
Again, I don't see anything shady there. There's two things I see in the settlement about that:

1. They proactively retrieved transaction data when you connect an account. This sounds like an assumption that almost always people are going to want transaction data, so they just do it by default, presumably to improve the first-time user experience so the data's already there when you later request it. This is going to be changed to only retrieve transaction data on demand.

2. If Plaid's connection is broken (e.g. the user changes their password) then Plaid deactivates the connection but keeps the data. They've agreed to delete the data in this case. The drawback of this change is that since many connectivity issues are going to be temporary, this means that in those cases they'll need to delete the data, then retrieve it again when the user reconnects.

Basically it sounds like they optimized a little too hard on user experience, especially when connecting a new account, and in the process they overstepped user consent. I don't see any bad intent there personally, it sounds like they were just a bit overzealous trying to make the experience super slick.



Optimizing away user consent for collection and storage of highly sensitive banking transaction data certainly meets my bar for "shady".


I disagree. This sounds like an enthusiastic developer that may or may not have fully described the situation to the PM.

Shady would happen depending on what they did with the data.



