobile or web-based fintech app that enables payments or other money transfers.
The complaint can be found below.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.