Stacey Rolland
The US privacy regime is built squarely upon the dual concepts of notice and consent. Most Americans are familiar with the online notice-and-consent mechanism – a webpage displays a privacy policy notice and the individual is asked to consent to data collection and processing by ticking a box.
Criticisms of the notice-and-consent framework abound, centering on arguments like:
- The increasing complexity of the privacy regime has led notices to be written in lengthy and inscrutable legal language which the average consumer has neither the time nor ability to read and understand
- Notice and consent places the burden on consumers to protect their privacy and shifts accountability away from companies / data collectors
- Sites can be optimized to limit opt-ins, and “dark patterns” (tricks designed by web developers to manipulate users into doing something they otherwise would not want to do) restrict true choice
The concepts of notice and consent entered into the FTC Act and other privacy laws from traditional contract law. In contract law, the words of the contract matter. While the design of the contract is important to help facilitate parties’ ability to read and understand the terms, the actual terms of the contract do not extend to the design or user experience around the contract. In this way, traditional contract law does not align neatly with notice-and-consent exercises in the digital realm, where user interface design and user experience play an integral role in a user’s mental processing of information. Online, words and design matter.
The adequacy of traditional contract law as the underlying model for digital privacy is at issue in recent lawsuits against Plaid, Inc. Specifically, the Plaid cases raise questions about the interaction between contract law, website user interface design, and user experience. Ultimately, these lawsuits could potentially add another criticism of the notice-and-consent privacy regime – whether the decidedly-American dedication to free market contracts appropriately balances the data protection of individual Americans with the necessary accountability of data collectors.
Plaid Cases
Plaid is a fintech company offering a popular platform that enables applications like Venmo to connect with users’ bank accounts. (Plaid was acquired by Visa earlier this year for $5.3 billion). Plaid’s user interface provides a traditional text-based privacy notice and allows the user to click a “continue” button to indicate consent and move to the next screen, which displays a list of financial institution brand logos and asks the user to indicate their bank. The subsequent page mimics the log-in screen of their financial institution, which prompts the user to log in using their banking log-in credentials. This interface is owned and controlled by Plaid, not by their financial institution, and the user’s credentials are being disclosed to Plaid.
A series of class-action lawsuits (Mitchell v. Plaid Inc. and a separate consolidated claim In Re Plaid Inc. Privacy Litigation) were filed against Plaid in the Northern District of California over the summer, alleging the fintech illegally collects and misuses information from users of Venmo, Stripe, Coinbase, and Square. According to analysis in The National Law Review, Mitchell alleges violations of a litany of privacy-related statutes, including (1) common law invasion of privacy; (2) Article I, §1 of the California Constitution; (3) the Stored Communications Act (SCA); (4) the Computer Fraud and Abuse Act (CFAA); (5) California’s Comprehensive Data Access and Fraud Act (CDAFA); (6) unjust enrichment; (7) California’s Anti-Phishing Act of 2005; (8) California Unfair Competition Law (UCL); (9) California Civil Code §1709; (10) Negligence; (11) Gramm-Leach-Bliley Act (GLBA) Privacy Rule; (12) California’s Financial Information Privacy Act (CalFIPA); (13) California Penal Code §502; (14) California Online Privacy Protection Act (CalOPPA); and (15) California Consumer Privacy Act (CCPA). The consolidated class action case In Re Plaid Inc. Privacy Litigation does not include CCPA in its list of violated statutes.
Additionally, TD Bank filed suit against Plaid on October 14, 2020 (The Toronto-Dominion Bank v. Plaid Inc.) for unlawful use of TD Bank’s name, trademarks, and logos in Plaid’s user interface linking consumers’ bank accounts to its third-party fintech apps. The suits claim the appearance of their bank’s log-in screen makes users believe they are inputting their personal information into a webpage controlled by their bank, presumably an institution they already trust, whereas it is actually an interface controlled by Plaid.
According to PYMNTS.com, if “users select an option on their phones to give Plaid access to their account information, the fintech is reportedly able to access years of a customer’s bank account transactions for purposes unrelated to the transactions they wanted to conduct.” The suits claim Plaid is thus able to harvest large amounts of personal data by making users believe the data is being used to communicate directly with their bank, rather than providing it to Plaid.
Plaid’s initial response defended their data collection practices by pointing out that they provide notice and opportunity for consent before the user discloses any personal information.
Notice and Consent in the Privacy Regime
Notice is generally determined to have been satisfied when the website user is provided the organization’s privacy policy in text form before the user’s personal information is collected. The notice language indicates information an organization intends to collect from a user and how they intend to use it. As privacy legal expectations have become more complex, privacy policy notices have become longer and more difficult for the average American to read and understand.
