The cofounder was telling the truth (or, at least, nothing in the lawsuit implies that he was not).
The plaintiffs in this case are claiming that when they linked their bank accounts to PayPal/Venmo/etc using Plaid they didn't realize what they were doing, or that it's somehow unfair that Paypal/Venmo/etc got their banking data (despite knowingly inputting their credentials into Paypal/Venmo/etc).
Paypal/Venmo/etc is not a third party in that case. They're the party that the customer was knowingly interacting with.
A third party would be an unknown / unrelated data broker. Ie, the cofounder is claiming that they don't turn around and resell data to anyone other than the app that the customer was deliberately using.
The "using Plaid" part of what you're saying confuses me. My reading is that the plaintiffs are claiming that they signed up for Paypal or Venmo directly, linked their bank accounts, and were unaware that behind the scenes this meant their data went to Plaid, and that then Plaid both gathered data from this and sold the data.
If that's accurate - if the plaintiffs were just trying to use Paypal + their bank account, and only coincidentally using Plaid because Paypal used Plaid - then any data being captured and stored by Plaid does sound extremely fishy. I'd want them to just be a bridge to let info flow between the bank and Paypal, not store any of that themselves too. That part seems sketchy even if they never sold it - I still don't think they should keep it in the first place.
The relevant section is on pg 16, under the heading "Plaid Sells and Otherwise Exploits the Unlawfully-Obtained Private Data".
The suit alleges that "Plaid has admitted that it routinely sells the consumer banking data it collects. At a minimum, Plaid sells the data it obtains from consumers' accounts back to the very app providers, including the Participating Apps, who use its services. [40] Plaid calibrates its prices based on the type of information being sold. [41]".
IANAL. The suit alleges that Plaid sells the data, with the specific proof that Plaid sells data to the authorized app (Paypal or Venmo in your example above). The plaintiffs do provide proof in the suit that Plaid sells the data to third parties, but suggest that Plaid might, since they already sell the data to the app that users authorized.
At risk of misrepresenting their argument, the suit seems to claim that Plaid doesn't do enough to give consumers (think average non-tech-savvy person) enough of a heads-up on what's happening behind the scenes. According to the suit, a consumer using Plaid doesn't understand that they give banking credentials to a third party (Plaid), which uses the credentials and "sells" data to the app that is being connected to the bank.
The above seems consistent with what the Plaid CTO wrote. I haven't seen anything that indicates Plaid sells your data to unrelated third parties. That said, I agree with the suit - Plaid should do a better job of making it clear exactly how your banking information is going to be used.
So, in other words, they're selling my data, just not to third parties. So when I go to click "connect to Plaid", now whoever I'm connecting to suddenly has every single transaction from my bank/credit card/whatever I just connected.
So still a privacy nightmare, just a slightly different one.
What's so hard about not selling my data at all, and not collecting any data except for what's absolutely necessary to connect A to B?
>then any data being captured and stored by Plaid does sound extremely fishy
I've integrated with Plaid's API (a long time ago), and this doesn't sound fishy. Plaid's API is pretty comprehensive and it would have been PayPal's job to unlink the connection after the verification took place. Plaid gives you a "token" representing the user that can be used to further look up information in their account - such as new transactions. If PayPal had naively enabled the usage of those APIs, then it's not surprising Plaid stored that data.
For example, if you (the API client) didn't want to store any information except for a user token (similar to how you might store tokens with Stripe's API), then every time you needed to look up the client's account number you would call Plaid's API to retrieve that data (which, by definition, they would be storing).
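The token-based pattern described in the comment above, as an added example that is not part of the original thread and not Plaid's SDK: the `Aggregator` class is a constructed in-memory stand-in for an aggregator that hands the app a long-lived access token and keeps the linked account's data for as long as the link ("item") is live. The method names only loosely mirror Plaid's documented public-token exchange, auth, transactions and item-remove endpoints; the two app-side flows show the difference between keeping the token (ongoing transaction access for both the app and the aggregator) and revoking the link right after the one-time account verification.

```python
"""Data-minimising bank-link flow: verify the account, then revoke the link.

Constructed example. Aggregator is a hypothetical in-memory model of a
Plaid-style token API, not a real client; the account and routing numbers
and the transactions it returns are made-up sandbox values.
"""
from dataclasses import dataclass, field
import secrets


class LinkRevoked(Exception):
    """Raised when an access token refers to an item that was removed."""


@dataclass
class Item:
    account_number: str
    routing_number: str
    transactions: list = field(default_factory=list)
    active: bool = True


class Aggregator:
    """Hypothetical aggregator: keeps bank data for every live item it holds."""

    def __init__(self):
        self._items = {}

    def exchange_public_token(self, public_token):
        # Constructed: every exchange creates one sandbox item with fixed data.
        access_token = "access-" + secrets.token_hex(8)
        self._items[access_token] = Item(
            account_number="000123456789",
            routing_number="011000015",
            transactions=[{"amount": -42.17, "name": "COFFEE"},
                          {"amount": 2500.00, "name": "PAYROLL"}],
        )
        return access_token

    def _live(self, access_token):
        item = self._items.get(access_token)
        if item is None or not item.active:
            raise LinkRevoked(access_token)
        return item

    def auth_get(self, access_token):
        """Account and routing number: all that moving money requires."""
        item = self._live(access_token)
        return {"account": item.account_number, "routing": item.routing_number}

    def transactions_get(self, access_token):
        """Full transaction history: only reachable while the item is live."""
        return list(self._live(access_token).transactions)

    def item_remove(self, access_token):
        """Revoke the link; the token is useless from here on."""
        self._live(access_token).active = False

    def retained_items(self):
        """How many live links (and therefore data sets) the aggregator keeps."""
        return sum(1 for item in self._items.values() if item.active)


def naive_link(agg, public_token):
    """App keeps the access token forever: it (and the aggregator) can
    pull new transactions at any later time."""
    token = agg.exchange_public_token(public_token)
    return {"access_token": token, **agg.auth_get(token)}


def minimal_link(agg, public_token):
    """App fetches only the account numbers, then revokes the link, so no
    token is stored and no transaction history is reachable afterwards."""
    token = agg.exchange_public_token(public_token)
    try:
        return agg.auth_get(token)
    finally:
        agg.item_remove(token)


def link_is_live(agg, access_token):
    """True if transactions can still be read with this token."""
    try:
        agg.transactions_get(access_token)
        return True
    except LinkRevoked:
        return False


def compare_flows():
    """Run both flows against fresh aggregators and report what each leaves behind."""
    naive_agg, minimal_agg = Aggregator(), Aggregator()
    naive_rec = naive_link(naive_agg, "public-sandbox-1")
    minimal_rec = minimal_link(minimal_agg, "public-sandbox-1")
    return {
        "naive_can_read_transactions": link_is_live(naive_agg, naive_rec["access_token"]),
        "naive_items_retained": naive_agg.retained_items(),
        "minimal_stored_keys": sorted(minimal_rec),
        "minimal_items_retained": minimal_agg.retained_items(),
    }


if __name__ == "__main__":
    print(compare_flows())
```

The `finally` in `minimal_link` is the point: the revoke happens even if the auth lookup fails, so a failed verification never leaves a dangling live link behind.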
As a customer, though, that still sounds very dismaying to me.
If I'm linking my bank to paypal to send money back and forth, I don't want: (a) paypal getting transaction history, (b) a third party company hanging on to those credentials, (c) that third party company getting any view of transactions either. I just want Paypal to send/retrieve money.
I thought Plaid just translated "different bank account APIs" to a dev-friendly one. If they're using that to collect a lot of data THEMSELVES from customers who just wanted bank interop... that's bad. Nobody "using" Plaid is intending to give this intermediary company all that info.
I'm linking my account to Paypal because I (thought that) I trusted Paypal. I never knew I was actually giving all this shit to this other company too.
(In my case, I've used routing number/checking number because they seemed to require handing over less privileges than my full password, and this certainly seems to reinforce my skepticism about using the "sign in to your bank" password auth for linkage.)
>If I'm linking my bank to paypal to send money back and forth, I don't want: (a) paypal getting transaction history, (b) a third party company hanging on to those credentials, (c) that third party company getting any view of transactions either. I just want Paypal to send/retrieve money.
100%, which is why I think this lawsuit is valid. That said, even though I don't believe Plaid sold any data, a lot of people brought this up as a concern to using Plaid. I don't consider it shady behavior, because I don't think Plaid ever misrepresented their capabilities to their clients. In other words, PayPal knew Plaid would be storing this data, and used their reputation to provide legitimacy to Plaid. In my opinion, it was PayPal who was irresponsible with your data.
> Plaid has settled a $58 million class action lawsuit over claims that the fintech firm passed on personal banking data to third party firms without user consent.
and selling transaction histories:
> the plaintiffs alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and use that information to gain access to and sell their transaction histories.
For what it's worth I haven't read the actual lawsuit yet, but would love a link if it refutes the article.
I wrote a post above on my take but TL;DR - I think that the suit is mostly alleging that Plaid doesn't do enough disclosure of what's happening behind the scenes. It suggests that Plaid might sell the data to unrelated third parties, but doesn't support it with any proof. It does support itself with proof that Plaid "sells" data to the app that is being connected to the bank.