Need to know
- Buy now, pay later (BNPL) providers collect data well beyond what is needed, including location data
- Targeted marketing from data insights may increase the risks of financial harm to consumers
- CHOICE is calling for urgent reform to the Privacy Act to ensure BNPL providers use consumer data ethically and fairly
Buy now, pay later (BNPL) services are unregulated financial products, and their use of customer data is yet another way that they pose a risk to consumers.
BNPL services use highly sophisticated data analytics systems to profile users and their spending habits for the purposes of targeted marketing and increased sales.
Some, such as Afterpay, are ramping up their data analytics services using artificial intelligence in order to boost revenue and profit.
But, while a boon for merchants, targeting can increase the financial risk to consumers.
When customers sign up to a BNPL they are consenting to the collection, storage and use of their information
When customers sign up to a BNPL they are consenting to the collection, storage and use of their information by this service as well as any of the provider's third parties or partners. And, while this is stated in BNPL privacy policies, less than half of those signing up will read them – which is understandable given the dense legal jargon they are filled with.
We've looked closely at the privacy policies and data use of some of the major BNPL players to find out what data they actually have on you, who they are sharing it with, what the risks are, and whether you can do anything about it.
Data analytics
Data analytics is the process of analysing raw data, in this case from customers making purchases using a BNPL platform.
Data is a valuable commodity to fintech companies and BNPL services are no exception with their business models being largely data driven.
The data gathered can be used to gain insights into who is using their platform, and can include:
- tracking spending habits
- identifying trends
- assessing the success of ad campaigns
- analysing customer behaviour.
The main purpose is to use this information to boost revenue and profit through the development of new products, customisation and personalised ad content.
Afterpay, Zip, Humm, Latitude Pay, Open Pay, and Klarna all mention in their privacy policies that they use your information for data analytics or research.
Buy now pay later providers collect your transaction data.
What data do BNPLs have on you?
When you apply, BNPLs will collect personal information on you such as your ID, address and contact details, banking and financial details and credit history. When you use the platforms, they also collect transactional data, and they may also collect medical information if you apply for hardship.
Some platforms such as Zip and Afterpay may collect information from your social media accounts, and others may collect specific demographic or sensitive data with consent.
Humm may also collect your call history if you have their app installed on your smartphone
When you use their apps and websites (whether you are a customer or not) they may collect device data, location, IP address, location data and information of other websites you visit via the use of cookies.
Humm may also collect your call history if you have their app installed on your smartphone.
But this is not an exhaustive list and the reality is BNPLs are collecting much more than this.
What exactly is third-party and partner data sharing?
Third parties and partners are local and international businesses and organisations that the BNPL works with to run their platforms, gather insights from, and share or use your data with. These could be companies that analyse data, subsidiary companies, ad agencies, data brokers or tools such as Google Analytics.
Afterpay ramps up data insights with AI
In September 2021, Afterpay introduced its new analytics platform for merchants – Afterpay iQ. This platform uses artificial intelligence (AI) as a component of data analytics and was developed using data from 156 million purchase transactions through Afterpay.
Afterpay iQ is described as a "sophisticated unsupervised machine-learning algorithm" and as of November 2021, 1200 merchants were already on board.
iQ is being offered free to merchants as a "better way to understand their customers". They can see real-time data such as sales, and use the platform to target specific customer groups with marketing.
Good for merchants, bad for customers?
While this seems like a boon to merchants it could be problematic for customers. From a privacy perspective it's not clear how customer data is used by iQ, how that data is protected, or if there are any additional protections in place to prevent financially vulnerable people from being targeted.
The amount of data collected and used by BNPLs is far greater than any person would willingly volunteer when shopping instore
CHOICE consumer data advocate Kate Bower
An Afterpay spokesperson tells us that "Afterpay iQ uses aggregated and anonymised data" and that they don't share "personally identifiable information with merchants or third parties."
However, privacy academics have sounded the alarm on the myth of de-identifed data, showing that re-identifying data is frighteningly simple.
"When everyone was shopping in bricks-n-mortar, merchants could get to know their customers in a face-to-face environment," says an Afterpay spokesperson. "Afterpay empowers merchants with the data they need to better understand their online shoppers."
CHOICE consumer data advocate, Kate Bower, says: "This is a false equivalence. The amount of data collected and used by BNPLs is far greater than any person would willingly volunteer when shopping instore. When was the last time a sales assistant asked to follow you around or see your call history?"
BNPL providers can increase revenue through targeted marketing informed by AI.
Data analytics increases risk for people experiencing financial hardship
Due to a lack of regulation, BNPL services are already a risky financial product for those with low income, insecure work and existing debt. They normalise debt, have weak hardship policies and many do not adequately assess customers' ability to afford debt.
Although utilising data can help merchants and BNPL platforms by driving sales, it's another story for the customers who use the services.
On the one hand, it may help people identify products they might like to buy or present them with offers.
But at its most insidious, it can be used to manipulate sales – which could lead to overspending and has the potential to push people experiencing financial hardship into greater debt.
Relation between consumer information and debt
A 2012 report by Deakin University and the Consumer Action Law Centre found that the increased use of customer information by businesses coincided with an explosion in levels of consumer debt.
"However, no doubt this has become bigger and more sophisticated over the last ten years," says Gerard Brody, CEO Consumer Action Law Centre.
"BNPL providers like Afterpay, as well as merchants who promote payment via BNPL, can increase revenue and profit through target marketing informed by AI."
The risk is that people will too easily get in over their heads with debt because of the way BNPL providers target them with marketing
Fiona Guthrie, CEO Financial Counselling Australia
"BNPL is unregulated credit, and that means we don't have the checks and balances that would apply if it was treated like other credit products," says Fiona Guthrie, CEO, Financial Counselling Australia.
"The risk is that people will too easily get in over their heads with debt because of the way BNPL providers target them with marketing."
"The use of data analytics can feel a bit like Big Brother. Once a business knows a lot about you, and potentially shares that information with other businesses, there is the potential for all sorts of issues – price discrimination is one."
CHOICE calls for urgent reform to protect consumers from harm
While you may agree to the privacy policy of a BNPL, you may not agree to the terms of third parties who all have their own privacy policies – that's assuming you even know who they are. Currently, it is not a legal requirement for businesses to disclose the names of third parties.
All of the privacy policies we read mention sharing your data with third parties but, with very few exceptions, they do not disclose who these parties are.
CHOICE is calling for urgent reform to the Privacy Act to limit the use of your data by third parties and demand that the name and type of business is included as a mandatory requirement of privacy policies, along with how those third parties use your data.
Australians urgently need stronger consumer protections in the Privacy Act to prevent their data being used to target them with dangerous financial products
Kate Bower, CHOICE
"Australians urgently need stronger consumer protections in the Privacy Act to prevent their data being used to target them with dangerous financial products," says Bower.
"The amount of data BNPL providers are collecting, like location data and call history, is well beyond what is needed to provide the service."
Limitations of the Privacy Act 1988
Under the Privacy Act 1988, businesses must only collect personal data that is absolutely necessary to the functioning of the service, and they are required to keep this data safe.
For data analytics this data is often de-identified, but when data is de-identified there are fewer regulations around its use.
CHOICE supports the expansion of the definition of personal information protected by the Privacy Act to include device identifiers and IP addresses because they can be used to identify and target people.
And with advances in technology, there are concerns about how anonymous our data really is.
Stock images: Getty, unless otherwise stated.