The Hidden Privacy Risks of “Buy Now, Pay Later” Apps

Buy Now, Pay Later (BNPL) services have rapidly reshaped the retail landscape. Promising frictionless checkout experiences and flexible payment options, these apps have become a staple in both online and in-store shopping. But while consumers enjoy the convenience, few realize the privacy trade-offs involved.

BNPL providers collect and process vast amounts of personal data, often beyond what is necessary for the transaction. As these services expand globally, privacy risks are becoming more complex and harder to manage. This article explores how BNPL apps operate, the technical privacy risks they pose, and what retailers and consumers can do to mitigate them.

The Rise of BNPL in Retail

BNPL services have gained traction worldwide, particularly in North America, Europe, and Australia. Retailers are embracing them to boost conversion rates, reduce cart abandonment, and attract younger demographics who may be wary of traditional credit/loan services.

These apps typically allow consumers to split payments into instalments with little or no interest. While the financial model is appealing, the underlying data practices are often opaque. BNPL providers rely heavily on behavioural analytics, profiling, and third-party data sharing to assess risk and personalize offers.

What Data BNPL Apps Collect, and Why It Matters


BNPL apps collect a wide range of data, including:

  • Personal identifiers: name, address, email, phone number

  • Financial data: bank account details, credit history, repayment behaviour

  • Behavioural data: shopping habits, browsing history, device usage

  • Metadata: IP address, geolocation, device fingerprinting

This data is used not only to assess creditworthiness but also to build detailed consumer profiles. These profiles can be monetized through targeted advertising, shared with third parties (e.g., marketing agencies), or used to influence future lending decisions.

The concern is not just the volume of data collected, but the lack of transparency around how it’s used. Many BNPL providers operate across borders, making it difficult for consumers to understand which laws apply and how their rights are protected.

Privacy Risks to Consumers

BNPL services introduce several technical and ethical privacy risks:

  • Opaque data sharing: Consumers are often unaware of how their data is shared with retailers, credit bureaus, and marketing partners. This further reduces the control a consumer has over their data and over who holds it.

  • Varied data collection practices: BNPL apps collect user data not only during sign-up but may also collect it passively through device tracking and in-app interactions.

  • Profiling and discrimination: Should a consumer choose to engage in BNPL services offered via a retailer’s website, they might face unexpected rejection. BNPL algorithms make real-time decisions about whether a consumer qualifies for instalment payments, what repayment terms to offer, and how much credit to extend. These decisions by the BNPL provider can be biased if they rely on incomplete or inferred data, potentially leading to discriminatory outcomes such as denying access or offering less favourable terms based on location, device type, or a consumer’s digital history.

  • Consent fatigue: Users may click through BNPL/retailer privacy policies without understanding the implications, thus exposing themselves to privacy risks as a result of making uninformed decisions.

These risks are compounded by the financial vulnerability of some users. BNPL apps can encourage overspending, and when combined with aggressive data collection, they create a risky environment for privacy and financial well-being.

At the end of the day, while retailers typically offer BNPL options as part of their checkout experience, the actual decision-making, including whether a consumer is approved and under what terms, is handled by the BNPL provider. The retailer in question is simply benefitting from a more “frictionless” checkout process that stimulates higher conversion rates, larger basket sizes, reduced financial risk, and a competitive advantage.

However, this hands-off approach by retailers doesn’t absolve them of responsibility when it comes to privacy and protecting consumers. Although the BNPL provider is most often seen as the “data controller” and handles consumer consent collection during the sign-up process, transparency and due diligence are responsibilities shared with retailers. BNPL providers must clearly communicate how they collect and use personal data, but retailers are equally accountable for ensuring that any third-party services they review and onboard uphold strong privacy standards and comply with applicable laws.

The risk of retailers overlooking key vendor due diligence steps is illustrated by the recent data breach at Klarna, a popular BNPL provider, which exposed customer login credentials and revealed how vulnerable consumer data can be when handled by third-party providers. Even though the breach occurred on Klarna’s side, consumers are likely to associate the incident with the retailer they purchased from, leading to reputational damage and loss of trust.

