When you sign up for Acorns, the app collects highly sensitive personal and financial information including your Social Security number, bank account details, and government-issued ID.
This analysis describes what Acorns's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This level of data collection is expected for a regulated financial services provider but represents significant exposure if data is breached or misused, as it includes identity documents and financial credentials sufficient to enable identity theft or account fraud.
Your Social Security number, bank account credentials, government ID, and investment profile are all collected and stored by Acorns as part of account creation, creating a concentrated repository of sensitive identity and financial data.
Cross-platform context
See how other platforms handle Collection of Sensitive Financial and Identity Data and similar clauses.
Compare across platforms →Monitoring
Acorns has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We collect information you provide to us directly, such as when you create an account or use our services. This information may include: name, address, date of birth, email address, phone number, username and password, Social Security number or tax identification number, financial account information (such as bank account and routing numbers), investment information (such as your risk tolerance and investment goals), employment and income information, and government-issued identification (such as a driver's license or passport).— Excerpt from Acorns's Acorns Privacy Policy
REGULATORY LANDSCAPE: Collection of Social Security numbers, government-issued IDs, and financial account credentials implicates the Gramm-Leach-Bliley Act Safeguards Rule administered by the FTC, which requires financial institutions to implement information security programs for nonpublic personal information. The CPRA classifies Social Security numbers and financial account details as sensitive personal information subject to heightened disclosure and opt-out obligations under California law. The CFPB's supervisory authority extends to data security practices at nonbank financial companies offering consumer financial products. GOVERNANCE EXPOSURE: High. The breadth of sensitive data collected, including government identifiers, financial credentials, and biometric-adjacent identity documents, creates significant data security and regulatory exposure. A data breach involving this category of information would trigger notification obligations under state breach notification laws in all 50 states and potentially GLBA Safeguards Rule incident response requirements. JURISDICTION FLAGS: California residents are entitled under the CPRA to know what sensitive personal information is collected and to limit its use beyond what is necessary for the primary service. Users in other states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas) may have analogous rights. The collection of Social Security numbers also triggers specific state-level SSN protection statutes in multiple jurisdictions. CONTRACT AND VENDOR IMPLICATIONS: Any third-party vendor or service provider receiving access to this category of data must be governed by a data processing agreement with appropriate security and use limitation obligations. Procurement teams should confirm that subprocessors handling SSNs and financial credentials are subject to SOC 2 or equivalent audits and contractual liability provisions. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that data minimization practices are in place, that SSN and government ID data is encrypted at rest and in transit, and that retention schedules for identity documents are defined and enforced. The GLBA Safeguards Rule requires a written information security program; teams should confirm this is current and reviewed annually.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This level of data collection is expected for a regulated financial services provider but represents significant exposure if data is breached or misused, as it includes identity documents and financial credentials sufficient to enable identity theft or account fraud.
Your Social Security number, bank account credentials, government ID, and investment profile are all collected and stored by Acorns as part of account creation, creating a concentrated repository of sensitive identity and financial data.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Acorns.