As someone who has overseen our consumer privacy team over the past few years building out products like Plaid Link and Plaid Portal, I can attest this is a foremost priority for the company. FWIW, I don’t agree with the allegations, and you can read our POV on this blog post.
Based on this, and the blog post, they clearly take issue with the term ‘sold’. Making the users’ data accessible via API to customers who’ve paid for access to said data does not constitute ‘being sold’, as far as their lawyers are concerned. The fact that 98 million users disagree is unfortunate...
The product was sold as infrastructure, and used as data collection, and 98 million users were not aware of that.
If you’re unable to reconcile why users of Square Cash would be confused when they hear their data is accessible through some service called ‘plaid’ for which they’ve never signed up, or given their data, then maybe you could start with defining terms as they would, rather than how you’d prefer they sound.
Having data in a database doesn’t make it yours, it’s the user’s. It was when it was in their bank, it is when you move it to your service and it remains when you provide it to someone else.
I replied in a few other threads on this. We don't make the user's data accessible via API outside of the app the user connected. Your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app.
We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
Thank you for the response — I know you're likely very restricted in what you can say here, but:
You just settled a claim that you sold customer transaction histories, and from the article linked, the plaintiffs' lawyers claim that you have agreed to implement meaningful business practice changes to remediate these issues.
(1) If you've never sold transaction histories, why settle a lawsuit alleging that you sold transaction histories?
(2) What meaningful business practice changes could you be making if there's no issue to begin with?
(I'm relying on the article here as a source of truth).
You’re right that I can’t write much (legal, PR team say hello).
The bottom line point is, we don’t sell data and that’s not the main allegation. The main allegation is that people didn’t understand that we were part of the flow of connecting banks to apps. We disagree.
Before 2017, there was a whitelabel experience of Plaid that didn’t say “Plaid”, didn’t have the Plaid logo, etc. We still stand by our belief that our disclosures at the time were more than adequate. But it’s not something we want to have protracted litigation around.
The reality is that our experience today is vastly different (and has been for a while). As for “what meaningful business practice changes could you be making if there's no issue to begin with.” Like most companies, we’re always making improvements to our experience -- today we have a consent pane that makes our role clear, a portal for people to manage their data, etc.
> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps. [1]
This is allegedly from the lawsuit. I can see your perspective — that it made sense to settle because of the privacy accusation, but you still deny the other accusations. I understand that perspective, though as I'm sure you can understand, it's hard to know for sure based on the allegations and the settlement.
Pre-2017 Plaid was awesome. You were able to just feed in a username and password of a bank account you collected with your own UI and it would spit out its transactions.
IANAL and have no affiliations to Plaid. My takeaway from the article and [0] is that Plaid violated privacy laws because they provided insufficient disclosure with respect to the collected data, not that they are selling data to third parties.
(IANAL either) I understand and agree that part of the issue is that they, allegedly, underhandedly collected this data. My question is focused around the potential selling of that data, which took place according to the lawsuit and was likely the reason to collect the data.
From the article you linked:
> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps.
> My question is focused around the potential selling of that data, which took place according to the lawsuit and was likely the reason to collect the data.
They would kind of have to be idiots to do so, to be quite frank.
Up until like a year ago, their baseline product was $500 / mo plus $x / user after 100 users (iirc) with a 12 month contract.
Plaid has basically no competition, is worth billions and was almost acquired if not for an anti-trust suit.
I am not sure how Plaid or its founders would benefit financially by betraying the trust of their customers and their customers' customers by getting a few cents per record out of it.
> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps.
People's hatred / mistrust of Plaid stems from a misunderstanding of what Plaid is.
Yes, Plaid does """sell""" that information... to the app that you willfully gave permission to, information like cash flow, debt, types of debt, etc.
Oh, also, if people are so terrified of Plaid, they should write to the Congresspeople and ask them to write a bill to force banks to write & provide REST APIs. The lack of banking APIs is the only reason Plaid exists and has to resort to scraping or storing banking information.
> Oh, also, if people are so terrified of Plaid, they should write to the Congresspeople and ask them to write a bill to force banks to write & provide REST APIs.
Why REST? Yes, I’d certainly rather call REST APIs than, say, SOAP APIs, but do we really want Congress specifying that much technical detail?
I haven't used Plaid and I haven't read the litigation, but it seems the following scenario may have happened:
1) Users use Plaid to buy/sell with a variety of vendors and banks
2) Vendors and banks were aware that specific users were buying/selling because they were buying/selling their products
3) Users consented to #2 because they were buying/selling their products
4) Plaid provided aggregated reports that said "5% of your customers also shopped on Amazon"
I don't have the time to read and research exactly what happened. I see you settled for a large sum. Thus, I don't believe you. We've all been burned by companies that claim one thing and do the exact opposite. It doesn't matter if legally they are stating things accurately. What matters is how we, a mere human, would believe the plain English phrases used to be construed.
Hope you have success and I have no ill will towards you.
