Privacy Litigation Updates for the Financial Services Sector: Claims Against Yodlee Survive and Limited Discovery of Envestnet AllowedIn November 2020, Yodlee and its parent company Envestnet filed separate motions to dismiss the class action lawsuit brought over Yodlee’s alleged data collection and use practices. Yodlee’s motion to dismiss argued that plaintiffs failed to state a claim under Federal Rule of Civil Procedure 12(b)(6), while Envestnet argued that its status as the parent company to Yodlee was not enough for the court to establish personal jurisdiction over Envestnet under Federal Rule of Civil Procedure 12(b)(2).

On February 16, 2021, Federal Magistrate Judge Sallie Kim partially granted and partially denied Yodlee’s motion to dismiss and reserved ruling on Envestnet’s motion to dismiss. The court allowed plaintiffs to cure deficiencies and file an amended complaint. On March 15, 2021, plaintiffs filed a Second Amended Complaint.

Yodlee’s Motion to Dismiss

Claims 1 and 10 – Invasion of Privacy:

The court held that plaintiffs have a reasonable expectation of privacy in their individual financial accounts. Yodlee is alleged to have improperly accessed and retained data from these personal accounts. Furthermore, Yodlee is alleged to have sold aggregated financial data that “would only take a few steps to identify the individual.”

The court denied Yodlee’s motion to dismiss Claims 1 and 10.

Claim 2 – Stored Communications Act:

The court held that plaintiffs failed to allege facts sufficient to satisfy the element of “electronic storage” because plaintiffs only alleged Yodlee “stores the information for its own misuse of the data.”

The court granted Yodlee’s motion to dismiss Claim 2 with leave to amend.

Claim 3 – Unjust Enrichment:

The court held that plaintiffs’ allegations of acquiring their data through a fraudulent scheme and selling that data was pled with enough particularity to put Yodlee on notice of the substance of the alleged fraudulent scheme.

The court denied Yodlee’s motion to dismiss Claim 3.

Claim 4 – California Civil Code § 1709:

The court found that plaintiffs sufficiently alleged Yodlee’s alleged fraudulent scheme to deceive plaintiffs.

The court denied Yodlee’s motion to dismiss Claim 4.

Claim 5 – California Unfair Competition Law – Business and Professional Code § 17200:

The court held that plaintiffs did not allege “a transaction or contract with Yodlee,” only the “Loss of Benefit of the Bargain,” and as such, it is unclear how plaintiffs “lost money or property as a result of Yodlee’s alleged conduct.” Furthermore, although plaintiffs allege the inability to seek indemnification and the heightened risk of identity theft, the court held that since neither of these have occurred yet, they are merely potential and hypothetical and not enough to have standing to bring suit over this cause of action.

The court granted Yodlee’s motion to dismiss Claim 5 with leave to amend.

Claims 7 and 9 – Computer Fraud and Abuse Act and California Comprehensive Data Access and Fraud Act:

The court held that plaintiffs’ damage claims of “the costs of conducting damage assessments, restoring the data to its condition prior to the offense, and consequential damages they incurred by, inter alia, spending time conducting research to ensure that their identity had not been compromised and accounts reflect the proper balances” were conclusory and insufficient to show damage or loss.

The court granted Yodlee’s motion to dismiss Claims 7 and 9 with leave to amend.

Claim 8 – California Anti-Phishing Act of 2005:

The court held that plaintiffs’ allegations that Yodlee represented themselves to be plaintiffs’ financial institutions, which was an allegedly fraudulent and deceitful impersonation of those institutions, and induced plaintiffs to provide their login credentials to defendants, were sufficient to state a claim under the California Anti-Phishing Act.

The court denied Yodlee’s motion to dismiss Claim 8.

Envestnet’s Motion to Dismiss for Lack of Personal Jurisdiction

The court held that plaintiffs have not alleged sufficient facts to bring an alter ego claim against Envestnet. The court noted that an alter ego claim is a rare remedy. To be invoked, the court held that there must be (1) unity of interest and (2) an inequitable result will occur if not invoked. To show unity of interest, plaintiffs should plead a fact supporting at least two or three of the following factors: “commingling of funds, identification of the equitable owners with domination and control of the two entities, instrumentality or conduit for a single venture or the business of an individual, failure to maintain minutes or adequate corporate records, use of the same office or business locations, identical equitable ownership of the two entities, use of a corporation as a mere shell, and the failure to adequately capitalize a corporation.” Furthermore, in some jurisdictions, such as the present jurisdiction, a showing of bad faith is required.

The court noted that, as it stands, plaintiffs have not alleged sufficient facts to support their alter ego claim. However, the court reserved ruling on Envestnet’s motion to dismiss until plaintiffs have an opportunity to conduct discovery on the issue. The court provided plaintiffs the opportunity to issue five document requests, five interrogatories, and five requests for admissions, as well as take one deposition of Envestnet. Plaintiffs must then file a supplemental brief no later than May 28, 2021, and Envestnet may file a response by June 11, 2021.

