CR identifies steps providers can take to improve protections and tips for consumers
YONKERS, NY – A new Consumer Reports investigation of buy now, pay later apps found PayPal had the strongest privacy, transparency and security policies and practices for users. Five others – Affirm, Afterpay, Klarna, Sezzle, and Zip – got passing marks. Perpay and Zilch ranked last. CR is calling on providers to strengthen their consumer disclosures and app features to better protect users from potential risks and is offering tips to consumers who are increasingly relying on these loans to make purchases. See CR’s full analysis of BNPL apps.
BNPL loans are an extremely fast-growing form of lending that typically enables consumers to split the cost of purchases into four or more payments. The most common BNPL loans are the “pay in four” products, where consumers pay 25 percent of the cost of the item at the point of sale, and the remaining balance in three payments of 25 percent over the next six weeks. Unlike credit cards, many BNPL loans are offered to consumers without fees or interest charges, provided the consumer abides by the terms of the loan.
“Buy now, pay later loans offer a convenient way for consumers to stretch their dollars and manage their expenses, especially for those who may not have access to other forms of credit,” said Delicia Hand, director of financial fairness for Consumers Reports. “But there are some potential risks that consumers should keep in mind the next time they agree to ‘pay-in-four’ when making a purchase.”
Hand continued, “While these plans are marketed with no fees or interest, users can end up paying penalty fees if they fall behind on payments or misunderstand which loan they’ve been offered. Fraudulent transactions are a well-known industry problem but the apps we examined don’t always alert consumers when suspicious charges are detected like credit card companies do. Most apps limit consumers’ ability to control the personal data collected about them or don’t make privacy controls easily accessible.”
Between 2019 and 2021, BNPL loans issued by five top lenders (Affirm, Afterpay, Klarna, PayPal, and Zip) increased more than tenfold, from 16.8 million to 180 million. BNPL users, on average, are younger and more likely to be Black, Hispanic, and female, and have lower incomes and credit scores, than the general population, according to a Consumer Financial Protection Bureau report. A nationally representative CR survey of 2,017 U.S. adults in December 2022 found that BNPL users were more than twice as likely to say they couldn’t pay all their bills on time, and almost three times as likely to have overdrafted their bank account compared to those who hadn’t used a BNPL service.
Over the past year, Consumer Reports developed a Fair Digital Finance Framework to evaluate digital finance products and released an initial examination of peer-to-peer payment apps in January. Building on that effort, CR used the framework to evaluate the “pay-in-four” loans offered on BNPL apps by Affirm, Afterpay, Klarna, PayPal, Perpay, Sezzle, Zilch, and Zip. CR examined the technology applications and policies companies use to protect consumer data and funds; the user data companies collect and share, and their data deletion practices; and company disclosures of the legal terms and consumer legal rights.
CR found that the apps clearly disclose their fraud policies, provide adequate legal disclosures about their data collection policies, and have basic security measures in place, but identified a number of issues that raised concerns:
- Some BNPL apps don’t clearly disclose fees or changes to terms of service: Despite their marketing claims, all of the providers except for Affirm and PayPal charge fees, ranging from a few dollars up to 25 percent of the loan amount. Because there are so many different kinds of BNPL loans, including some that charge interest, consumers may be confused about the type of product they are being offered and at what cost. Six of the eight apps provide no affirmative notice to users of material changes to the terms and conditions of the service. Afterpay and Zilch are the only two that do so.
- BNPL apps don’t commit to monitor for fraud and security vulnerabilities: Most of the apps do not consistently commit to proactively monitor accounts for potential fraud and immediately notify consumers when fraud is suspected. Afterpay, Klarna, and PayPal stand out in their commitments to guard against fraud and alert users of suspicious transactions, with PayPal providing the most comprehensive protection. Some apps make only vague commitments to safeguard users’ personal information, restrict employee access to sensitive data, or respond to security vulnerabilities. None of the apps explicitly promise to notify users of cybersecurity breaches that could put their information at risk.
- BNPL apps collect and share user data that isn’t needed to process loans: Some of the apps collect data that does not appear to be necessary to provide the service, including internet browsing history, email and chat communications, video and voice recordings, geolocation information, and biometric data such as images of the user’s face. Although most companies do not sell consumer data, most share it with third parties, in many cases for targeted advertising and marketing.
- BNPL apps sometimes limit users’ ability to protect their privacy: Most of the apps offer few or no obvious settings that enable users to protect their privacy. PayPal offers the most comprehensive privacy controls, including the ability to change data tracking and sharing permissions on its app. Affirm and Klarna provide users with limited privacy settings, including the ability to track all orders and opt out from being remembered by merchants. Most apps don’t enable users to easily access and delete their data.
What industry can do: CR recommends that BNPL providers take a number of steps to help create a new industry standard for fair digital finance by ensuring greater safety, privacy and transparency for consumers:
- Clearly disclose all costs and fees that consumers may incur while using the service
- Notify consumers of suspected fraudulent transactions in real time as credit card companies do and inform users of any security breaches that put their information at risk.
- Limit the amount of data collected from all users to what is needed to provide the service and make privacy settings default to opting-out of data sharing so that users have to grant permission to allow it.
- Enable all consumers to access, control, and delete their data, not just users in states where it is legally required, such as California.
What consumers can do: Consumers can take a number of steps to minimize potential risks:
- Read the fine print of your loan’s terms before you hit “Accept.” Regularly review your account terms and conditions and any update notifications you receive. The terms and conditions may be updated and your continued use of the app may mean that you have accepted new conditions.
- Check your account regularly and read all transaction notifications to keep an eye out for fraudulent charges. If you no longer use your account, notify the company of your desire to terminate the account, delete the app, and check your credit report periodically to assure you haven’t been the victim of identity theft.
- Opt out of data sharing when you sign up. When you are asked to accept the terms and conditions for using each app, you may have the opportunity to “opt-out” of agreeing to your data being shared with a third party. Affirm, Klarna, Perpay, Sezzle, and Zip allow users of all states to opt-out of data sharing.
- Change the privacy settings in your phone. Even if the app doesn’t give you clear options for limiting data sharing, you still have some control by making adjustments to the scope of information your phone shares with the app.