536 F.Supp.3d 461
N.D. Cal.2021Background
- Plaid is a fintech data aggregator that integrates its "Plaid Link" login interface into payment apps (Venmo, Cash App, Coinbase, etc.). Plaintiffs allege Plaid designed bank-branded login screens that routed consumers' bank credentials to Plaid rather than directly to banks.
- Plaintiffs contend Plaid used those credentials to access, cache, aggregate, and sell extensive historical account data (transactions, geolocations, contacts, joint-account info) and routinely updated that cache.
- Eleven named plaintiffs (various states) allege they logged into fintech apps and linked bank accounts via the interface described in the complaint; they claim they were not meaningfully informed that Plaid would receive and retain their credentials or data.
- The consolidated amended class action complaint asserts federal and California claims, including invasion of privacy (intrusion), CFAA, SCA, CDAFA, unjust enrichment, UCL, state constitutional privacy, anti-phishing, deceit, and injunctive/declaratory relief.
- The court considered Plaid’s motion to dismiss under Rules 12(b)(1) and 12(b)(6), denied standing and merits attacks in part, but dismissed with prejudice certain statutory claims and the declaratory/injunctive standalone claim; other claims survived.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing (injury, causation, redressability) | Plaintiffs: disclosure and sale of detailed financial data injures privacy rights; harms are concrete and redressable by damages and injunctions | Plaid: alleged harms are hypothetical, plaintiffs consented by linking accounts or could have avoided Plaid; injuries are merely psychic | Held: Plaintiffs have Article III standing; privacy-allegations are concrete, causation adequately pleaded, redressability satisfied |
| CFAA and CDAFA (damage or loss requirement) | Plaintiffs: lost indemnity rights, loss of control/value of data, increased risk and diminished protection of data constitute loss/damage | Plaid: plaintiffs fail to plead the statutory "loss" or "damage" required (CFAA $5,000 threshold and CDAFA damage/loss) | Held: CFAA and CDAFA claims dismissed for failure to plead cognizable damage or loss (CFAA $5,000 not met); dismissal with prejudice |
| SCA (facility and "in electronic storage") | Plaintiffs: banks are facilities that store electronic communications and Plaid accessed those communications without authorization or in excess of authorization | Plaid: banks are not SCA "facilities" like centralized ECS providers; communications were not in backup/electronic storage as defined | Held: SCA claim dismissed because financial institutions are not plausibly SCA facilities here and plaintiffs did not plead access while communications were in electronic storage; dismissal with prejudice |
| California UCL and equitable claims; common-law deceit, intrusion, anti-phishing, unjust enrichment | Plaintiffs: UCL injury can be loss of rights or lost value of data; deceit, intrusion, anti-phishing, and unjust enrichment arise from concealment and deceptive bank-branded screens | Plaid: no economic loss for UCL; privacy policy disclosures and consent negate claims; anti-phishing targets phishing criminals not legitimate services | Held: UCL claim dismissed for failure to allege lost money or property; declaratory/injunctive standalone claim dismissed with prejudice; invasion of privacy (intrusion), California constitutional privacy claim, anti-phishing, deceit (Cal Civ Code 1709/1710), and unjust enrichment (construed as restitution/quasi-contract) survive the motion |
Key Cases Cited
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (standing requires injury in fact, causation, redressability)
- Steel Co. v. Citizens for a Better Env't, 523 U.S. 83 (jurisdictional limits on relief and Article III rules)
- Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167 (traceability and redressability principles for standing)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (concrete and particularized injury requirement)
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir.) (privacy disclosure cases analyzed for standing and intrusion)
- Andrews v. Sirius XM Radio Inc., 932 F.3d 1253 (9th Cir.) (CFAA loss narrowly construed)
- Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir.) (SCA protects communications stored by third-party providers)
- Ashcroft v. Iqbal, 556 U.S. 662 (pleading standard; plausibility)
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (plausibility and dismissal under Rule 12(b)(6))
- Fox v. Ethicon Endo-Surgery, Inc., 35 Cal.4th 797 (Cal. 2005) (accrual and statute of limitations principles)