Financial Data Access and Third-Party Sharing Authorization

What it is

When you use Plaid to connect your bank account to an app, you are authorizing Plaid to retrieve your financial data including balances and transaction history and share it with that app and Plaid's other service providers.

Why it matters (compliance & governance perspective)

Plaid acts as an intermediary between your bank and third-party apps, meaning your sensitive financial account data flows through Plaid's systems and may be shared with multiple entities beyond the app you intended to connect.

Consumer impact (what this means for users)

Your bank account balances, transaction history, and related financial data may be accessed and transmitted to third-party applications and Plaid's service partners under the authorization granted by these terms; the scope of specific sharing practices is governed by Plaid's separate Privacy Policy, which should be reviewed alongside these terms.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision directly engages the Gramm-Leach-Bliley Act (GLBA) and its implementing Privacy Rule and Safeguards Rule, which govern how nonbank financial institutions collect, use, and share nonpublic personal financial information. The CFPB's Section 1033 of the Dodd-Frank Act establishes consumer rights to access financial data and constrains how that data may be shared; the CFPB finalized rulemaking under Section 1033 in 2024, which creates new requirements for authorized third parties like Plaid. The FTC has previously taken enforcement action against Plaid (2022 consent decree) related to data collection practices, making FTC Act Section 5 directly relevant. (2) GOVERNANCE EXPOSURE: High. The authorization granted by users in this provision is the legal basis for Plaid's core business function, and the adequacy of that consent is subject to regulatory scrutiny under GLBA, CFPB Section 1033 rulemaking, and state privacy laws. The reference to sharing with unspecified 'service providers and partners as described in the Plaid Privacy Policy' creates a disclosure gap if users do not separately review the Privacy Policy; this structure may face scrutiny under transparency requirements in GDPR (Articles 13 and 14) and CCPA. (3) JURISDICTION FLAGS: California (CCPA and CPRA) requires specific disclosure of categories of personal information shared with third parties and provides opt-out rights for sale or sharing of personal information. EU and UK GDPR require a clear lawful basis for processing financial data (typically consent or legitimate interests), and the adequacy of consent obtained through an app connection flow may require careful evaluation. The CFPB Section 1033 final rule creates specific authorization and revocation requirements that apply regardless of state. (4) CONTRACT AND VENDOR IMPLICATIONS: Organizations using Plaid as a vendor should assess whether Plaid's data sharing authorizations align with their own privacy notices and consumer-facing disclosures. Data processing agreements with Plaid should clearly delineate the roles of controller and processor under GDPR, and should address data retention, deletion, and security obligations consistent with GLBA Safeguards Rule requirements. Downstream developers who receive financial data via Plaid are also subject to their own GLBA and state privacy obligations. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map the specific categories of financial data Plaid accesses (account numbers, balances, transaction data, credentials) against their data inventories and privacy notices. The adequacy of user consent should be evaluated against CFPB Section 1033 authorization standards, which include requirements for specific, informed, and revocable consent. Review the Plaid Portal (my.plaid.com) as a potential user-facing revocation mechanism and ensure it is disclosed to consumers.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Mandatory Binding Arbitration and Class Action Waiver high
• Limitation of Liability high
• Intellectual Property License Grant for User Content low
• Unilateral Right to Modify Terms medium
• Account Termination and Service Suspension medium
• Governing Law and Jurisdiction medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.