    Buy Now, Pay Later Apps Are Popular, but Are They Safe?

    PayPal tops CR’s analysis for privacy, transparency, and security, while Perpay and Zilch fall a little short. Here’s how to keep your information secure.

    Buy now, pay later apps: Affirm, Afterpay, Klarna, PayPal, Perpay, Sezzle, Zilch, and Zip. Graphic: Consumer Reports

    Update: On May 22, 2024, the Consumer Financial Protection Bureau ruled that buy now, pay later companies must provide consumers the right to dispute charges and demand refunds after returning a product, similar to the protections they have when using a credit card. The rule is expected to go into effect this fall. “The CFPB’s new rule is an important step toward extending basic rights to BNPL users, but the bureau should take further action to fully protect consumers,” says Jennifer Chien, a senior policy counsel for financial fairness at Consumer Reports.

    A man in Arizona says buy now, pay later (BNPL) loans have helped him handle surprise expenses like replacing the brakes on his car. A woman in California uses them to manage her cash flow better. A father of four in Wisconsin says the loans helped him afford holiday gifts for everyone in his large family. And a mom in Oregon used one to buy groceries after losing a week of work due to illness.

    These consumers, all of them participants in a recent Consumer Reports discussion panel, are just some of the millions of Americans who have flocked to buy now, pay later loans in recent years. Available at checkout at retailers like Amazon and Walmart and even at restaurants and grocers, BNPL services allow you—with just a few clicks on your phone, and with no interest or fees—to divide the cost of a big or small purchase into four payments over several weeks or months. 

    But which one to use? PayPal comes out on top of CR’s recent analysis of eight popular BNPL apps, earning top marks in the areas of safety, privacy, and transparency. Five others—Affirm, Afterpay, Klarna, Sezzle, and Zip—did well in specific aspects of our evaluations but presented some challenges. Perpay and Zilch ranked last.

    CR’s Ratings of BNPL Apps

    In terms of overall ratings for the combined areas of safety, privacy, and transparency, PayPal scored the highest, at 89, followed by Klarna and Afterpay, both at 77. Perpay and Zilch brought up the rear with scores of 69 and 70, respectively.

    PayPal earned a top score in five of the 12 criteria that CR’s testers assessed, while no other app earned a top score in more than one. Importantly, PayPal got high marks in fraud protection and also did well in offering good security practices, the two areas CR testers deemed most important and gave the most weight to.

    It also edged out the competition in several other areas, including having meaningful privacy information and transparent safety practices. PayPal was also the only company to provide easy-to-understand information that helped users review and correct their own data.

    “All companies should make it easy to find information about terms and fees and to control privacy settings,” says Delicia Hand, director of financial fairness at Consumer Reports, who led the analysis. “We hope this analysis helps encourage that change in the industry, plus others.”

    Criteria assessed: fraud protection, security practices, disclosure, data minimization, data sharing, data deletion, right to access, privacy control, privacy information, safety practices, service explanation, and legal rights.

    Overall scores:
    PayPal: 89
    Klarna: 77
    Afterpay: 77
    Zip: 76
    Sezzle: 75
    Affirm: 75
    Zilch: 70
    Perpay: 69

    Why and How CR Tested BNPL Apps

    BNPL loans have clearly caught on in a big way with consumers. A December 2022 nationally representative CR survey of 2,017 U.S. adults (PDF) found that about 1 in 5 Americans (21 percent) had used one at least once. 

    At the same time, there’s growing concern among consumer advocates and regulators that these loans lack critical consumer protections. “As with other new types of financial technology, there is little oversight of BNPL services even as these products continuously evolve,” Hand says. “This vacuum can leave consumers at risk if these products end up costing more than they expected, and if their data ends up in places they didn’t expect, including with advertisers and marketers.”

    CR recently developed the Fair Digital Finance Framework, a set of seven principles for evaluating a range of digital finance products and services, including BNPL loans. In this analysis of eight BNPL apps, we applied three of the principles: safety, privacy, and transparency. “Our goal is to help consumers know whether using these apps leads to positive outcomes and to encourage industry and regulators to make sure that they do,” Hand says. 

    CR researchers examined publicly available documents found on BNPL company websites and mobile apps under headings such as “Terms of Service,” “Terms and Conditions,” “Privacy Policy,” “Privacy Disclosures,” and “End User License Agreement.” They also conducted consumer panels, surveys, a user interface review, and technical tests such as network traffic analysis. Finally, they contacted each of the eight BNPL companies for clarification about their policies and practices. Only Perpay didn’t respond. Read CR’s full analysis of BNPL apps. (PDF)

    Here’s a look at some of the key findings of CR’s evaluation, plus steps consumers can take to protect themselves.

