Three lawmakers want the Federal Trade Commission to investigate whether the giant U.S. data corporation Envestnet and its subsidiary Yodlee are breaking the law by collecting and selling millions of Americans’ sensitive financial information without appropriate consent.
Sens. Ron Wyden, D-Ore., Sherrod Brown, D-Ohio, and Rep. Anna G. Eshoo, D-Calif., recently penned a letter to FTC Chairman Joseph Simons demanding the agency determine whether Envestnet’s sale of consumer data to third parties constitutes an “unfair, deceptive or abusive act or practice” and ultimately violates the FTC Act.
“We also urge the FTC to investigate whether Envestnet and the companies to which it has sold consumer data have the required technical controls in place to protect Americans’ sensitive financial data from reidentification, unauthorized disclosure to hackers or foreign spies, or other abusive data practices,” the lawmakers wrote.
According to the trio, Yodlee is America’s largest consumer financial data aggregator and more than 1,200 companies—including 15 of the top 20 largest U.S. banks—use the transaction information it captures to offer personal finance tools to their customers online. Envestnet also manages a database of credit and debit card transactions from tens of millions of consumers and sells access to that consumer data. Though the company claims that individuals’ privacy remains protected because it anonymizes all the data it collects, the lawmakers note that experts have repeatedly proven that users can be re-identified through purportedly anonymized data.
Wyden, Brown and Eshoo also argue that Envestnet does not adequately inform Americans about how it’s using their personal financial information, but instead calls on the banks and other partners it works with to disclose that information in their own terms of service and privacy policies.
In a statement Friday, Envestnet reiterated that it protects consumers by anonymizing the data it sells and added that it’s “dedicated to improving the financial lives of consumers and does so in compliance with law and regulations and in accordance with leading industry practices for data security, regulatory compliance and privacy.”