Lawmakers Say Financial Giant Envestnet Has Been Selling User Data Without Telling Them

A trio of lawmakers are urging the FTC to investigate financial-data corporation Envestnet for selling consumers’ personal data without first clearly informing customers. Envestnet is a financial services giant used by 15 of the 20 largest banks in the country to provide personal financial tools to their customers. Its subsidiary, Yodlee, also develops software and apps that allow consumers to track their finances at a glance. A letter sent to the FTC by Oregon Senator Ron Wyden, Ohio Senator Sherrod Brown, and California Representative Anna Eshoo warns that Yodlee and Envestnet have been selling that data to a large number of third parties without making it clear, a violation of the FTC Act.

“The consumer data that Envestnet collects and sells is highly sensitive," the lawmakers said. "Consumers’ credit and debit card transactions can reveal information about their health, sexuality, religion, political views, and many other personal details."

"And the more often that consumers’ personal information is bought and sold, the greater the risk that it could be the subject of a data breach, like the recent breaches at Equifax and Capital One" the trio added. Granted, even if the FTC investigates, there’s no guarantee that much will come of it. One study found that roughly 60 percent of FTC staffers have financial conflicts of interests with the companies they’re tasked with holding accountable. Such “revolving door regulators” often don’t try very hard to penalize companies they’ve either previously worked for—or are hoping to soon be hired by. The FTC is also historically underfunded and understaffed when it comes to privacy. The agency has roughly 8 percent of the staff of similar agencies in the UK tasked with policing privacy and data security, despite the UK having a fifth as many consumers to protect. As a result, even when the FTC does act the end result is often lacking. The FTC’s Equifax settlement, for example, promised the breach’s 147 million victims $125 compensation; a payout that suddenly and abruptly evaporated when those victims went to collect it. The FTC’s ability to act is also limited by whether something is clearly “unfair and deceptive,” under the FTC Act a restriction corporate lawyers often tapdance around. The agency’s shaky authority (and dwindling resources) are a major reason why the telecom sector lobbied fiercely to shift telecom oversight from the FCC to the FTC in 2017. While Envestnet claims that the financial data it collects is secure because it’s “anonymized,” study after study have showcased how anonymous data isn’t really all that anonymous, and users can routinely be easily identified with just a few additional snippets of information. One MIT study into anonymized credit card data found that the dates and locations of just a few purchases can easily reveal the identities of the consumer with minimal work. The researchers went so far as to call the protection anonymization provides an “illusion.” In their letter to the FTC, the lawmakers note that instead of clearly disclosing its data sales practices itself, it shovels that responsibility to its banking partners, who bury these notifications deep in the fine print of overlong and confusing terms and conditions and privacy policies. “That is not sufficient protection for users,” the lawmakers said. “Envestnet should not put the burden on consumers to locate a notice buried in small print in a bank or apps’ terms and conditions or privacy policy, and then find a way to opt out—if that is even possible—in order to protect their privacy.”