News: Envestnet, Yodlee Face Lawsuit hit with Consumer Privacy Suit
At the end of August 2020, a privacy-related class action was filed in California district court against Envestnet, Inc. (Envestnet) and its software subsidiary, Yodlee, Inc. (Yodlee) (Wesch v. Yodlee Inc., No. 20-05991 (N.D. Cal. filed Aug. 25, 2020)). According to the complaint, Envestnet and Yodlee have been sued over their data collection, use and security practices. Yodlee, one of the largest financial data aggregators on the street, has been selling bank balances and consumer credit card transaction data for years to financial institutions like hedge funds.
The Yodlee lawsuit is not surprising. If you recall, Yodlee was also the subject of Congressional focus earlier this year when lawmakers called for the investigation into the inadequacy of consumer consent prior to selling their data to third parties. Members of Congress took issue with Envestment’s position that consumer privacy is protected because the data it sells is anonymized, and further claimed that Envestnet does not inform consumers that their personal financial data is being sold, but rather relies on its partners to make such disclosures in privacy policies or terms of service. According to Envestnet’s recent corporate filings, the FTC investigation is ongoing and the company is cooperating and responding to various questions from the agency.
The crux of the suit is that Yodlee collects consumer credit card transaction data and redistributes the data to third parties (FWIW, for a hefty price tag) this transaction data in an anonymized format without any explicit or meaningful notice to consumers. Meaning, consumers aren’t really placed on notice about the type of data that is collected and what happens to it after it is collected. The complaint also points out inadequacies in the storage and transmission of this data and alleges violation of California and federal data privacy laws.
This case comes on the heels of the recent settlement of the litigation the between the City Attorney of Los Angeles and the operator of a weather app over claims that location information collected through the weather app was being sold to third parties without adequate permission from the user of the app.
Class Action Suit Details
In a class action suit filed in the U.S. District for the Northern District of California, plaintiff Deborah Wesch of New Jersey alleged that she and other consumers have been put at risk because Envestnet and Yodlee did not properly protect consumer data and failed to put in place sufficient security protocols. The complaint contains multiple allegations about the ways Yodlee is “seamlessly integrated” into a host company’s website or app to allow Yodlee to collect and aggregate financial data from consumers using various fintech applications or digital banking services. Wesch also alleged that often times, U.S. consumers don’t even know they are ultimately providing their personal data to Yodlee because the firm “surreptitiously collects such data from software products that it markets and sells to some of the largest financial institutions in the country” including Merrill Lynch, PayPal, Bank of America and Citibank.
“Yodlee, in turn, acquires financial data about each individual that interacts with the software installed on its customers’ systems,” but those individuals “often have no idea they are dealing with Yodlee,” according to the complaint.
Wesch knows this because she connected her PNC Bank account to PayPal using a Yodlee-powered portal in order to facilitate payments and transfers between accounts. “At no time was it disclosed by PayPal, Yodlee, or PNC Bank that the Defendants would continuously access Plaintiff’s bank account to extract and sell data without her consent.”
That was “especially troubling as reports have revealed that Defendants are mishandling the data they collected from individuals without authorization by distributing it in unencrypted plain text files,” the complaint alleged, adding: “These files, which can be read by anyone who acquires them, contain highly sensitive information that make it possible to identify the individuals involved in each transaction.”
The complaint further alleges that an individual user of such a fintech app cannot terminate Yodlee’s access to her bank account information after providing the credentials. In summary, the complaint alleges: “[W]here an individual unknowingly uses Yodlee to connect her bank accounts to a FinTech App, there is nowhere she could have looked in Yodlee’s policies to learn the full extent of data Defendants were collecting from her or the fact that Defendants were selling her data.” Moreover, the complaint alleges that Yodlee does not make any additional disclosures at the “point of collection,” a key issue in the weather app case mentioned above.
The “failure” of Yodlee to “take even the most basic steps to protect this highly sensitive data (e.g., requiring a password to open such files) has placed Plaintiff and all Class members at significant risk of fraud and identity theft,” according to the complaint. The risk to consumers was “especially heightened given Yodlee’s practice of reselling the data it collects — without authorization — to third parties,” the plaintiff alleged.
Envestnet, meanwhile, suffered a setback in its legal dispute with FinancialApps as the latter firm defeated Envestnet’s motion to dismiss the suit filed against Envestnet and Yodlee last year that accused them of misappropriating FinancialApps’ proprietary software platform.
In August, Judge Colm F. Connolly of U.S. District Court for the District of Delaware, adopting the July 6 recommendation of Magistrate Judge Christopher J. Burke, ruled in a memorandum order that the case could proceed. FinancialApps is seeking over $100 million in damages, claiming Envestnet and Yodlee were guilty of trade secret misappropriation, fraud and breach of contract. The case can now proceed to discovery, FinancialApps said.
Commenting after Judge Connolly’s decision, the Envestnet | Yodlee spokesperson told ThinkAdvisor: “Notwithstanding the plaintiff-friendly standard on a motion to dismiss whereby the Court must accept all of FinancialApps’s allegations as true, the Court ruled in favor of Envestnet and Yodlee and actually dismissed two counts, including claims alleging copyright infringement and violations of the Illinois Deceptive Trade Practices Act.”
The spokesperson added: “The claims filed by FinancialApps are baseless and we are vigorously defending ourselves. We hold ourselves to the highest ethical standards with regard to business dealings with customers, partners, and employees, particularly with respect to intellectual property rights.”
The plaintiffs asserted a litany of claims, including: invasion of privacy, federal Stored Communications Act claims (for knowingly divulging stored communications while in electronic storage), various California unfair competition-related and consumer protection related claims, and even federal Computer Fraud and Abuse Act (CFAA) “unauthorized access” claims for accessing the plaintiffs’ and plaintiffs’ financial institutions’ networks without authorization or by “exceeding authorized access.” Beyond monetary relief, the plaintiffs also seek injunctive relief to bar Yodlee from further collection of financial data without adequate notice and consent.
This new suit, coupled with the FTC’s ongoing investigation of Yodlee, highlights interesting issues around consumer data collection. With the implementation of new legal and regulatory approaches to data privacy and recent investigations brought to light, the industry (both data aggregators) and financial institutions consuming the data for investment purposes, will be forced to respond.