Debit Card Apps for Kids Are Collecting a Shocking Amount of Personal Data

The fintech company Greenlight says that its app and debit card for kids is a financial literacy tool that gives parents “superpowers” to set strict controls on their children’s spending. Parents can use the app to pay allowances, choose which stores the connected debit cards work at, set spending limits, and receive instant notifications whenever their child makes a purchase.

But there’s one thing Greenlight makes it very hard for parents to control: What the company does with the mountains of sensitive data it collects about children. 

Greenlight reserves the right to share that personal information—including names, birth dates, email addresses, GPS location history, purchase history, and behavioral profiles—with “ad and marketing vendors,” “insurance companies,” “collection agencies,” and the catch-all category of “other service providers,” according to its privacy policy. Greenlight’s policy also says that it can use the data it collects to deliver “tailored content” advertisements, a kind of marketing that youth privacy and education advocates say is particularly manipulative and damaging for children.

“This is extremely concerning,” Josh Golin, executive director of Fairplay, a nonprofit that advocates for ad-free childhoods, told Motherboard after reviewing the company’s privacy policy. “Obviously this must be extremely valuable data for the companies that can get their hands on it to understand the spending habits of young people and to target ads based on that information… Children are already much more vulnerable to advertising than adults are.”

The Atlanta-based company told Motherboard that, despite what parents must agree to when they sign up for the app, Greenlight doesn’t “monetize or sell customer data in any way.”

In an email, a company spokesperson said Greenlight inserted those permissions into its privacy policy “in case we ever decide to offer merchant-funded offers to parents in the future based on aggregated and anonymous information.” 

The permissions listed in the policy do not just apply to aggregated and anonymous information, however. They appear under sections titled “Personal Information We Collect and How,” “How we Use Personal Information,” and “How We Share Personal Information.” They also do not only apply to parents, because by signing up for the service, parents must sign away the data rights of their children as well.

Greenlight is one example of the growing—and increasingly competitive—fintech-for-kids industry. It and other companies, like Step, have achieved quick success with aggressive marketing campaigns that promise their services will bring financial literacy to Gen Z and peace of mind to parents. 

Greenlight is now valued at $2.3 billion, thanks to a recent funding round led by the venture capital firm Andreesen Horowitz. Step—another service which also offers an app and debit card accounts for kids—is financially backed by a combination of VC firms and celebrities, including Charli D’Amelio, Jared Leto, and Stephen Curry. Both companies have embraced the influencer marketing model and offer referral fees and special perks to “affiliates” who promote their products on social media.

The competition between the two companies has become acrimonious, with Greenlight suing two Step employees for stealing its business model and trade secrets.]

Step declined to answer questions about how it uses children’s data for this article. “We take the security, data, and privacy of our customers very seriously, and therefore, will not be speaking about it,” company spokesperson Ellen Kiehl wrote to Motherboard in an email.

According to its privacy policy, Step uses a wide variety of children’s personal information to “tailor content, advertisements, and offers.” It also reserves the right to use personally identifying information “for any other purpose for which you have given express permission or consent to Step” and “otherwise with your consent.”

What constitutes consent? Simply by clicking the “sign up or log in” button on the Step app, anyone over the age of 13 agrees to those essentially boundary-less conditions, according to a small note at the bottom of the sign up screen that says users must agree to the privacy policy in order to create an account. 

In theory, the rules are slightly stricter for children under the age of 13, thanks to the 23-year-old Children’s Online Privacy Protection Act (COPPA), which requires companies to receive “verifiable parental consent” in order to collect and use minors’ data. That consent must be "clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials,” according to the Federal Trade Commission, which enforces the law.

But in reality, the process for giving parental consent for the collection and use of data for children under the age of 13 is the exact same: clicking the sign up button and entering your debit card information.

Step, Greenlight, and other kid fintech apps say they comply with COPPA because they have links to their privacy policies on their sign-up pages and allow parents to opt-out of data collection and use after sign-up.

Experts argue that these companies are willfully stretching the bounds of the FTC’s rules. The policies are lengthy documents full of legalese, vague definitions, and open-ended phrases like “other service providers.” They don’t specify which third parties data will be shared with and in many cases they use phrases like “may be shared,” leaving doubt about what a parent or teenager is actually consenting to.

“That is a shortcoming of COPPA right now,” Ariel Fox Johnson, senior counsel for global policy at the nonprofit Common Sense Media, told Motherboard. “Basically, if you get parental consent you have a whole lot of leeway. You can do behavioral advertising, profiling, whatever you want. A lot of people, once they sign up, they’re not going to figure out a complicated way to opt out and they’re not going to read the privacy policy.”

Motherboard set up test accounts for Greenlight and Step. Beyond links to the companies’ privacy policies—in small font at the bottom of pages—at no point during the setup processes are parents informed about what kind of children’s data they’re signing away rights to or how that data will be used.

Vanamali Medina, a parent of two children under the age of 13 who use Greenlight, told Motherboard that signing away digital privacy rights has become a normal, but unfortunate, part of parenting.

“Do I feel like what they’re doing is a bit exploitative?” she said of companies like Greenlight. “Definitely. I don’t think they’re being necessarily malicious compared to other avenues [targeting kids] … If we’re talking about action at a state or federal level that would put better disclosure laws on all these companies? Yes please. On the micro level of me as a parent, I don’t really feel like I have much agency to do anything about it.”

California recently passed its own, stricter privacy laws that expand upon COPPA by requiring businesses operating in the state to obtain opt-in consent from children aged 13 to 16 before selling their data.

Fintech companies are liberally interpreting that law as well. Greenlight’s privacy policy, for example, says that it is “currently unclear” whether the sharing of child data with advertisers constitutes a "sale" of data that would violate the California Consumer Protection Act.

"We work to identify whether any of our data sharing arrangements would constitute a 'sale' under the CCPA; however, due to the complexities and ambiguities in the CCPA, we will continue to evaluate some of our third party relationships as we wait for final implementing regulations and guidance," the privacy policy says. "For example, it is currently unclear whether the use of certain types of advertising partners would be considered a sale under CCPA."

After being contacted by Motherboard, a Greenlight spokesperson said the company would remove that section from its privacy policy in its next update.

The type of data collected by debit card-for-kids companies would be particularly attractive to advertisers. It reveals where they are, where they like to go, how much money they have, what they’ve bought, and, in the case of cookies that track children across websites over time, what they may like to buy next. 

By analyzing when a child has received a targeted ad compared to when they or their parent went on to buy that product, advertisers can learn more than just what a child wants—they can calculate what time of day or month a child is most susceptible to advertising.

“Children are uniquely vulnerable to the persuasive effects of advertising because of immature critical thinking skills and impulse inhibition,” the American Academy of Pediatrics wrote in a recent policy statement. Research has shown that digital advertising is “associated with unhealthy behaviors, such as intake of high-calorie, low-nutrient food and beverages; use of tobacco products and electronic cigarettes; use of alcohol and marijuana; and indoor tanning.”

Golin, from Fairplay, said that his organization frequently sees new industries masquerading before parents as solutions to “invented” problems in order to gather behavioral data.

“This is just one more way that these companies are acting like they’re doing parents a favor. Like, ‘here’s the way to instill healthy spending habits in your child,’ and in fact, anybody you talk to who’s an expert in financial literacy in children would tell you this is a terrible way to do that,” he said. “What you’re doing is creating all this valuable data.”