Takeaway

Many of plaintiffs’ claims have survived the motion to dismiss, bringing to light the legal and reputational risks from these data-sharing practices. Considering this pending case, businesses should review their privacy policies and procedures to ensure their data privacy compliance programs are up to date, accurately disclose their sharing practices, and protect consumer data. Based on this order, there are two significant areas to watch: anonymized, aggregated data and application programming interface (API) interactions.

Anonymized, Aggregated Data

The court found that plaintiffs have a reasonable expectation of privacy in their personal, financial accounts at an individual level. Though Yodlee argued that plaintiffs do not have a reasonable expectation of privacy in anonymized, aggregated data, the court noted that plaintiffs’ allegations that it “would only take a few steps to identify the individual Plaintiffs from the transactions.”

All businesses should review their contracts with third-party service providers, including those that provide APIs, to ensure that contractual language defining anonymized, aggregated data complies with relevant privacy laws and provides required protections, as well as defines whether and to what extent the business grants the third party permission to use and further disclose such anonymized, aggregated data.

API Interactions

Many of plaintiffs’ claims were based on the lack of and/or unclear disclosure of Yodlee’s interactions with their financial institutions. While plaintiffs allege that Yodlee does not have authority or approval from each financial institution, the use of a login screen that appears to be the financial institution is likely part of the API software agreement that the financial institutions pay to use. Businesses should ensure that any interaction with third-party processors on their websites or applications clearly and explicitly states the role of the third party and that such role is properly reflected in the businesses’ privacy policies.

If you have any questions or to discuss your company’s data sharing practices, contact Courtney Achee, Lissette Payne or Kelley Hails. For more information on this developing case and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.

Print:
EmailTweetLikeLinkedIn
Photo of Courtney Achee Courtney Achee

Courtney Achee assists clients across industries with litigation and compliance needs. Courtney advises clients on compliance obligations under federal statutes and regulations, state privacy and data security laws, global data protection laws, and industry standards including GLBA, FCRA, FACTA, TCPA, CAN-SPAM, UDAP/UDAAP, COPPA…

Courtney Achee assists clients across industries with litigation and compliance needs. Courtney advises clients on compliance obligations under federal statutes and regulations, state privacy and data security laws, global data protection laws, and industry standards including GLBA, FCRA, FACTA, TCPA, CAN-SPAM, UDAP/UDAAP, COPPA, CCPA, GDPR, Privacy Shield, PCR, PCI DSS, and other laws.

Courtney has also assisted financial institutions with regulatory examinations conducted by the Consumer Financial Protection Bureau (CFPB), including examinations on regulations such as TILA RESPA Integrated Disclosures Act (TRID) and Know Before You Owe.

Photo of Lissette C. Payne Lissette C. Payne

Lissette Payne is an attorney in Bradley’s Banking and Financial Services Practice Group. She is designated as a Certified Information Privacy Professional by the International Association of Privacy Professionals, with U.S. Private Sector (CIPP/US) and European (CIPP/E) concentrations.

Lissette received a J.D. from…

Lissette Payne is an attorney in Bradley’s Banking and Financial Services Practice Group. She is designated as a Certified Information Privacy Professional by the International Association of Privacy Professionals, with U.S. Private Sector (CIPP/US) and European (CIPP/E) concentrations.

Lissette received a J.D. from the University of North Carolina School of Law, where she was president of the Hispanic/Latino Law Student Association, co-chair of the Student Bar Association’s Multicultural and Diversity Committee and a member of the Hispanic/Latino Law Student Association Moot Court Team. She received her B.A. in Political Science from the University of North Carolina at Chapel Hill.

Photo of Kelley J. Hails Kelley J. Hails

Kelley Hails focuses her practice on helping banks and other financial institutions with regulatory compliance matters. As part of her regulatory compliance practice, Kelley assists clients in the financial services and mortgage industries as they navigate, implement, and manage compliance with various originating…

Kelley Hails focuses her practice on helping banks and other financial institutions with regulatory compliance matters. As part of her regulatory compliance practice, Kelley assists clients in the financial services and mortgage industries as they navigate, implement, and manage compliance with various originating and servicing obligations imposed on them by federal and state regulators, including the Real Estate Settlement Procedures Act (RESPA), the Truth in Lending Act (TILA), TILA-RESPA Integrated Disclosure requirements, Fair Credit Reporting Act (FCRA), Equal Credit Opportunity Act (ECOA), Unfair, Deceptive or Abusive Acts or Practices (UDAAP), and other CFPB and state consumer protection requirements. She regularly advises clients on the application of such laws in connection with day-to-day operations, maintenance or development of policies and procedures, product advertising and development, mock regulatory examination reviews, risk assessments, regulatory examinations, and error correction. Kelley also has experience in a variety of commercial lending transactions.

Kelley is fluent in Spanish and assists clients with matters involving Spanish-language needs.