[majormajor]

The "using Plaid" part of what you're saying confuses me. My reading is that the plaintiffs are claiming that they signed up for Paypal or Venmo directly, linked their banks account, and were unaware that behind the scenes this meant their data went to Plaid, and that then Plaid both gathered data from this and sold the data.

If that's accurate - if the plaintiffs were just trying to use Paypal + their bank account, and only coincidentally using Plaid because Paypal used Plaid - then any data being captured and stored by Plaid does sound extremely fishy. I'd want them to just be a bridge to let info flow between the bank and Paypal, not store any of that themselves too. That part seems sketchy even if they never sold it - I still don't think they should keep it in the first place.

[ahzhou]

Check the source material. Here's the suit: https://www.classaction.org/media/cottle-et-al-v-plaid-inc.p....

The relevant section is on pg 16, under the heading "Plaid Sells and Otherwise Exploits the Unlawfully-Obtained Private Data".

The suit alleges that "Plaid has admitted that it routinely sells the consumer banking data it collects. At a minimum, Plaid sells the data it obtains from consumers’ accounts back to the very app providers, including the Participating Apps, who use its services. [40] Plaid calibrates its prices based on the type of information being sold. [41]".

Footnotes 40 and 41 are, respectively:

[40] See Feb. 21, 2017 Response by Plaid to CFPB’s RFI, https://plaid.com/documents/PlaidConsumer-Data-Access-RFI-Te... (Plaid acknowledges to CFPB that it sells data to party “permissioned” by consumer).

[41] See Feb. 2019 interview with Zach Perret, https://www.saastr.com/build-a-platformecosystem/.

-----

IANAL. The suit alleges that Plaid sells the data, with the specific proof that Plaid sells data to the authorized app (Paypal or Venmo in your example above). The plaintiffs do provide proof in the suit that Plaid sells the data to third parties, but suggest that Plaid might, since they already sell the data to the app that users authorized.

At risk of misrepresenting their argument, the suit seems to claim that Plaid doesn't do enough to give consumers (think average non-tech savvy person) enough of a heads up on what's happening behind the scenes. According to the suit, a consumer using Plaid doesn't understand that they give banking credentials to a third party (Plaid), which uses the credentials and "sells" data to the app that is being connected to the bank.

The above seems consistent to what the Plaid CTO wrote. I haven't seen anything that indicates Plaid sells your data to unrelated third parties. That said, I agree with the suit - Plaid should do a better job of making it clear exactly how your banking information is going to be used.

[owenversteeg]

So, in other words, they're selling my data, just not to third parties. So when I go to click "connect to Plaid", now whoever I'm connecting to suddenly has every single transaction from my bank/credit card/whatever I just connected.

So still a privacy nightmare, just a slightly different one.

What's so hard about not selling my data at all, and not collecting any data except for what's absolutely necessary to connect A to B?

[nemothekid]

>then any data being captured and stored by Plaid does sound extremely fishy

I've integrated with Plaid's API (a long time ago), and this doesn't sound fishy. Plaid's API is pretty comprehensive and it would have PayPal's job to unlink the connection after the verification took place. Plaid gives you a "token" representing the user that can be used to further look up information in their account - such as new transactions. If PayPal had naively enabled the usage of those APIs, then it's not surprising Plaid stored that data.

For example, if you (the API client) didn't want to store any information except for a user token (similar how you might store tokens with Stripe's API), then every time you needed to lookup the client's account number you would call Plaid's API to retrieve that data (which, by definition, they would be storing).

[majormajor]

As a customer, though, that still sounds very dismaying to me.

If I'm linking my bank to paypal to send money back and forth, I don't want: (a) paypal getting transaction history, (b) a third party company hanging on to those credentials, (c) that third party company getting any view of transactions either. I just want Paypal to send/retrieve money.

I thought Plaid just translated "different bank acount APIs" to a dev-friendly one. If they're using that to collect a lot of data THEMSELVES from customers who just wanted bank interop... that's bad. Nobody "using" Plaid is intended to give this intermediary company all that info.

I'm linking my account to Paypal because I (thought that) I trusted Paypal. I never knew I was actually giving all this shit to this other company too.

(In my case, I've used routing number/checking number because they seemed to require handing over less privileges than my full password, and this certainly seems to reinforce my skepticism about using the "sign in to your bank" password auth for linkage.)

[nemothekid]

>If I'm linking my bank to paypal to send money back and forth, I don't want: (a) paypal getting transaction history, (b) a third party company hanging on to those credentials, (c) that third party company getting any view of transactions either. I just want Paypal to send/retrieve money.

100%, which is why I think this lawsuit is valid. That said, even though I don't believe Plaid sold any data, a lot of people brought this up as a concern to using Plaid. I don't consider it shady behavior, because I don't think Plaid ever misrepresented their capabilities to their clients. In other words, PayPal knew Plaid would be storing this data, and used their reputation to provide legitimacy to Plaid. In my opinion, it was PayPal who was irresponsible with your data.