    Some BNPL Apps Don’t Clearly Disclose Fees 

    Although BNPL loans are often promoted as having no fees or interest, CR’s analysis (and an earlier CR review) found that’s not always the case. For example, some charge late payment fees ranging from a few dollars up to 25 percent of the loan amount. And while loans designed to be paid off in four installments don’t charge interest, some longer-term loans offered on the same app do, and may be mistaken for a BNPL loan. 

    That’s important because consumers can take out multiple loans, which can cause some people to get in over their heads, with add-on fees digging them into even deeper holes. Indeed, CR’s recent survey found that BNPL users reported being in worse financial health than nonusers in a variety of ways. Those who had used BNPL loans were more than twice as likely to say they couldn’t pay all their bills on time, and almost three times as likely to have bank account overdrafts as people who hadn’t used a BNPL service.

    “We expected to see companies describe their fees in a consistent manner, whether those details appear when the consumer is registering the product or reading terms and conditions disclosures,” Hand says. But CR found that information was often inconsistent or incomplete. “No company was a standout when it came to fee disclosure.”

    Consumers’ experiences bear that out. In a previous CR survey, published in August 2022 and involving 2,013 people who used BNPL loans, a third said they were unaware of at least one of the fees or penalties a company could charge. And a participant in CR’s recent discussion panel described being surprised that, after purchasing a mattress using what she thought was a pay-in-four no-interest BNPL loan, she was actually being charged a 4 percent APR. One possible explanation: She may have accidentally signed up for a longer-term loan.

    This doesn’t surprise Lauren Saunders, associate director at the National Consumer Law Center, who has testified before Congress about BNPL products. “With credit cards, federal law requires that all the fees be presented in a uniform fashion so a consumer can easily compare them,” she says. That law should also apply to BNPL companies, Saunders says, but whether it does is currently unclear. So consumer advocates have urged the Consumer Financial Protection Bureau to clarify consumers’ rights.

    What you can do: Before you hit “Accept,” take a screenshot of each loan term page as a reference. This could help you in the event that you’re hit with a surprise fee. And if that happens, complain to customer service, and if you don’t get relief, contact the CFPB, Saunders says. Working with customer service was how the situation with the mattress was eventually resolved. The woman returned the mattress and her boyfriend ordered a similar one using a BNPL loan with no interest. 

    Good to know: Using PayPal? If so, the company says that when you apply you will receive details about the terms and conditions in a downloadable file, such as a PDF. Then, once you use the loan, check your email for additional information. Afterpay says it also sends an email with detailed loan information once you sign up. Klarna, Zilch, and Zip say loan disclosure details are available online or in the app.

    Security and Fraud Monitoring Standards Aren’t Always Adequate

    Fraud and identity theft are common concerns with BNPL programs, Hand says. Stephanie and Mark Guidi of Vancouver, Wash., say that’s what happened to them. They regularly used a popular BNPL service to pay for their hobby—building small-engine aircraft. But late in 2022, the couple discovered a charge on their account for a hotel stay they claimed they didn’t make. They contacted the BNPL company but couldn’t get the problem resolved. They eventually just paid the bill and closed the account, which was too bad, Stephanie says, because it was useful for purchasing hobby items. “It was quick, easy, and we always made our payments on time, so we didn’t get finance charges,” she says.

    In CR’s August survey, about 3 percent of people who had used a BNPL loan said they were the victim of some type of fraud, including having someone they didn’t know make a purchase using their account.

    “Consumers should not bear the burden for noticing and reporting fraud,” Hand says. She says credit card companies not only monitor accounts for fraud but also immediately notify consumers when they see signs of it. And when fraud does occur, they don’t hold credit card holders responsible for the charges. 

    But CR found that only three of the companies—Afterpay, Klarna, and PayPal—commit to real-time monitoring for fraud and notify consumers when fraud is suspected, Hand says. PayPal provided the most comprehensive protection. 

    Hand says that Sezzle, after discussing CR’s findings with our app testers, created a new page that more clearly outlines how the company protects consumer accounts. That company, along with Klarna, also agreed to consider other ways they could clarify how they monitor potential fraud.

    “All BNPL companies can do better to protect vulnerable consumers from fraudulent activity,” Hand says. “And they should inform consumers of any cybersecurity breach where their information is at risk, and not hold consumers liable for fraudulent charges.” 

    What you can do: Check your BNPL app account regularly to monitor for fraudulent charges. Always review transaction notifications and email from your BNPL provider. For example, Afterpay, Klarna, PayPal, and Zilch say they will send you email if they suspect a suspicious log-in. Zip says you’ll see a notice in your account online or in the app.

    If you no longer use your account, notify the company of your desire to close it. Then delete the app, and check your credit report regularly to make sure you haven’t been a victim of identity theft, says Chuck Bell, who focuses on consumer financial services at CR. If you notice any fraudulent activity, notify the company immediately.

