A federal judge will allow privacy claims to move forward against fintech company Plaid, accused of posing as a number of banking institutions in order to collect financial data from people when they signed up for payment apps like Venmo.
OAKLAND, Calif. (CN) — Financial services startup Plaid will have to face claims that it deceptively acquired consumers’ banking credentials without their permission.
In a ruling late Friday, U.S. Magistrate Judge Donna Ryu found a consolidated class of customers adequately alleged that Plaid had violated their privacy under a host of California laws by hiding its role as a transactional middleman in order to secretly download their financial data.
Plaid’s software allows consumers to link their bank accounts with payment apps like Venmo, Coinbase and Square’s Cash App.
Venmo user James Cottle says he had no idea that he was actually sharing his banking credentials with Plaid when he signed up for a Venmo account in 2019. His federal lawsuit filed last year says Plaid hid the fact that it was accessing his sensitive financial information by prompting him to login to his bank to set up a Venmo account, a misleading process that allegedly omits that fact that Plaid is actually intercepting a trove of consumer spending data that it later resells.
The class action came just as Plaid was planning a $3.5 billion acquisition by Visa, announced just months before the filing. The deal hit a regulatory wall late last year following an investigation by the Department of Justice into whether the merger poses a threat to competition in the market for online debit services.
Cottle’s case was combined with four other lawsuits brought in May, June, and July 2020.
Ryu’s ruling advances a host of claims, including intrusion upon seclusion, unjust enrichment, deceit and violation of California’s Anti-Phishing law, which makes it illegal to misrepresent oneself in order to induce someone to hand over their sensitive financial information.
“We’re very pleased by the ruling and the recognition that we’ve adequately alleged an invasion of privacy that was achieved via deceit,” Rachel Geman, an attorney with Lieff Cabraser who represents the class, said Friday. “We’re excited to move forward.”
Ryu nixed a claim for violation of the Stored Communications Act, which prohibits unauthorized access electronic communications considered to be in “electronic storage;” a form of digital trespassing. Ryu agreed with Plaid that a financial institution is not “a facility through which an electronic communication service is provided” under the statute.
She also found Cottle and his fellow plaintiffs had failed to allege that they suffered damage or lost money or property as a result of Plaid’s actions, which doomed their claims for fraud under California’s Unfair Competition Law and Computer Fraud and Abuse Act. Those claims were dismissed without prejudice, meaning they cannot be amended and refiled.
“While we believe the case should have been dismissed in full, we are pleased to see that several of the baseless allegations were dismissed with prejudice,” a Plaid spokesperson said in an email to Courthouse News. “We will continue to vigorously defend ourselves against the lawsuit. Plaid firmly believes that consumers should have permission-based access to and control over their financial data, and embody these principles in our practices.”