Consumers are more aware than ever of data privacy and security issues. As technology develops, vast quantities of data are collected on individuals every minute of every day. Customers trust their institutions to keep the troves of financial data on them private and secure.
Wesch v. Yodlee, Inc. and Envestnet, Inc.
A recent class action lawsuit filed against Yodlee and its parent company, Envestnet, puts a spotlight on the data-sharing practices of consumer financial information. The plaintiff, Deborah Wesch, alleges in the complaint that Yodlee’s business practice of collecting, extracting, and selling personal data violates several privacy laws, such as the California Consumer Privacy Act (CCPA), California’s Financial Information Privacy Act (CalFIPA), the California Online Privacy Protection Act (CalOPPA), and the Gramm-Leach Bliley Act (GLBA) Privacy Rule. The complaint brings to light an issue that many financial institutions have and continue to grapple with under a dual state and federal privacy regime — namely whether Yodlee’s data aggregation practices are subject to CCPA or whether Yodlee qualifies as a “financial institution” under GLBA and CalFIPA. Even if Yodlee does qualify as a financial institution, the information would need to be collected pursuant to GLBA and CalFIPA, in order to fit within the narrow exception provided under CCPA.
Based on the complaint, Yodlee is a data aggregation and data analytics company. It obtains access to individuals’ financial data through its Application Programming Interface (API) software, which is used to connect financial apps and software to third-party service providers. This software is integrated into the platforms of some of the largest financial institutions in the country.
The plaintiff alleges that the software is “silently integrate[d] into its clients’ existing platforms to provide various financial services.” This silent integration is significant because “the customer believes that it is interacting with its home institution (e.g., its bank) and has no idea it is logging into or using a Yodlee product.” But when the customer enters their bank login information, Yodlee “stores a copy of each individual’s bank login information (i.e., her username and password) on its own system after the connection is made between that individual’s bank account and any other third-party service (e.g., PayPal).”
Once Yodlee has access to the individual’s account, the plaintiff alleges that Yodlee routinely extracts data from the user’s account, even after an individual has severed the connection between its bank account and the third-party service. After access is revoked, Yodlee accesses the account by relying on their own stored copy of the individual’s credentials. Then, Yodlee allegedly aggregates the data, including bank account balances and transaction histories, and sells it to third parties for a fee.
The plaintiff alleges that when she connected her bank account to PayPal through Yodlee’s account verification API, she did not receive the appropriate disclosures about Yodlee’s business practices of storing her account log-in information. Yodlee then continuously accessed and extracted information from her account and sold her personal data to third parties without her knowledge or consent. Even though “PayPal discloses to individuals that Yodlee is involved in connecting their bank account to PayPal’s service for the limited purpose of confirming the individual’s bank details, checking their balance, and transactions, as needed,” the plaintiff alleges that “Yodlee’s involvement with the individual’s data goes well beyond the limited consent provided to facilitate a connection between their bank account and PayPal.”
Banks and other businesses that deal with financial information have unique privacy considerations that should be evaluated in light of this pending case. First and foremost, businesses should re-evaluate their data-sharing practices with third parties that are known data aggregators by reviewing their contracts with such third-party service providers. Businesses often rely on legal bases to share information with third parties. Businesses should review these legal bases to ensure compliance with applicable privacy laws. More specifically, businesses that qualify as “financial institutions” under GLBA and/or CalFIPA should evaluate what legal basis they are relying on when sharing customer information with non-affiliate third parties.
- If the service provider exception is the legal basis relied upon to share data, businesses should confirm their contracts properly impose the limitations required by applicable privacy laws, such as those required by GLBA or CalFIPA.
- Moreover, if the consent or authorization exception is the legal basis relied upon to share data, businesses should ensure that they have received consent as defined by, and in accordance with, applicable privacy laws.
- However, if the business has taken the position that the information being shared does not qualify as “nonpublic personal information” or “personally identifiable financial information,” the business should review the relevant definitions under applicable privacy laws to ensure that such information does not fall within the scope of nonpublic personal information.
- Alternatively, if the business relies on the information being extracted by the third party as being de-identified data, the business should take steps to ensure that the data truly meets the applicable standard for de-identification under all applicable privacy laws.
Even if the sharing is permitted under applicable privacy laws, businesses should consider potential claims brought under California’s Unfair Competition Law when designing the interaction of their application with a third-party processor’s application. Particularly when a consumer enters their credentials to link an app or to verify a bank account, if the screen displays the bank’s logo, it may cause consumers to believe they are entering their information on the bank’s secure portal rather than providing their credentials to a third party. Banks should make it clear to consumers that they are interacting with an outside third-party.
Lastly, aside from the legal implications of sharing customer information, businesses should also consider the reputational risk to certain data-sharing practices. Stay tuned for a follow-up blog discussing the case decision and its impact on the privacy and financial services sector.