Buy Now, Pay Later… with your data

Buy Now, Pay Later (BNPL) apps are everywhere these days. Whether you’re buying sneakers or groceries, chances are you’ve seen the option to split your payments over time. It’s quick and easy. But behind the convenience is a growing privacy concern that most users know little about.

A new study from Incogni digs into just how much personal information BNPL apps collect and share. The research looked at eight of the most popular BNPL apps in the U.S. Google Play store, including Afterpay, Klarna, Affirm, and others. What it found was a pattern of aggressive data collection and sharing, with limited transparency.

They’re collecting a lot more than just your name

To offer credit, these apps do need certain details: your name, address, maybe even a Social Security number. But researchers found that the data collection doesn’t stop there.

Apps like Sezzle and Zip collect users’ web-browsing histories. Klarna collects in-app messages. Afterpay gathers and shares up to 20 different types of data, including credit scores. Most apps also collect users’ precise location data. That means they know where you are and where you’ve been.

Afterpay shares 17 types of user data with third parties. Nine of the most sensitive data points, including names, email addresses, purchase histories, and more, are often collected and shared specifically for advertising. That means your personal data could be used to build a profile that’s then sold, traded, or used to target you with ads.

Billions of data points, millions of users

The potential reach is massive. Incogni estimates that the apps sharing precise location data (Affirm, Afterpay, and Zip) may have affected up to 53 million devices. Afterpay and Klarna’s combined reach for in-app interaction tracking totals around 52 million users. Even smaller apps like Four disclose sharing names and contact details with advertisers.

In total, the average BNPL app collected 14 data types and shared five. Developers listed dozens of reasons for doing so: everything from app functionality and fraud prevention to advertising and analytics. But with so many purposes listed per data point, users are left in the dark about how their data is really being used.

What happens when things go wrong?

Klarna had a major security incident in 2021 that let users view other people’s accounts. Block, the parent company of Afterpay, suffered a breach that exposed the personal data of 8.2 million people. Affirm’s users were caught up in a breach at one of its banking partners, Evolve Bank. These incidents show how user data can be vulnerable even if the main app isn’t directly attacked.

To make matters worse, some apps don’t give users the option to delete their data. Uplift, for example, appears to offer no way for users to request data deletion. That could put the company at odds with data privacy laws in states like California and New York.