BNPL Apps Ranked by Privacy Risk

A study by Incogni analyzed the privacy practices of popular BNPL apps and revealed significant differences in how they handle user data. The study ranked apps based on the number of permissions requested, the types of data collected, and the extent of third-party sharing.

Key findings include:

  • Zip was identified as the least privacy-friendly, collecting extensive personal and behavioural data and sharing it with multiple third parties.

  • Affirm and Afterpay also ranked poorly, with broad data collection practices and limited transparency around data use.

  • Klarna, while widely used, was found to request fewer permissions than its competitors but still engages in behavioural profiling.

  • PayPal Pay Later emerged as one of the more privacy-conscious options, with relatively restrained data collection and clearer privacy policies.

These rankings highlight the importance of choosing BNPL providers carefully. Retailers and consumers alike should consider not just the financial terms but the privacy implications of each app.

Legal and Regulatory Considerations

BNPL services often fall into regulatory grey areas. As per Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act), BNPL providers must obtain meaningful consent, limit data collection to necessary purposes, and ensure transparency and accountability. However, enforcement can be challenging when providers operate internationally.

In the United States, the CCPA (California Consumer Privacy Act) and emerging state privacy laws give consumers rights to access, delete, and opt out of data sales. Yet many BNPL providers are not classified as financial institutions, allowing them to sidestep stricter regulations. The Consumer Financial Protection Bureau has begun scrutinizing BNPL providers, especially regarding data harvesting, consumer disclosures, and financial risk. While BNPL is not yet fully regulated like credit cards or loans, increased oversight is expected.

Globally, frameworks like the GDPR (General Data Protection Regulation) in Europe offer stronger protections, but cross-border data flows and jurisdictional gaps remain problematic.

Retailers integrating BNPL apps must ensure their partners comply with applicable privacy laws and uphold consumer rights.

Recommendations for Retailers

Retailers play a critical role in safeguarding consumer privacy when offering BNPL options. Key steps include:

  • Conducting Privacy Impact Assessments (PIAs) before onboarding BNPL providers.

  • Ensuring transparency in how consumer data is collected and shared by having robust privacy policies that highlight third-party services and clarifying the relationship a retailer has with a BNPL partner (especially if data sharing is taking place between them).

  • Conducting vendor due diligence and choosing partners with robust privacy and security practices when evaluating BNPL options.

  • Having contracts in place where possible: while retailers can simply embed a BNPL link in their website, relying solely on a technical integration without a contract exposes them to legal, operational, and reputational risks.

  • Providing a link to the BNPL provider’s privacy policy at the point of selection or checkout.

  • Monitoring compliance with Canadian, US, and international privacy laws, depending on your legislative requirements.

Retailers should also consider the reputational risks of partnering with providers that lack strong privacy governance.

Recommendations for Consumers

Consumers can take proactive steps to protect their privacy when using BNPL services:

  • Read privacy policies carefully before signing up

  • Use BNPL only with trusted retailers and providers

  • Monitor financial statements and credit reports regularly

  • Exercise privacy rights under applicable laws (e.g. access, deletion, opt-out)

  • Limit unnecessary data sharing by adjusting app permissions and settings 

Awareness is key. Consumers should understand that BNPL is not just a financial tool; it is also a data exchange, and uninformed consumers may be giving away more personal information than they intended.

Your Privacy Starts Here

BNPL services offer convenience, but they come with hidden privacy costs. As adoption grows, both retailers and consumers must take steps to ensure that personal data is handled responsibly. Privacy should not be the price of flexibility.

Bamboo Data Consulting is well-versed in all things “privacy” and “retail”. As your trusted retail privacy partners, we can help you build a retail ecosystem that respects consumer rights, fosters trust, and grows the business with the right type of privacy best practices.