    BNPL Apps May Collect More Data Than They Need—and May Not Give Consumers Enough Control

    BNPL companies typically need to collect some of your personal information when you apply for a loan, such as your name, address, and all or part of your Social Security number. For payment purposes, they also collect your bank account or debit or credit card information. And for ID verification, they may even collect “biometric” data, such as images of your face or a fingerprint you’ve already stored on your phone. 

    But some of the apps appear to collect significantly more data than that, Hand says. That may include your internet browsing history, calendar invites, contacts list, email and chat messages, personal video and voice recordings, and real-time location data. 

    For example, a participant in CR’s panel said he learned while reviewing his account page that the company had collected all the reviews he had written about products he’d purchased using the BNPL service.

    Also worrisome is that the vague language used in company disclosures “appears to enable them to use the data they collect about you for virtually any purpose,” Hand says.

    CR’s analysis also found that seven of the eight companies share data with third parties, such as unaffiliated advertisers or e-commerce companies. Only PayPal commits to not selling or sharing data with nonaffiliates for advertising purposes.

    “Some of this data may be used instead for targeted advertising and promotions,” Hand says. For example, while geolocation or address information may be used to verify your identity or to help prevent fraud, it could theoretically also be used to push product or service promotions based on your location.

    CR’s review found that PayPal offers users the most comprehensive privacy controls, including the ability to change data tracking and sharing permissions. Affirm and Klarna offer some limited controls. Afterpay’s privacy settings only allow users to control ad communications, and Perpay, Sezzle, and Zip all fall short in allowing users to control their privacy settings. Zilch performs worst of all in that measure, as well as in data sharing.

    Zilch said it complies with state and federal data privacy laws and gives users the ability to opt out of certain data collection. But Hand says the process can be very confusing and in some cases requires users to send an email to the company. The company also says it doesn’t share user data, though its disclosures suggest it has the ability to do so, Hand says. 

    Users looking to delete the data that the apps have collected face some challenges. Klarna and PayPal users must close their accounts entirely. Affirm users must do the same unless they live in California. With Afterpay, Perpay, Sezzle, Zilch, and Zip, it’s unclear whether data is deleted when users close their accounts. 

    After discussing CR’s findings with our app testers, Sezzle made a few changes to improve policies and practices, and, along with Klarna, agreed to consider making several important changes in areas where CR’s evaluators think they fall short. In addition, all of the companies said they thought their users had sufficient control over their data. But Hand says, “It is our view that in a mobile app environment, much is lost in translation or missed if the default is the privacy policy and these instructions are not simplified into specific user-friendly app controls.”

    What you can do: Change the privacy settings on your phone. Even if the app doesn’t give you clear options for how to limit data sharing from within the app itself, you still have some control by making adjustments to the scope of information your phone shares with the app, says Jerry Beilinson, a CR electronics editor and an expert in digital privacy. 

    To do this on an iPhone, go to Settings and scroll down until you find the BNPL app among the list of apps on your phone. Select it and you’ll see a list of data sources the app is tapping, such as your phone’s camera and microphone, location tracking, or your contacts. Beilinson’s advice is to deny those permissions. 

    For Android phones, the steps are similar except that under Settings you should look for Privacy, then Permission Manager, then select Permission Type. You can then select individual apps and revise the settings.

    What you can do: Opt out of data sharing when you sign up. When you’re asked to accept the terms and conditions for using each app, you might have the opportunity to opt out of agreeing to having your data shared with a third party. For example, Affirm, Afterpay, Klarna, Perpay, Sezzle, and Zip allow consumers in all states to opt out of data sharing. (Zilch grants the ability to opt out of data sharing only to California residents.) PayPal alone doesn’t sell or share data for targeted advertising and marketing, so opting out is unnecessary.

    Having trouble finding the opt-out feature on a company’s app? Beilinson suggests trying a company’s website instead. “You might find it easier than adjusting it on the app,” he says.

    Editor’s Note: Consumer Reports’ evaluation of buy now, pay later apps is part of a broader initiative to monitor, evaluate, and strengthen consumer protections in the digital finance marketplace. The work is made possible, in part, by a grant from Flourish Ventures’ donor-advised fund at the Silicon Valley Community Foundation, which supports efforts to reduce systemic inequities.


    Lisa L. Gill

    Lisa L. Gill is an award-winning investigative reporter. She has been at Consumer Reports since 2008, covering health and food safety—heavy metals in the food supply and foodborne illness—plus healthcare and prescription drug costs, medical debt, and credit scores. Lisa also testified before Congress and the Food and Drug Administration about her work on drug costs and drug safety. She lives in a DIY tiny home, where she gardens during the day and stargazes the Milky Way at night.