Consent is the process by which a person acknowledges and agrees to the terms of the data collection relationship. In the notice-and-consent framework, consent pairs with notice – the consumer consents directly to the terms of the privacy notice. Thus, notice-and-consent generally mirrors the offer-and-acceptance mechanism of contract law.
Notice and Consent Rooted in Contract Law
In fact, within the notice-and-consent mechanism in the business-to-consumer context, the consumer effectively signs a contract. According to the World Economic Forum, “the normalization of this process has been necessary for business to ensure legal certainty in the obtaining and processing of personal data, particularly with the explosion in free online digital services.”
Under contract law, acceptance (or in the privacy regime, consent) does not require meaningful subjective understanding of the terms of a valid contract. Instead, having access to the terms of the agreement (or in the privacy regime, notice) is sufficient. “There is no legal obligation for organizations to provide a notice that can be fully read and understood by an individual, or to obtain affirmative, voluntary consent.” (World Economic Forum)
Thus, within the contract-based notice-and-consent model, access to the privacy policy, rather than user comprehension, is required for valid consent.
The dedication to a free market model of contract law in the privacy context is uniquely American. The evolution of data protection in Europe, for example, follows The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in 1981, which led to the establishment of separate rights of data protection and privacy. Under GDPR, consent is just one of six legal grounds for data collection and processing. One could argue that the developing arguments for a right to data privacy will run head on against the American dedication to the free market contract model upon which our privacy regime is built.
Regulation of Notice and Consent: Limits of the Contracts Model
The limits of the traditional contract law model within the notice-and-consent framework extend to regulatory enforcement of data collection and protection. As Daniel Susser notes in Notice After Notice-and-Consent, “…notice and consent reflects a free market approach to privacy: almost any behavior is permitted as long as all of the parties contractually agree to it. The role of government, in this model, is merely to ensure that the contracts are enforced.”
Currently, regulators have limited tools through which to decide whether data collection practices should be considered legitimate. If users have agreed to the terms (i.e. text) of the company’s privacy policy, “then the practices described in the policy are considered prima facie acceptable.” (Notice After Notice-and-Consent)
If offer and acceptance have occurred, the contract stands, regardless of the factors (such as inscrutability of legal notice language or interface design) that might have influenced user consent.
User Interface Design and User Experience: Integral to Notice-and-Consent
The notice-and-consent framework is a paper contract law mechanism imposed within a more complex and dynamic digital environment. As the World Economic Forum states, “notice and consent in the digital realm remains locked into predominantly skeuomorphic virtual representations of paper contracts.” User experience and user interface design are integral to information processing by the user. In fact, if we admit it is unreasonable for users to read and comprehend privacy notices, user design and experience might play an even greater role in consent than we currently recognize.
We see this phenomenon in the Plaid suits – plaintiffs claim users are more likely to consent to disclosing personal data if they believe they are disclosing their data to their bank, via the user interface that mimics their bank’s log-in screen, regardless of the lengthy privacy policy notice provided by Plaid on the previous screen. In other words, user interface design and user experience play a role in notice and influence consent.
Research demonstrates that the visual design and framing language of privacy notices can affect users’ consent (see Sleights of Privacy: Framing, Disclosures, and the Limits of Transparency). It is likely that website design and user experience influence consent not only in response to acceptance of privacy policy notices but also at the various points of data collection.
If user interface and experience inform notice and influence consent, the definition of notice should be extended to consider user interface design and user experience. Notice design should reflect the reality that users can’t consume or understand privacy policy text and that interface design on the notice page and at points of data collection informs consent.
“When privacy law ignores design, it allows Notice to become rote and ineffectual. Design can be used to obscure Notice and exploit our limited ability to understand what is being conveyed.”
Woodrow Hartzog in Privacy’s Blueprint: The Battle to Control the Design of New Technologies
Conclusion
The Plaid cases shed light on how traditional contract law is a problematic basis for the notice-and-consent framework upon which US privacy law is based.
Traditional contract law doesn’t tend to contemplate digital interface design in situations where the privacy policy legal language is provided. As law students across the United States learn in Contracts 101, if an individual signs a valid document without fully understanding the terms, caveat emptor. Digital data collection offers murkier use cases that might require more nuanced legal models.
The current dependence on the notice-and-consent framework in the US privacy regime presents conflicting conclusions. On the one hand, we justify data collection using the traditional contract law notice-and-consent mechanism. On the other hand, we acknowledge that it is unrealistic to expect the average user to read the privacy notice and it is likely that user interface design and user experience play a significant role in informing user consent, while recognizing knowledgeable and subjective consent is not even required to make the contract binding.
According to the World Economic Forum, “people absolutely need help with managing their data in complex environments, and privacy frameworks and tools should support these needs.” Rethinking notice-and-consent beyond the confines of traditional contract law can help provide a more meaningful privacy regime and help organizations build increased trust with users.