The fintech company Greenlight says that its app and debit card for kids is a financial literacy tool that gives parents “superpowers” to set strict controls on their children’s spending. Parents can use the app to pay allowances, choose which stores the connected debit cards work at, set spending limits, and receive instant notifications whenever their child makes a purchase.
But there’s one thing Greenlight makes it very hard for parents to control: What the company does with the mountains of sensitive data it collects about children.
The Atlanta-based company told Motherboard that, despite what parents must agree to when they sign up for the app, Greenlight doesn’t “monetize or sell customer data in any way.”
The permissions listed in the policy do not just apply to aggregated and anonymous information, however. They appear under sections titled “Personal Information We Collect and How,” “How we Use Personal Information,” and “How We Share Personal Information.” They also do not only apply to parents, because by signing up for the service, parents must sign away the data rights of their children as well.
Greenlight is one example of the growing—and increasingly competitive—fintech-for-kids industry. It and other companies, like Step, have achieved quick success with aggressive marketing campaigns that promise their services will bring financial literacy to Gen Z and peace of mind to parents.
Greenlight is now valued at $2.3 billion, thanks to a recent funding round led by the venture capital firm Andreesen Horowitz. Step—another service which also offers an app and debit card accounts for kids—is financially backed by a combination of VC firms and celebrities, including Charli D’Amelio, Jared Leto, and Stephen Curry. Both companies have embraced the influencer marketing model and offer referral fees and special perks to “affiliates” who promote their products on social media.
Step declined to answer questions about how it uses children’s data for this article. “We take the security, data, and privacy of our customers very seriously, and therefore, will not be speaking about it,” company spokesperson Ellen Kiehl wrote to Motherboard in an email.
In theory, the rules are slightly stricter for children under the age of 13, thanks to the 23-year-old Children’s Online Privacy Protection Act (COPPA), which requires companies to receive “verifiable parental consent” in order to collect and use minors’ data. That consent must be "clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials,” according to the Federal Trade Commission, which enforces the law.
But in reality, the process for giving parental consent for the collection and use of data for children under the age of 13 is the exact same: clicking the sign up button and entering your debit card information.
Step, Greenlight, and other kid fintech apps say they comply with COPPA because they have links to their privacy policies on their sign-up pages and allow parents to opt-out of data collection and use after sign-up.
Experts argue that these companies are willfully stretching the bounds of the FTC’s rules. The policies are lengthy documents full of legalese, vague definitions, and open-ended phrases like “other service providers.” They don’t specify which third parties data will be shared with and in many cases they use phrases like “may be shared,” leaving doubt about what a parent or teenager is actually consenting to.
Motherboard set up test accounts for Greenlight and Step. Beyond links to the companies’ privacy policies—in small font at the bottom of pages—at no point during the setup processes are parents informed about what kind of children’s data they’re signing away rights to or how that data will be used.
Vanamali Medina, a parent of two children under the age of 13 who use Greenlight, told Motherboard that signing away digital privacy rights has become a normal, but unfortunate, part of parenting.
“Do I feel like what they’re doing is a bit exploitative?” she said of companies like Greenlight. “Definitely. I don’t think they’re being necessarily malicious compared to other avenues [targeting kids] … If we’re talking about action at a state or federal level that would put better disclosure laws on all these companies? Yes please. On the micro level of me as a parent, I don’t really feel like I have much agency to do anything about it.”
California recently passed its own, stricter privacy laws that expand upon COPPA by requiring businesses operating in the state to obtain opt-in consent from children aged 13 to 16 before selling their data.
The type of data collected by debit card-for-kids companies would be particularly attractive to advertisers. It reveals where they are, where they like to go, how much money they have, what they’ve bought, and, in the case of cookies that track children across websites over time, what they may like to buy next.
By analyzing when a child has received a targeted ad compared to when they or their parent went on to buy that product, advertisers can learn more than just what a child wants—they can calculate what time of day or month a child is most susceptible to advertising.
“Children are uniquely vulnerable to the persuasive effects of advertising because of immature critical thinking skills and impulse inhibition,” the American Academy of Pediatrics wrote in a recent policy statement. Research has shown that digital advertising is “associated with unhealthy behaviors, such as intake of high-calorie, low-nutrient food and beverages; use of tobacco products and electronic cigarettes; use of alcohol and marijuana; and indoor tanning.”
Golin, from Fairplay, said that his organization frequently sees new industries masquerading before parents as solutions to “invented” problems in order to gather behavioral data.
“This is just one more way that these companies are acting like they’re doing parents a favor. Like, ‘here’s the way to instill healthy spending habits in your child,’ and in fact, anybody you talk to who’s an expert in financial literacy in children would tell you this is a terrible way to do that,” he said. “What you’re doing is creating all this valuable data.”