Aaron M. Sheanin (SBN 214472)
Christine S. Yun Sauer (SBN 314307)
ROBINS KAPLAN LLP
2440 West El Camino Real, Suite 100
Mountain View, CA 94040
Telephone: (650) 784-4040
Facsimile: (650) 784-4041
asheanin@robinskaplan.com
cyunsauer@robinskaplan.com

Hollis Salzman (pro hac vice forthcoming)
Kellie Lerner (pro hac vice forthcoming)
David Rochelson (pro hac vice forthcoming)
ROBINS KAPLAN LLP
399 Park Avenue, Suite 3600
New York, NY 10022
Telephone: (212) 980-7400
Facsimile: (212) 980-7499
hsalzman@robinskaplan.com
klerner@robinskaplan.com
drochelson@robinskaplan.com

Christian Levis (pro hac vice forthcoming)
Amanda Fiorilla (pro hac vice forthcoming)
LOWEY DANNENBERG, P.C.
44 South Broadway, Suite 1100
White Plains, NY 10601
Telephone: (914) 997-0500
Facsimile: (914) 997-0035
clevis@lowey.com
afiorilla@lowey.com

Anthony M. Christina (pro hac vice forthcoming)
LOWEY DANNENBERG, P.C.
One Tower Bridge
100 Front Street, Suite 520
West Conshohocken, PA 19428
Telephone: (215) 399-4770
Facsimile: (914) 997-0035
achristina@lowey.com

[Additional counsel on signature page]

Attorneys for Plaintiff and the Proposed Class

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

DEBORAH WESCH, individually and on behalf of all others similarly situated,
Plaintiff,

v.

YODLEE, INC., a Delaware corporation, and ENVESTNET, INC., a Delaware corporation,
Defendants.

Case No.:

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL
CASE NO. ____________

`Case 3:20-cv-05991-SK Document 1 Filed 08/25/20 Page 2 of 47

TABLE OF CONTENTS

SUMMARY OF ALLEGATIONS .......... 1
JURISDICTION AND VENUE .......... 4
PARTIES .......... 4
FACTUAL BACKGROUND .......... 5
  I.   The Founding of Yodlee .......... 5
  II.  Yodlee Collects and Sells Individuals’ Financial Data Without Their Consent .......... 7
  III. Yodlee’s Failure to Disclose Violates Several Privacy Laws .......... 11
  IV.  Government and Industry Leaders Agree that Defendants’ Conduct Is Wrong, Risky, Dangerous and Bad for Consumers .......... 15
INJURY AND DAMAGES TO THE CLASS .......... 17
  I.   Plaintiff and Class Members Have Suffered Economic Damages .......... 17
  II.  Loss of Control Over Valuable Property .......... 18
  III. Yodlee Does Not Have Adequate Safeguards to Protect Consumers’ Data .......... 20
  IV.  Congress Has Requested an FTC Investigation into Envestnet & Yodlee Practices .......... 23
TOLLING, CONCEALMENT AND ESTOPPEL .......... 24
CLASS ACTION ALLEGATIONS .......... 25
CALIFORNIA LAW APPLIES TO THE NATIONWIDE CLASS .......... 27
CLAIMS FOR RELIEF .......... 28

Plaintiff Deborah Wesch (“Plaintiff”), on behalf of herself and all others similarly situated, asserts the following against Defendants Yodlee, Inc., (“Yodlee”) and Envestnet Inc., (“Envestnet”) (collectively “Defendants”), based upon personal knowledge, where applicable, information and belief, and the investigation of counsel.

SUMMARY OF ALLEGATIONS

1. The Internet age has spawned the development of a vast data economy. Among its key players are data aggregators, companies that collect and repackage data from various sources for sale to advertisers, investors, researchers, and other third parties.

2. Yodlee is one of the largest financial data aggregators in the world. Its business focuses on selling highly sensitive financial data, such as bank balances and credit card transaction histories, collected from individuals throughout the United States. For example, as Yodlee’s former chief product officer explained in a 2015 interview, “‘Yodlee can tell you down to the day how much the water bill was across 25,000 citizens of San Francisco,’ or the daily spending at McDonald’s throughout the country.”1

3. This data is not available from public sources and is so sensitive that the individuals it concerns would not voluntarily turn it over.

4. Rather, Yodlee surreptitiously collects such data from software products that it markets and sells to some of the largest financial institutions in the country. These institutions, including 15 top banks (e.g., Bank of America, Merrill Lynch, and Citibank), 10 top wealth management firms, and digital payment platforms like PayPal, use Yodlee’s software for various purposes, including to connect their systems to one another.

5. Yodlee, in turn, acquires financial data about each individual that interacts with the software installed on its customers’ systems. However, these individuals often have no idea they are dealing with Yodlee.

1 Bradley Hope, Provider of Personal Finance Tools Tracks Bank Cards, Sells Data to Investors, WALL ST. J. (Aug. 6, 2015), https://www.wsj.com/articles/provider-of-personal-finance-tools-tracks-bank-cards-sells-data-to-investors-1438914620.

6. This is by design. Given the highly sensitive nature of the data Yodlee collects, Yodlee’s software is developed to be seamlessly integrated directly into the host company’s existing website and/or mobile app in a way that obscures who the individual is dealing with and where their data is going. For example, when individuals connect their bank accounts to PayPal, they are prompted to enter their credentials into a log in screen that mirrors what they would see if they directly logged into their respective bank’s website. See Part II, below. Their financial institution’s logo is prominently displayed on each of the screens that they interact with and the individuals use the same usernames and passwords they would to log in to their financial institution’s own website or mobile app. At no point are the individuals prompted to create or use a Yodlee account.

7. Moreover, to the extent Yodlee is mentioned, individuals are not given accurate information about what Yodlee does or how it collects their data. For example, PayPal discloses to individuals that Yodlee is involved in connecting their bank account to PayPal’s service for the limited purpose of confirming the individual’s bank details, checking their balance, and transactions, as needed. While this might be true for that initial log in, Yodlee’s involvement with the individual’s data goes well beyond the limited consent provided to facilitate a connection between their bank account and PayPal.

8. Yodlee, in fact, stores a copy of each individual’s bank log in information (i.e., her username and password) on its own system after the connection is made between that individual’s bank account and any other third party service (e.g., PayPal).

9. Yodlee then exploits this information to routinely extract data from that user’s accounts without their consent.

10. This process continues even if, for example, an individual severs the connection between its bank account and the third party service (e.g., PayPal) that Yodlee facilitated. In that instance, Yodlee relies on its own stored copy of the individual’s credentials to extract financial data from her accounts long after the access is revoked.

11. This unagreed-to data collection is particularly problematic because “[c]onsumers’ credit and debit card transactions can reveal information about their health, sexuality, religion, political views, and many other personal details.”2 It is no wonder that Yodlee has been highly successful as, according to the Wall Street Journal, companies are willing to pay as much as $4 million a year for access to this sort of highly personal data.

12. Plaintiff Deborah Wesch connected her PNC Bank account to PayPal using a Yodlee-powered portal in order to facilitate transfers among those accounts. At no time was it disclosed by PayPal, Yodlee, or PNC Bank that the Defendants would continuously access Plaintiff’s bank account to extract and sell data without her consent.

13. This is especially troubling as reports have revealed that Defendants are mishandling the data they collected from individuals without authorization by distributing it in unencrypted plain text files. These files, which can be read by anyone who acquires them, contain highly sensitive information that makes it possible to identify the individuals involved in each transaction.

14. Yodlee’s failure to take even the most basic steps to protect this highly sensitive data (e.g., requiring a password to open such files) has placed Plaintiff and all Class members at significant risk of fraud and identity theft. This risk is especially heightened given Yodlee’s practice of reselling the data it collects—without authorization—to third parties. While Yodlee claims to protect this data while in its custody, it has admitted in filings with the United States Securities and Exchange Commission (“SEC”) that it “does not audit its customers to ensure that they have acted, and continue to act, consistently with such assurances.”3 Yodlee, accordingly, cannot guarantee Plaintiff or other Class members that its clients, or anyone with whom its clients share Class members’ sensitive personal data, are not using such data for nefarious purposes.

15. Given Defendants’ secretive data collection practices and recent reports regarding its grossly inadequate approach to data security, Plaintiff believes that additional evidence supporting its claims will be uncovered following a reasonable opportunity for discovery.

2 Letter from Senator Ron Wyden et al., Cong. of the U.S., to Joseph J. Simons, Chairman, Fed. Trade Comm’n (Jan. 17, 2020), https://www.wyden.senate.gov/imo/media/doc/011720%20Wyden%20Brown%20Eshoo%20Envestnet%20Yodlee%20Letter%20to%20FTC.pdf.
3 Proxy Statement/Prospectus, YODLEE (Oct. 21, 2015), https://www.sec.gov/Archives/edgar/data/1337619/000104746915007906/a2226277z424b3.htm.

JURISDICTION AND VENUE

16. Pursuant to 28 U.S.C. § 1331, this Court has original subject matter jurisdiction over the claims that arise under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the Stored Communications Act, 18 U.S.C. § 2701. This Court has supplemental jurisdiction over all other claims pursuant to 28 U.S.C. § 1367(a).

17. This Court also has jurisdiction over the subject matter of this action pursuant to 28 U.S.C. § 1332(d), because the amount in controversy for the Class exceeds $5,000,000 exclusive of interest and costs, there are more than 100 putative class members defined below, and a significant portion of putative class members are citizens of a state different from Defendants.

18. This Court has general personal jurisdiction over Yodlee because Yodlee’s principal place of business is in Redwood City, California.

19. This Court has specific personal jurisdiction over Envestnet because it regularly conducts business in this District and a substantial portion of the events and conduct giving rise to Plaintiff’s claims occurred in this State.

20. Venue is proper in this District pursuant to 28 U.S.C. § 1391(b), (c), and (d) because Defendants transact business in this District; a substantial portion of the events giving rise to the claims occurred in this District; and because Defendant Yodlee is headquartered in this District.

21. Intra-district Assignment: A substantial part of the events and omissions giving rise to the violations of law alleged herein occurred in the County of San Mateo, and as such, this action may be properly assigned to the San Francisco or Oakland divisions of this Court pursuant to Civil Local Rule 3-2(c).

PARTIES

A. PLAINTIFF

22. Plaintiff Deborah Wesch (“Plaintiff”) is a natural person and citizen of the State of New Jersey and a resident of Monmouth County.

23. Plaintiff Ms. Wesch is a PayPal user who connected her bank account to PayPal through Yodlee’s account verification application programming interface (“API”). Defendants abused their access to Ms. Wesch’s bank account by collecting and selling Plaintiff Wesch’s sensitive personal data without her knowledge or consent.

B. DEFENDANT

24. Defendant Yodlee, Inc. is a Delaware corporation with principal executive offices located at 3600 Bridge Parkway, Suite 200, Redwood City, CA 94065.

25. Defendant Envestnet, Inc. is a Delaware corporation, with principal executive offices located at 35 East Wacker Drive, Suite 2400, Chicago, Illinois 60601.

FACTUAL BACKGROUND

I. THE FOUNDING OF YODLEE

26. Yodlee was founded in 1999. Initially, Yodlee was focused on providing banks and financial institutions with software that would improve the user experience, for example, making it possible for banking clients to view bank statements, financial accounts, and investment portfolios all at once without relying on multiple logins or webpages.

27. Yodlee later expanded its business to develop APIs for financial apps and software (collectively, “FinTech Apps”). This includes payment apps, such as PayPal; personal budgeting apps, such as Personal Capital; and apps for particular banks. Yodlee’s software silently integrates into its clients’ existing platforms to provide various financial services, like budgeting tools, savings trackers, or account history information. In each instance, the customer believes that it is interacting with its home institution (e.g., its bank) and has no idea it is logging into or using a Yodlee product.

28. Defendants profit from these interactions in two ways. First, the financial institutions that use Defendants’ software pay a licensing fee to integrate Yodlee’s API into their platform. Second, Yodlee collects the financial data of each individual that connects to one of the FinTech Apps through a bank or other financial institution using its software. This information, which includes bank account balances, transaction history and other data, is then aggregated with that of other individuals and sold to third parties for a fee.

29. Yodlee’s reach and the amount of data it collects is extraordinary. More than 150 financial institutions and a majority of the 20 largest U.S. banks integrate Defendants’ API into their platforms. According to filings with the SEC, more than 900 companies subscribe to the Yodlee platform to power customized FinTech Apps and services for millions of their users.

30. Given its widespread success, Yodlee went public on NASDAQ in October of 2014, generating almost $100 million that year. Prior to its public offering, Yodlee claims it only provided data to third parties for “research uses,” such as “enhanc[ing] predictive analysis.”

31. In 2015, Yodlee was acquired by Envestnet. The deal valued Yodlee at $590 million or approximately $19 per share. The acquisition was considered the second largest FinTech deal in U.S. history at the time.

32. That same year, the Wall Street Journal released a report revealing for the first time that a large part of Yodlee’s revenue was actually generated by a different lucrative source: selling user data. The report concluded that Yodlee has been selling data it gathers from users for at least the last year.

33. Yodlee denied the Wall Street Journal report, claiming it had only “a very limited number of partnerships with firms to develop . . . sophisticated analytics solutions.” Yodlee claimed these partners only received “a small, scrubbed, de-identified, and dynamic sample of data to enable trend analysis. Yodlee does not offer, nor do partners receive, raw data.”

34. Currently, Defendants sell sensitive personal data of tens of millions of individuals to a large customer base, including investment firms and some of the largest banks in the United States, like J.P. Morgan.4 One of Yodlee’s products, called its “Data Platform,” offers “the best and most comprehensive financial data at massive scale across retail banking, credit, and wealth management.” Yodlee explains “[t]his is made possible through the strengths of our data acquisition capabilities, extensive data cleaning and enrichment expertise, and massive scale.”5

35. Defendants’ sale of users’ highly sensitive personal data violates their privacy rights and several state and federal laws because, as explained below, that data is collected without Plaintiff’s and Class members’ knowledge or consent. Furthermore, Yodlee fails to implement adequate security measures to protect Plaintiff’s and Class members’ data, leaving their highly sensitive personal data vulnerable to hackers, criminals, and other unauthorized third parties.

4 Joseph Cox, Leaked Document Shows How Big Companies Buy Credit Card Data on Millions of Americans, VICE (Feb. 19, 2017), https://www.vice.com/en_us/article/jged4x/envestnet-yodlee-credit-card-bank-data-not-anonymous.
5 Id.

II. YODLEE COLLECTS AND SELLS INDIVIDUALS’ FINANCIAL DATA WITHOUT THEIR CONSENT

36. While Yodlee claims that it only sells “small . . . sample[s] of data,”6 in reality, Defendants sell millions of users’ sensitive personal data to hundreds of clients. As explained below, this data is collected without the individual’s consent by leveraging credentials provided to Yodlee for a different, specific, and limited purpose.

37. For example, PayPal uses Yodlee’s account verification API to validate an individual’s bank account so that the individual can use that account with PayPal’s services. An individual is prompted by the following screen when attempting to connect her bank account:

FIGURE 1
[image not reproduced]

38. The first screen displayed in Figure 1 states that “[PayPal] use[s] Yodlee to confirm your bank details and to check your balance and transaction as needed, which can help your PayPal payments go through.” This limited interaction is all that the individual consents to. Nowhere does she give either PayPal or Yodlee permission to collect and store data for resale.

6 Yodlee Responds and Corrects The Wall Street Journal Article, YODLEE, archived at: https://web.archive.org/web/20150816230052/https://www.yodlee.com/yodlee-responds/ (last visited Aug. 21, 2020).

39. But this is exactly what happens. Yodlee goes beyond facilitating the log in transactions by storing a copy of the individual’s banking data, and retains the username and password that the individual provides on log in screens, like that displayed in Figure 1, to collect and store the individual’s bank account transaction history on an ongoing basis. The individual never consents to this kind of data collection, which solely benefits Yodlee and is unrelated and unnecessary to complete the log in transaction.

40. An individual cannot opt out of or turn off Yodlee’s access to her bank account information after providing her credentials. For example, while the first screen in Figure 1 states, “[y]ou can turn off our use of Yodlee by removing permissions for this Bank in your Profile,” this pertains only to PayPal’s access. Yodlee still retains the individual’s credentials and continues to access her bank account to collect and sell highly sensitive financial data without consent even after PayPal’s permissions are removed.

41. Yodlee’s recurring collection of and continued access to an individual’s financial data is never disclosed. Yodlee’s privacy policy only applies to its own direct-to-consumer products and does not cover the APIs that power FinTech Apps or facilitate log in transactions like that described in Figure 1.7 Instead, Yodlee directs an individual using “Yodlee powered services delivered through a Yodlee client” to refer to Defendants’ “client’s data governance and privacy practices.” Thus, where an individual unknowingly uses Yodlee to connect her bank accounts to a FinTech App, there is nowhere she could have looked in Yodlee’s policies to learn the full extent of data Defendants were collecting from her or the fact that Defendants were selling her data.

42. Nor does Yodlee require its FinTech App clients to make any such disclosures. For example, while the PayPal Privacy Statement linked to in the first screen of Figure 1 discloses that PayPal does not “sell [individuals’] personal data,” it says nothing about whether third-party service providers, such as Yodlee, collect and sell such sensitive financial data. Likewise, while the PayPal Privacy Statement provides that “you may be able to manage how your personal data is collected, used, and shared by [third-parties],” it does not provide individuals with a way to manage what data Defendants collect about them through PayPal or how Defendants use and share that data with others. Such controls would have to come directly from Yodlee, which does not allow individuals to manage their personal data, because doing so would undermine Defendants’ highly profitable data aggregation business.

7 Privacy Notice, YODLEE (July 31, 2020), https://www.yodlee.com/europe/legal/privacy-notice#:~:text=The%20Yodlee%20Services%20databases%20are,of%20identification%20including%20biometric%20authentication.

43. Not only do Defendants collect more data than is necessary from individuals that interact with their FinTech Apps—Defendants’ service is not necessary at all.

44. Historically, in order to allow a third party access to a bank account, a user had to submit her bank routing and account numbers; transfer a small trial deposit (usually a few cents); and then return to the bank to verify the amount transferred. This process usually took several days, a delay that could—in the fast-moving Internet age—cause potential users of FinTech Apps to give up on using the app at all.

45. One alternative to this process is “OAuth.” Users are likely familiar with this procedure because it has become the industry-standard protocol for users who wish to grant a website or an app permission to access certain information from another website or app. Crucially, OAuth “enables apps to obtain limited access (scopes) to a user’s data without giving away a user’s password.”8 For instance, consider an example in which a user wishes to grant Facebook permission to access her Twitter account so that it can integrate its social media accounts together. Before it can do so, the user will be redirected from Facebook to Twitter, where it must login to ensure it is authorized to grant those permissions.9 Then, a dialogue box pops up, asking which permissions the user is granting and which it is denying. The dialogue box might look something like this:

[image of the OAuth permissions dialogue box not reproduced]10

46. In this example, note that the user grants Facebook permission to update its Twitter profile and even post to the user’s Twitter account (“This application will be able to . . . Update your profile; Post Tweets for you”), but denies Facebook permission to see the user’s Twitter password (“This application will not be able to . . . See your Twitter password”). Instead, the user provides her Twitter username and password only to Twitter. Twitter then sends a “token” to Facebook, essentially confirming to Facebook that the user’s login to Twitter was legitimate. Scopes are one of the “central components” and perhaps even “the first key aspect” of OAuth.

47. But as with the old-fashioned way of authorizing a bank account by providing account and routing numbers and waiting for a small deposit, OAuth requires a user to leave the app and be redirected to another site or interface to log in. This supposedly undermines an app’s ability to sign up new users by driving away individuals who decide it is not worth the trouble of dealing with the OAuth process.

48. Yodlee’s API purports to solve this problem, but the distinctions between Yodlee’s API and true OAuth underscore the grave risk that Yodlee poses to individuals. First, Yodlee does not provide a clear dialogue box outlining the scopes of the permissions that the user is granting to Yodlee or the permissions the user is denying to Yodlee. Indeed, the user has no option to deny Yodlee any permissions at all.

8 See Matt Raible, What the Heck is OAuth?, OKTA (June 21, 2017), https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth.
9 Redirection from the app the user is currently using to the app where it retains the data to which it is granting permission is a hallmark of OAuth.
10 Raible, supra n. 8.

49. Second, the core principle of OAuth—and what has made it the industry-standard authorization protocol—is that it provides for access to an individual’s data without disclosing the individual’s password to the service requesting authorization. This places the individual in control, because she can cut off the service’s access to her data by revoking the service’s OAuth access. Yodlee specifically designed its API to circumvent this protection, deceiving users into providing Defendants with their bank usernames and passwords so that Defendants can use those credentials to collect sensitive financial information on an ongoing basis without giving the individual a way to revoke access to that data. As explained above, Defendants accomplish this by deceiving users into thinking that they are logging into their financial institutions’ app or website, when in fact they are entering their credentials directly into Defendants’ portal.

50. Yodlee is capable of integrating OAuth into its API. It has done so in Europe in order to comply with the European Union’s Second Payment Services Directive. Yet in the United States, Defendants continue to deploy credential-based authentication because, though it falls short of the industry standard, it is a source of immense profit.
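The contrast drawn in paragraphs 45 through 50, as an added toy model in Python (not code from the complaint, from Yodlee, or from any other party): a bank that issues a scoped token it can later revoke, versus a verification service that keeps a copy of the user's password. The bank class, the scope names, the account holder and the ledger values are all constructed for the illustration.

```python
"""Toy model of two authorization designs: an OAuth-style scoped, revocable
token versus stored bank credentials. All names and data are constructed."""
from dataclasses import dataclass, field
import secrets


class AccessDenied(Exception):
    """Raised by the bank when a request is not authorized."""


@dataclass
class Bank:
    """Stand-in for the financial institution that holds the user's data."""
    passwords: dict                              # username -> password
    ledgers: dict                                # username -> transactions
    tokens: dict = field(default_factory=dict)   # token -> (username, scopes)

    def _check_password(self, username: str, password: str) -> None:
        if self.passwords.get(username) != password:
            raise AccessDenied("bad credentials")

    def _read(self, username: str, scope: str):
        if scope == "balance":
            return sum(self.ledgers[username])
        if scope == "transactions":
            return list(self.ledgers[username])
        raise AccessDenied(f"unknown scope {scope!r}")

    # OAuth-style path: the user authenticates at the bank, approves a set of
    # scopes, and the bank hands the app an opaque token. The app never sees
    # the password, so the bank (not the app) controls what the token reaches.
    def issue_token(self, username: str, password: str, scopes) -> str:
        self._check_password(username, password)
        token = secrets.token_hex(16)
        self.tokens[token] = (username, frozenset(scopes))
        return token

    def revoke_token(self, token: str) -> None:
        """User-initiated revocation: the bank simply forgets the token."""
        self.tokens.pop(token, None)

    def read_with_token(self, token: str, scope: str):
        entry = self.tokens.get(token)
        if entry is None:
            raise AccessDenied("token revoked or unknown")
        username, scopes = entry
        if scope not in scopes:
            raise AccessDenied(f"scope {scope!r} was not granted")
        return self._read(username, scope)

    # Credential path: whoever presents the password gets everything. There is
    # no scope to narrow and no token the user could revoke at the bank.
    def read_with_password(self, username: str, password: str, scope: str):
        self._check_password(username, password)
        return self._read(username, scope)


def make_sample_bank() -> Bank:
    """Constructed sample data: one account holder with three transactions."""
    return Bank(passwords={"deborah": "correct-horse"},
                ledgers={"deborah": [100, 75, -25]})


def oauth_scenario(bank: Bank) -> dict:
    """App gets a balance-only token; an out-of-scope read and any read after
    revocation are refused by the bank itself."""
    token = bank.issue_token("deborah", "correct-horse", scopes={"balance"})
    out = {"balance": bank.read_with_token(token, "balance")}
    try:
        bank.read_with_token(token, "transactions")
        out["transactions"] = "leaked"
    except AccessDenied:
        out["transactions"] = "denied"
    bank.revoke_token(token)
    try:
        bank.read_with_token(token, "balance")
        out["after_revoke"] = "leaked"
    except AccessDenied:
        out["after_revoke"] = "denied"
    return out


def credential_scenario(bank: Bank) -> dict:
    """A verification service keeps the credentials it was handed for a one-time
    check. Removing the app's permission only flips the app's own flag; the bank
    cannot distinguish a stored-credential pull from the user logging in."""
    stored = ("deborah", "correct-horse")   # copy retained by the service
    app_permission = True
    out = {"verify": bank.read_with_password(*stored, "balance")}
    app_permission = False                   # user "turns off" the app link
    # The flag above is invisible to the bank, so the stored copy still works.
    out["after_app_revoked"] = bank.read_with_password(*stored, "transactions")
    out["app_permission"] = app_permission
    return out


if __name__ == "__main__":
    print(oauth_scenario(make_sample_bank()))
    print(credential_scenario(make_sample_bank()))
```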

51. By failing to provide disclosures or obtain users’ consent to collect and sell their sensitive personal data, Defendants violated Plaintiff’s and Class members’ privacy rights and state and federal law.

III. YODLEE’S FAILURE TO DISCLOSE VIOLATES SEVERAL PRIVACY LAWS

52. As discussed above, Yodlee’s privacy policy only applies to its “direct-to-consumer services and websites.” For consumers who access Yodlee’s services through one of Yodlee’s clients, such as PayPal, Yodlee pushes off the burden of providing adequate disclosures to consumers onto the client. This is an abdication of Defendants’ duties under the law.

53. In California, several statutes require Defendants to provide clear disclosures to consumers about their conduct, including that they collect and sell consumers’ sensitive personal data.

54. For example, the California Consumer Privacy Act (“CCPA”) protects consumers’ personal information from collection and use by businesses without providing proper notice and obtaining consent.

55. The CCPA applies to Defendants Envestnet and Yodlee because they individually earn more than $25 million in annual gross revenue. Additionally, the CCPA applies to Defendants because they buy, sell, receive, or share, for commercial purposes, the personal information of more than 50,000 consumers, households, or devices.

56. The CCPA requires a business that collects consumers’ personal information, such as Defendants’ business, to disclose either “at or before the point of collection . . . the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” Cal. Civ. Code § 1798.100(b).

57. Furthermore, “[a] business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” Id.

58. Other state statutes that govern Defendants’ disclosures include California’s Financial Information Privacy Act (“CalFIPA”), Cal. Fin. Code § 4053(d)(1), and the California Online Privacy Protection Act (“CalOPPA”), Cal. Bus. & Prof. Code § 22575. CalFIPA requires that the language in privacy policies be “designed to call attention to the nature and significance of the information” therein, use “short explanatory sentences,” and “avoid[] explanations that are imprecise or readily subject to different interpretations.” Cal. Fin. Code § 4053(d)(1). The text must be no smaller than 10-point type and “use[] boldface or italics for key words.” Id. In passing CalFIPA, the Californ