When you sign up for Acorns, the app collects highly sensitive personal and financial information including your Social Security number, bank account details, and government-issued ID.
This analysis describes what Acorns's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This level of data collection is expected for a regulated financial services provider but represents significant exposure if data is breached or misused, as it includes identity documents and financial credentials sufficient to enable identity theft or account fraud.
The updated policy removes explicit language describing how data flows when users sign in via Apple or Google, including what information those services share with Acorns and how it is used. Previously, the policy stated that Acorns receives information such as name and email address through third-party sign-in services solely to manage accounts and provide services. The revised language also shifts the AI chatbot from an optional feature users 'may access' to a stated service Acorns 'uses' to direct users to internal articles. Users no longer have a published explanation of third-party sign-in data practices in the privacy notice, though the terms suggest data shared through third-party services remains subject to those providers' terms.
View change record →Your Social Security number, bank account credentials, government ID, and investment profile are all collected and stored by Acorns as part of account creation, creating a concentrated repository of sensitive identity and financial data.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Acorns has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect information you provide to us directly, such as when you create an account or use our services. This information may include: name, address, date of birth, email address, phone number, username and password, Social Security number or tax identification number, financial account information (such as bank account and routing numbers), investment information (such as your risk tolerance and investment goals), employment and income information, and government-issued identification (such as a driver's license or passport).— Excerpt from Acorns's Acorns Privacy Policy
REGULATORY LANDSCAPE: Collection of Social Security numbers, government-issued IDs, and financial account credentials implicates the Gramm-Leach-Bliley Act Safeguards Rule administered by the FTC, which requires financial institutions to implement information security programs for nonpublic personal information. The CPRA classifies Social Security numbers and financial account details as sensitive personal information subject to heightened disclosure and opt-out obligations under California law. The CFPB's supervisory authority extends to data security practices at nonbank financial companies offering consumer financial products. GOVERNANCE EXPOSURE: High. The breadth of sensitive data collected, including government identifiers, financial credentials, and biometric-adjacent identity documents, creates significant data security and regulatory exposure. A data breach involving this category of information would trigger notification obligations under state breach notification laws in all 50 states and potentially GLBA Safeguards Rule incident response requirements. JURISDICTION FLAGS: California residents are entitled under the CPRA to know what sensitive personal information is collected and to limit its use beyond what is necessary for the primary service. Users in other states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas) may have analogous rights. The collection of Social Security numbers also triggers specific state-level SSN protection statutes in multiple jurisdictions. CONTRACT AND VENDOR IMPLICATIONS: Any third-party vendor or service provider receiving access to this category of data must be governed by a data processing agreement with appropriate security and use limitation obligations. Procurement teams should confirm that subprocessors handling SSNs and financial credentials are subject to SOC 2 or equivalent audits and contractual liability provisions. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that data minimization practices are in place, that SSN and government ID data is encrypted at rest and in transit, and that retention schedules for identity documents are defined and enforced. The GLBA Safeguards Rule requires a written information security program; teams should confirm this is current and reviewed annually.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This level of data collection is expected for a regulated financial services provider but represents significant exposure if data is breached or misused, as it includes identity documents and financial credentials sufficient to enable identity theft or account fraud.
Your Social Security number, bank account credentials, government ID, and investment profile are all collected and stored by Acorns as part of account creation, creating a concentrated repository of sensitive identity and financial data.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Acorns.