Do fintechs for kids do enough to protect their privacy?

Fintechs targeting children and teens with banking apps should collect far less data about their young users, erase it sooner and be more transparent in their policies, say privacy advocates.

The movement to protect children's privacy online is intensifying. But efforts at the federal level, including proposed changes to the Children's Online Privacy Protection rule, or COPPA, typically do not extend to fintechs oriented towards families with children and teens.

The Federal Trade Commission's proposed changes to COPPA, which are open to public comment until March 11, would tighten data retention limits, require a separate opt-in to disclose data to third parties, and have operators maintain a written children's personal information security program, among other updates, for websites and online services that collect personal information from children under the age of 13. There are also efforts in Congress tracing back to 2023 to achieve similar goals, including the Kids Online Safety Act, introduced by Senator Richard Blumenthal, and "COPPA 2.0," reintroduced by Senators Edward Markey and Bill Cassidy in May, which would prohibit internet companies from collecting personal information from users under the age of 17 without their consent.

In general, "The most mindful of services want some assurance that there is a parent setting up the account on behalf of the kid from whom the service will be collecting personal information," said Phyllis Marcus, a partner at law firm Hunton Andrews Kurth.

How well fintechs oriented toward families with children align with the spirit of these laws is an open question to some privacy advocates. Companies such as Greenlight, GoHenry, Step, Till Financial and Goalsetter have created apps that help children spend using customizable debit cards, and save toward their goals, under the supervision of their parents. Their structures and privacy policies typically fall under the Gramm-Leach-Bliley Act rather than COPPA, because parents are ultimately signing up for these accounts rather than their children. But privacy advocates are concerned about these companies' practices and what they mean for young users at the cusp of a long financial life.


"You are working with a vulnerable audience, you have legislation by COPPA and other state laws emerging, and you have growing calls for regulation overall," said Jeffrey Chester, executive director for the Center for Digital Democracy. "These companies need to overhaul their practices."

Why the problem is coming to light

When COPPA emerged in 1998 and GLBA was enacted a year later, "you didn't have a lot of kids with debit or credit cards and you definitely didn't have digital wallets," said Rick Lane, a volunteer advisor to child safety groups and CEO of Iggy Ventures, which invests in social impact startups. "In a cashless society, we are no longer anonymous like we used to be."

His concern is that with the growth of artificial intelligence, entities can combine multiple data points about children, including financial transactions and social media, to form "robust dossiers" on their habits and purchases. Children are especially vulnerable to a ruined credit history if their personal information is leaked in a data breach.

Chester takes issue with the sites' lack of transparent privacy policies as well.

"You shouldn't have to scroll down to the bottom of the page and spend time looking for them," said Chester. "They need to make clear up front [their] data collection practices, how they use [data] for marketing and advertising, their partnerships, and what their partners do with data."

For instance, the privacy policy for Till Financial is located by clicking on a "Policies" tab at the bottom of the homepage. This tab leads to Till's library of account agreements and terms.

In a statement, Laura Jones, director of compliance at Till Financial, said, "Till takes the privacy of our users extremely seriously. We do not sell data, and we assess any possible privacy-related impact of new product features early in the development cycle to ensure full confidence with our approach."

Speaking about privacy regulation more broadly, Jones said, "As a child and family-focused company, we are supportive of any measures that protect children's online privacy and give parents peace of mind. While some of the proposed changes are not applicable to our platform, many reflect best practices that are already well-established elements of our privacy and security program. Our platform, policies, and procedures are current and compliant with all relevant regulatory requirements."

Greenlight, GoHenry, Step and Goalsetter did not respond to American Banker by press time with answers to queries about measures to protect their young users' privacy, whether information collected would become the property of new owners in the event of a sale, and whether the proposed changes to COPPA would affect their privacy practices.

Parents are typically the main account holders for these family-oriented fintechs, said Lane, which means the transactions fall under GLBA rather than COPPA. The services remain COPPA-compliant by stating they seek a parent's consent before setting up an account for someone under 13. "The key piece is that financial transactions are not protected by COPPA when using debit cards," said Lane. "The problem is parents don't understand that when they sign up for these cards, their kids have no privacy protections. They have the same privacy protections we as adults have, which in the financial services world is an opt-out world, and there is no opt-out of affiliate sharing," or sharing data with any entity under the same umbrella. The affiliate sharing piece is problematic, Lane believes, because if a fintech is bought, this data is now owned by a new entity.

These fintechs typically collect contact and identification information — such as name, date of birth, address, email, social networking site account name, and Social Security number — as well as financial transaction details and device and location information, according to a review of their privacy policies. 

"Despite whatever rhetoric they have, the fact is they're collecting a lot of data," said Chester. "Some have marketing partnerships or advertising practices that are poorly described."

For instance, he points to a link titled "Affiliates" at the bottom of the Greenlight and GoHenry homepages, which directs the user to sign up for a "partner program" from Impact.com, a site that manages partnerships for brands.

"What is this company? What do they do with the data?" he said. Greenlight and GoHenry did not elaborate on their relationship with Impact by time of publication.

Chester believes data gathered for marketing purposes should be destroyed after a certain amount of time and should not be shared with partners.

"You need to be privacy-first if you are going to serve this market," he said. "You are working in an area that comes with a unique trust. Parents should be able to look at one page promoted high up and understand exactly what happens with their and their kids' data."

A privacy-focused alternative?

Rego Payments is one company betting that a privacy-first mandate at the forefront will be a selling point to future financial institution partners. (Lane is an advisor to Rego.) It currently operates a direct-to-consumer app called Mazoola that lets parents set spending limits on their kids' debit cards, set goals, and perform other functions like its peers in this space. The company sought certification from Privo, a COPPA Safe Harbor program approved by the FTC, as a way to give parents extra assurance about its privacy practices.

James Peil, head of partnerships at Rego, said the company does not collect any information about the child. "Data minimization is a central component of how we protect children online," he said. One exception is date of birth, which Apple Pay and Google Pay require for compliance.

Mazoola has thousands of users, but is essentially a testing ground for Rego's main business, which is developing an embedded mobile and desktop bank account for financial institutions. Financial institutions will be able to choose between a family-oriented digital wallet integrated into their own mobile apps or a standalone white-labeled app they can offer to school associations or youth groups. Rego has integrated its product with digital banking provider Q2 and is in the process with three other digital banking providers; it is also in talks with nearly 150 financial institutions.

"If you're not offering something relevant to parents that allows children to spend, save, invest and donate safely online, you're losing a demographic," said Peil. "Parents have a lot of influence in where their children bank."

Mazoola spotlights its COPPA compliance and Privo certification on its website.

However, Fairplay, a nonprofit with the mission of ending marketing to children, is one group that is generally skeptical of safe harbor programs.

"In our experience, the COPPA safe harbor programs do not work, and there is also a significant lack of transparency," said Haley Hinkle, policy counsel at Fairplay. "It is very difficult to ascertain what the programs do to actually vet members. Even with FOIA requests, we cannot obtain good insights into how they operate."
