- Imagine there is a company that knows every dollar you deposit or withdraw, every dollar you charge or pay to your credit card, and every dollar you put away for retirement, within hours after you make the transaction. Imagine this includes every book or movie ticket or meal you purchase, every bill you pay to a doctor or hospital, and every payment you make (or miss) on your mortgage, student loan or credit card bill. Imagine this company maintains a file on you containing all of this information going back five years. Imagine that this company uses your username and password to log into the online account you maintain with your bank and updates that file multiple times a day to stay up to date on every financial move you make.
- Imagine this company is not your bank. Imagine that, as far as you know, you never provided your username and password to this company or otherwise authorized it to access your online accounts. Imagine you never heard of this company at all.
Intrigued yet? This is just the start of the 59-page, 223-paragraph complaint recently filed against Plaid, Inc. in the Northern District of California. Plaintiff Logan Mitchell alleges (on behalf of herself and putative class members) that Plaid violated pretty much every data privacy statute out there. Plaintiff’s complaint for damages and declaratory and equitable relief alleges violations of: (1) common law invasion of privacy; (2) Article I, § 1 of the California Constitution; (3) the Stored Communications Act (“SCA”); (4) the Computer Fraud and Abuse Act (“CFAA”); (5) California’s Comprehensive Data Access and Fraud Act (“CDAFA”); (6) unjust enrichment; (7) California’s Anti-Phishing Act of 2005; (8) California Unfair Competition Law (“UCL”); (9) California Civil Code § 1709; and (10) negligence. The UCL cause of action is based upon violations of the foregoing statutes, but also piles on alleged violations of the Gramm-Leach-Bliley Act (“GLBA”) Privacy Rule, California’s Financial Information Privacy Act (“CalFIPA”), California Penal Code § 502, and the California Online Privacy Protection Act (“CalOPPA”). With the California Consumer Privacy Act (“CCPA”) enforcement date right around the corner, i.e. July 1, 2020, Plaintiff has also alleged that Plaid violates the CCPA by not providing users with the required notice before collecting and using their personal information.
Plaid is a San Francisco-based financial technology company that allows users “to connect their bank accounts to an app.” Plaid technology is embedded in personal finance applications, such as Venmo, to add functionality that the participating apps do not provide themselves. Plaintiff alleges that Plaid collects and mines user data without the legally required consent or disclosure. Plaintiff charges that Plaid is not “truly committed to building products that are in consumer’s best interest.” Noting that Plaid’s approach for European users allows the sharing of financial data without giving Plaid access to their bank login credentials, Plaintiff states that Plaid could implement the same practices in the U.S., “regardless of whether it is required by law to do so.”
So does Plaid really violate a user’s “reasonable expectations of privacy in highly offensive ways that amount to egregious violations of social norms” as alleged in the complaint? That issue may soon be before the court when Plaid files its response to the complaint, which may well be a Rule 12(b)(6) motion to dismiss, one of the defense mechanisms commonly launched at the outset of litigation to dispose of claims as exhaustive as the ones here. Stay tuned for more on this.