January 17, 2020

Wyden, Brown, Eshoo Urge FTC to Investigate Firm Collecting and Selling Americans’ Financial Data

Lawmakers concerned that Envestnet, operator of the largest consumer financial data aggregator in the U.S., is breaking the law by selling Americans’ personal data without consent

Washington, D.C. – U.S. Sen. Ron Wyden, D-Ore., U.S. Sen. Sherrod Brown, D-Ohio, and U.S. Rep. Anna G. Eshoo, D-Calif., today demanded the Federal Trade Commission (FTC) investigate Envestnet for possibly violating the law by recklessly selling Americans’ personal data. 

Envestnet operates Yodlee, the largest consumer financial data aggregator in the United States. Financial technology apps, banks and other companies use Yodlee to access, collect and analyze transaction data from consumers’ bank, credit card and other financial accounts. Envestnet also sells access to the financial data of tens of millions of Americans.

In a letter to FTC Chairman Joseph J. Simons, the lawmakers wrote, “The consumer data that Envestnet collects and sells is highly sensitive. Consumers’ credit and debit card transactions can reveal information about their health, sexuality, religion, political views, and many other personal details. And the more often that consumers’ personal information is bought and sold, the greater the risk that it could be the subject of a data breach, like the recent breaches at Equifax and Capital One.”

The legislators express concern that Envestnet does not adequately notify consumers that their personal financial data is being sold to third parties, therefore violating the FTC Act’s prohibitions against unfair and deceptive practices.

The lawmakers continued “Consumers generally have no idea of the risks to their privacy that Envestnet is imposing on them. Envestnet does not inform consumers that it is collecting and selling their personal financial data. Instead, Envestnet only asks its partners, such as banks, to disclose this information to consumers in their terms and conditions or privacy policy. That is not sufficient protection for users.”

In October 2019, Wyden introduced the Mind Your Own Business Act, which requires radical transparency about how corporations share, sell and use consumer data and holds accountable corporations that treat Americans’ personal information recklessly.

Last fall, Wyden urged the FTC to open an investigation into Amazon’s failure to secure servers rented to Capitol One, a security flaw that may have allowed a hacker to steal the personal information of 100 million Americans in July 2019.

A copy of today’s letter is available here.