“Buy now, pay later” (BNPL) apps allow users to make purchases on credit and pay off the balance in installments. Their popularity has risen steadily over the years, to the point that somewhere between 1 in 4 and 1 in 3 Americans has tried at least one. These apps are often described as a double-edged sword: on one hand, they offer a low barrier to obtaining credit; on the other, they can lead people into financial trouble or worsen problems they already had, for example by affecting their credit scores.
While it’s true that the specters of late fees and interest rates, as well as the threats of financial exploitation and fraud, loom large over these BNPL apps, there’s a whole gamut of risks that’s too often overlooked. Apps like these require a lot of personal information to function properly while meeting relevant regulatory requirements. Given the financial nature of the transactions made through these apps, their developers also often have to collect sensitive personal information, further raising the stakes when it comes to data privacy and security.
To examine the data-handling practices of BNPL apps and the associated data-privacy risks, a group of researchers from the privacy protection company Incogni studied some of the most popular BNPL apps in the United States. Their focus was on the apps’ data-collection and data-sharing practices: exactly which data types are collected and shared, the purposes their developers give for both, and the privacy implications of each.
How surprising the results are depends on how familiar the reader already is with the data-handling practices of popular mobile apps in general. Incogni’s researchers found that the studied apps collected an average of 14 data types about their users and shared an average of 5 with third parties. The histogram below breaks down the 8 most-downloaded BNPL apps by the data types their developers collect and/or share.
The app Afterpay: Pay over time interacts with the greatest number of user data types, handling 20 different types of user data. Klarna | Shop now. Pay Later. and Uplift – Buy Now, Pay Later each interact with 19 data types. Notably, Uplift is the only one of these apps whose developers claim not to share most of the data they collect, even though they collect such a wide range of data types.
As expected, all the investigated apps collected (and sometimes shared) at least some financial and personal information. However, Incogni’s researchers found that both Sezzle – Buy Now, Pay Later and Zip – Buy Now, Pay Later also collect web-browsing histories, while Klarna collects in-app messages. These are the kinds of data types that are difficult to justify against the ostensible purpose of their collection: the provision of a BNPL service via a mobile-app interface.
A finer level of detail is available for the data points and data types the apps were found to share with third parties.
Afterpay’s developers reported sharing 17 data types with third parties, followed by Sezzle with 9 shared types and Klarna and Affirm with 4 each. To gauge the impact of this, Incogni’s researchers also considered the apps’ download numbers: although not a reliable indicator of user counts, these at least set upper bounds on the numbers of users affected (assuming that each user downloaded a given app at least once).
Incogni’s researchers were then able to drill down into specific data points, which apps shared and/or collected those data points, and how many users are potentially affected by each data point being shared and/or collected.
The following shared data points are of note:
- Precise location was shared by Affirm, Afterpay, and Zip. The precise locations of as many as approximately 53 million devices and their users were potentially shared by these three apps.
- Names were shared by Afterpay and Sezzle. As many as nearly 30 million users are estimated to have been affected.
- Addresses were shared by Afterpay and Four. With a combined 21 million downloads, as many addresses could have been shared by just these two apps.
- Phone numbers were shared by Afterpay and Four. The same combined 21 million downloads represent potentially as many phone numbers shared with third parties.
- Credit scores were shared by Afterpay. This sensitive data point may have been shared for as many as 20 million users (the app having been downloaded that many times).
Some apps’ developers also collected (but didn’t admit to sharing) the following:
- Photos were collected by Klarna and Afterpay. These apps have a combined 52 million downloads.
- Web-browsing history was collected by Zip and Sezzle. These apps have a combined 15.4 million downloads.
- Purchase history was collected by Klarna, Afterpay, and Uplift. Over 52 million downloads in total.
- Credit scores were collected by Klarna, Afterpay, and Uplift. Again, over 52 million downloads in total.
As concerning as it is to have credit scores collected, it’s not difficult to see how this might be justified in the context of a BNPL app. Harder to justify is the collection of photos and browsing and purchasing histories, let alone the sharing of precise locations (under any circumstance) and contact details (whose justification depends on who or what they’re being shared with, and why).
Incogni’s researchers also delved into the purposes developers gave for collecting and/or sharing user data. They found that each app’s developers claimed an average of 42 purposes for collecting data, which, averaged across apps, works out to just over 2.5 purposes for every data type collected. The figure was only slightly lower for shared data, with an average of 2.2 purposes claimed per data type shared.
“App functionality” was the most common reason given for collecting data (28% of all purposes given), followed by “analytics” (20%) and “fraud prevention and security” (18%). For sharing data, “analytics” was the most common purpose given (24%), with “app functionality” and “fraud prevention and security” following closely behind (at 20% each) and “advertising or marketing” (16%) rounding out the top four.
Darius Belejevas, Head of Incogni, commented that:
It’s important that we don’t become desensitized or resigned to all this data collection and sharing. Our research shows clear differences between the data-handling practices of these apps. There might not be a clear “winner”—choosing the right app will involve compromises—but shopping around and comparing BNPL apps and platforms definitely makes sense, and could end up making all the difference.
Adding:
As concerning as data-sharing practices can be, data collection carries risks that many people rarely think about. Something that our researchers only touched upon in their latest report is the risk associated with a company holding large amounts of personal data. No company is immune to having its systems breached by bad actors. Klarna and Block (which acquired Afterpay) have both experienced serious data breaches in the past 5 years, with user data being stolen in both incidents. And it need not be the company itself that’s breached. For example, one of Affirm’s partners, Evolve Bank, had its systems—that contained Affirm customers’ personal data—breached, leading to at least some of that data being stolen.
The safest route, then, is to restrict how much personal data is collected in the first place. Once collected, personal information tends to be shared (with third parties that may in turn share it with others, and so on) and remains exposed to breach and exfiltration for as long as it’s stored.
Incogni’s full analysis (including public dataset) can be found here.

