OAKLAND, Calif. (CN) — A federal court judge on Wednesday approved banking app Plaid's $58 million privacy class action settlement after consumers claimed the company had harvested and sold their financial data without consent.
U.S. Magistrate Judge Donna Ryu’s order found that 11 plaintiffs from five lawsuits, led by James Cottle, won payment for all impacted customers whose data was sold by the tech startup Plaid using their banking login credentials. Plaid provides bank “linking” and verification services for fintech apps that consumers use to send and receive money from financial accounts such as Venmo, Coinbase, Cash App and Stripe.
Cottle’s original complaint said when he signed up for a Venmo account in 2019, he did not know he was sharing his banking credentials with Plaid. He said the company hid the fact that it was accessing his sensitive financial information by prompting him to login to his bank to set up a Venmo account.
The case was combined with four other lawsuits brought in May, June and July 2020. Other plaintiffs said Plaid designed login screens in its interface to look like screens used by individual financial institutions, but failed to disclose to users that they were not interfacing with their bank.
All affected customers will be paid about $13.50 each. Under this order, Plaid will also implement several business practice changes, such as deleting transactions data from users that did not connect an account for transactions or those “for whom Plaid is aware that it no longer has valid means that can be used to authenticate with the financial institution.”
The judge also ruled that the considerable cost for multiple attorneys on this lawsuit required paying a fee of $11 million.
In November, the federal court preliminarily approved the settlement. Out of the approximately 98 million eligible class members, five submitted timely objections. Some asked for a more “reasonable” settlement amount paid per person, which the judge said was illegitimate since no class members incurred any out-of-pocket expenses due to Plaid’s practices.
Ryu’s preliminary ruling advanced claims including intrusion upon seclusion, unjust enrichment and violation of California’s anti-phishing law, which makes it illegal to misrepresent oneself in order to induce someone to hand over their sensitive financial information. She threw out a claim Plaid violated the Stored Communications Act, which prohibits unauthorized access to electronic communications considered to be in “electronic storage.”
Ryu dismissed without prejudice plaintiffs’ claims that they suffered damage or lost money or property as a result of Plaid’s actions, which doomed their claims for fraud under California’s Unfair Competition Law and Computer Fraud and Abuse Act.
A spokesperson for Plaid said the company denies ever having sold or harvested data.
"While we disagree and have denied all allegations, we're looking forward to putting the lawsuit behind us," they said in an emailed statement.
Laura Seidl of Herrera Kennedy LLP, representing the plaintiffs, said, “We are thrilled to have achieved such a great result on behalf of the class, including the robust injunctive relief that puts a stop to the privacy violations we uncovered during our investigation.”
Seidl added “I think it’s going to be a great deterrent to other institutions that might try to do similar things.”
The class action suit hit at the same time Plaid was planning a $3.5 billion acquisition by Visa. The Department of Justice investigated the deal in 2020 into whether the merger poses a threat to competition in the market for online debit services. The two companies subsequently abandoned the deal last year.
Read the Top 8
Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.