Did you pull all transactions on Plaid auth requests? Did you store that data to build out your risk score product? Your standard customer (one verifying their account for an ACH pull) more than likely didn’t know all their transactions were being stored and mined. They just wanted to fund their Robinhood account. That is the issue.
Not to be nit-picky, but is that data (or derivatives of the data) gifted, given, bartered for, or otherwise sent to parties that are not (Plaid, user bank, connected app)?
Neither here nor there, but I just used Plaid for the first time yesterday to pay for the downpayment on my Tesla. It was a really nice, seamless experience.
No, your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app. We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
I worked at Plaid from when it was less than 50 people to when it was a little over 100. There was no selling of data going on when I was there in any form (anonymized, aggregated, or otherwise). More generally, it doesn't make sense for Plaid to sell data. They already make a huge amount of money on the API. Why jeopardize that? In terms of the settlement size, it actually seems like peanuts to me in comparison to the size of Plaid and the number of affected people. I mean it basically translates into 60 cents a person. This seems more like a payoff to the class action lawyers, enough to make it worth their while but basically nothing for their "clients."
That's just not at all true. If you've ever worked in / around law you'd understand how it's less about right and wrong and more about risk management. Non-guilty parties settle all the time. (I have no idea if that is true in this case or not.) But simply the idea that they settled for $$$ amount means they're guilty is just false.
As an engineer that's had to advise corporate legal on how to look at various things I can assure you that most of it is just risk mitigation and reward. From lawsuits to contracts, it's all the same stuff. That's just how legal people think. I don't think it goes any deeper than that.
How much did they settle for? I don't see that in the article. Just because they were sued for $58M doesn't mean that the settlement amount was anywhere near that!
A legal settlement over a lawsuit is the epitome of "if legally they are stating things accurately". How can you possibly conclude that their settlement relates to how you, a mere human, believe the English phrases to be constructed? One explanation is dismissed because it touches on supposedly irrelevant legal details, yet your belief is based entirely on another legal detail. It sounds like you've made up your mind already regardless of what the "plain English" circumstances could be.
This really sounds like you're just doubling down without really responding to anything directly. You say you disagree with the allegations - why do you disagree with them? I understand you probably can't speak to this for legal reasons, but this vague rebuttal is worse than saying nothing at all. It just sounds like typical corporate PR, which makes me automatically assume you're lying.
I don't know the details of this case so I have no strong opinions, but this response makes me trust you less, not more.
I’m guessing this is the relevant section stating that summarized anonymized data is shared.
We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research.
We do not sell or rent personal information that we collect.
I'm betting you are right. It may be that they sold aggregated data, and that they aggregated based on factors that might have been too granular in some situations.
Perhaps something like "all users who are in the UK and logged in last Sunday morning". Something like that could have been a pain to suss out for each instance of data sharing. In addition, if you "settle in court", you can also set court-approved definitions of what "anonymously aggregated" means.
Facebook claimed repeatedly that they had never sold user data, and it turns out this was true: Instead, they had bartered user data for increased access or other privileges elsewhere.
I'd like to hear a broader statement on the specific phrasing in this article: « the fintech firm passed on personal banking data to third party firms without user consent ».
No, your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app. We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
I see a lot of suspicion in thread below, which I very much understand.
I'd like to take a minute though to express my frustration with the banks that refuse to supply any sort of limited APIs. How is it 2021 and I still can't give my tax person read-only access to a specific year of transactions? Plaid's and others' trust issue would be so much easier if the banks had any sort of control over sharing aside from none or authorized to do anything.
I don't understand something. Please, help me understand:
"According to the lawsuit, filed Thursday in California federal court, the plaintiffs alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and use that information to gain access to and sell their transaction histories. Allegedly, these actions occurred without users knowing about Plaid’s role is a variance of “deceptive tactics.”"
So, the lawsuit is for selling the transaction histories and you say you never did it.
Why do you settle for $58M if you never did it rather than go to court so that they present proofs that, according to your explanation, must be false?
I am not convinced.
Or, the simpler explanation: you just lie here to us because you can. But you settle to not go to court because you know you can't lie yourself out of losing.
While I have you here, as a developer of a financial product myself and wanting to use something to let my users connect their bank accounts to my product via plaid, let me tell you sir that your pricing strategy sucks. There is no way for a developer to pay for plaid use on per user basis and your service cannot be used without having to pay like minimum $500 to you every month even if I have like 10 users. So basically your pricing is hostile towards startups.
Sorry you got hit by that! I work at Plaid -- most of Plaid's APIs can be used without a $500 monthly minimum contract but a few of them do require it -- we know this is a pain point and are currently looking into how we can make pricing on these products friendlier to small developers.
https://plaid.com/legal/#consumer-support
As someone who has overseen our consumer privacy team over the past few years building out products like Plaid Link and Plaid Portal, I can attest this is a foremost priority for the company. FWIW, I don’t agree with the allegations, and you can read our POV on this blog post.
https://plaid.com/blog/plaids-commitment-to-consumer-privacy...