Lawsuit filed in Northern District of California alleges theft of transactional and other private banking data belonging to tens of millions of consumers

On behalf of consumers in California and across the nation, the law firms of Herrera Purdy LLP, Lieff Cabraser Heimann & Bernstein, LLP, and Burns Charest LLP have filed a federal class action lawsuit against fintech infrastructure company Plaid Inc., which agreed to be purchased by Visa for $5.3 billion in January 2020.

The lawsuit alleges that Plaid violates consumer privacy and computer data protection laws by collecting consumers’ sensitive bank login information through software embedded in a host of fintech apps such as Venmo, Coinbase, Square’s Cash App, and Stripe. Plaid then uses the credentials to access and capture years of transaction and other confidential data from all of the consumers’ accounts with the bank, all without consumers’ knowledge or consent.

As the complaint notes, Plaid’s software is designed to spoof banks’ websites so that consumers will feel more comfortable entering their login information, but in reality, consumers using fintech apps with Plaid’s software are unwittingly handing their login information directly to Plaid. “By concealing its true role, Plaid has amassed for itself what it calls one of the largest transactional data sets in the world, with private banking data collected from 200 million accounts,” said attorney Shawn Kennedy of Herrera Purdy, who filed the lawsuit on behalf of the Plaintiffs.

The lawsuit also alleges that once Plaid establishes a connection with a consumer’s bank, it downloads all available data—including years’ worth of transaction history—for every account the consumer has connected to that bank (such as checking, savings, credit card, and brokerage accounts), regardless of whether the data in any of the accounts bears any relationship to the app for which the consumer signed up. Plaintiffs’ co-counsel Rachel Geman of Lieff Cabraser explained, “With the rapid growth of fintech apps, it is imperative to protect the privacy of consumers and to cement and enforce meaningful consent.”

The complaint also points out that, by removing consumers’ sensitive financial information from the secure banking environment, Plaid strips consumers of important rights and protections. “Despite Plaid’s assurances that its software is secure, Plaid’s actions expose consumers’ sensitive login information to malicious actors and leave consumers vulnerable to data breach and theft,” said Plaintiffs’ co-counsel Christopher Cormier of Burns Charest.  

The lawsuit seeks declaratory and injunctive relief requiring Plaid to cease its misconduct, purge the data it has unlawfully collected, notify consumers of its misconduct, and inform consumers of the steps they can take to protect themselves from further invasions. It also seeks damages and disgorgement based upon Plaid’s misconduct and unjust enrichment.

A copy of the complaint can be found HERE.

Cottle, et al. v. Plaid Inc., case 4:20-cv-03056 in the U.S. District Court for the Northern District of California.