News: “Lawmakers Call for Investigation of Fintech Firm Yodlee’s Data Selling”

On Friday, January 17, 2020, the WSJ reported that Members of Congress are digging into whether Envestnet | Yodlee, a leading data aggregation and data analytics platform, is getting adequate consent from consumers prior to selling their data to third parties, such as hedge funds. For background, Yodlee, according to their company website, “helps consumers live better financial lives through innovative products and services created for more than 1,200 financial institutions and FinTech companies, including 15 of the top 20 U.S. banks.” The dataset that is offered to the fund manager crowd includes aggregated data about customers of certain financial institutions (e.g. banks) that Yodlee receives in connection with services that Yodlee provides back to the banks, as well as any other aggregated data that Yodlee might collect about their own customers.

Three lawmakers called on the Federal Trade Commission (FTC) to investigate Yodlee on the claim that the vendor is selling consumers’ personal financial data without proper consent. The letter, from Sen. Ron Wyden (D., Ore.), Sen. Sherrod Brown (D., Ohio), and Rep. Anna Eshoo (D., Calif.), asked the FTC to investigate whether Yodlee’s practices constitute unfair, deceptive, or abusive behavior. If the FTC determines that is the case, many layers in the data distribution/resale chain will be impacted. Yodlee could face financial penalties or other sanctions. Data brokers and financial institutions/investors may be exposed and scrutinized for their due diligence reviews/onboarding processes/PII cleansing.

The primary use case for this type of data is insight into consumer spending trends, which is primarily helpful for consumer-focused investment teams. Typically, collected data is a snapshot in time, showing things like bank account summary, bank transaction, card account summary and transaction data. The data is shared with the vendor through a personal financial management (PFM) tool, which is software that helps consumers manage their money. This covers any type of bank app like Personal Capital that allows the end user to view accounts, add multiple accounts, categorize transactions, view spending trends, build budgets, etc., all in a single view.

“Consumers’ credit and debit card transactions can reveal information about their health, sexuality, religion, political views, and many other personal details,” the lawmakers’ letter said. “Consumers generally have no idea of the risks to their privacy that Envestnet is imposing on them.”

Yodlee’s website says that “when an investor engages with a fiduciary advisor, the investor permissions the advisor and the supporting institution(s) to see their data.” Yodlee “never sells data that identifies individuals” and scrubs data of personally identifiable information before selling it, it says.

One of the main arguments coming from lawmakers is that even if the end-user consumer is placed on notice that data may be sold in this manner, data vendors like Yodlee “should not put the burden on consumers to locate a notice buried in small print. The FTC has made it clear that companies may not hide important facts about how consumer data is collected or shared in the small print of a privacy policy.”

Another strong point noted by the lawmakers is that even aggregated, anonymous data does not always stay that way. As mentioned in previous posts on this blog, it is still possible to back into or identify individuals when combining multiple data sets. In a 2015 Science article, academics studied ‘anonymized data’ on 1.1 million consumers’ credit card transactions and were still able to identify 90% of the individuals with things like names, social security numbers, and other identifying information.