Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I just read the settlement document, and it looks like this is being reported incorrectly or at least ambiguously.

The allegation is NOT that they shared/sold data to any third parties but that their Plaid Link user interface, where people enter their banking information to add it to Plaid, looks like the customer's financial institution (i.e, uses the bank's branding colours and logo).

Because of this branding, people can reasonably assume that they are sending that data directly to their bank without knowledge, and therefore consent, to share their information with Plaid itself.

If that understanding is correct then this isn't a business practice or security issue, but a user consent issue. That's a problem that definitely needs to be fixed, and the injunctive relief requires them to change the branding and disclosure to make it clearer that people are interacting with Plaid rather than their bank.

But to me it's definitely not a reason to cancel your account or boycott Plaid or whatever.

https://newmedialaw.proskauer.com/wp-content/uploads/sites/2...



+1. Bad reporting here. This seems to be mostly about consumer disclosure, not that what's happening under-the-hood is different that what your average security-conscious developer might expect after reading that Plaid doesn't sell your data.

That said I think the suit makes a compelling argument that the disclosures should be better.


Looks like there is some other deceptive stuff going on as well - for example, they apparently collected and stored transaction data even when developers didnt request it (at least, they are agreeing to delete this data now, so it must have been collected in some cases).


Again, I don't see anything shady there. There's two things I see in the settlement about that:

1. They proactively retrieved transaction data when you connect an account. This sounds like an assumption that almost always people are going to want transaction data, so they just do it by default, presumably to improve the first-time user experience so the data's already there when you later request it. This is going to be changed to only retrieve transaction data on demand.

2. If Plaid's connection is broken (e.g. the user changes their password) then Plaid deactivates the connection but keeps the data. They've agreed to delete the data in this case. The drawback of this change is that since many connectivity issues are going to be temporary, this means that in those cases they'll need to delete the data, then retrieve it again when the user reconnects.

Basically it sounds like they optimized a little too hard on user experience, especially when connecting a new account, and in the process they overstepped user consent. I don't see any bad intent there personally, it sounds like they were just a bit overzealous trying to make the experience super slick.


Optimizing away user consent for collection and storage of highly sensitive banking transaction data certainly meets my bar for "shady".


I disagree. This sounds like an enthusiastic developer that may or may not have fully described the situation to the PM.

Shady would happen depending on what they did with the data.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: