The policy states that Acorns collects financial account numbers, investment account data, transaction history, government-issued identification numbers including Social Security numbers, and standard contact identifiers from users who engage with its services.
This analysis describes what Acorns's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the scope of sensitive financial and identity data Acorns collects as a condition of platform use, encompassing data categories that are subject to heightened regulatory obligations under GLBA and that carry elevated risk in the event of unauthorized access or disclosure.
The updated policy removes explicit language describing how data flows when users sign in via Apple or Google, including what information those services share with Acorns and how it is used. Previously, the policy stated that Acorns receives information such as name and email address through third-party sign-in services solely to manage accounts and provide services. The revised language also shifts the AI chatbot from an optional feature users 'may access' to a stated service Acorns 'uses' to direct users to internal articles. Users no longer have a published explanation of third-party sign-in data practices in the privacy notice, though the terms suggest data shared through third-party services remains subject to those providers' terms.
View change record →Severity increased from medium to high, and collection scope narrowed to exclude investment preferences, employment data, and address/date of birth, while adding transaction history detail.
View full change record →The agreement authorizes collection of bank account numbers, investment account data, transaction history, Social Security numbers, and contact information from users. Under these terms, this sensitive financial and identity data is held by Acorns and subject to the sharing and retention practices described elsewhere in the policy.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Acorns has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect information you provide to us when you use our Services, including: financial account information (such as bank account numbers, investment account information, and transaction history); government-issued identification numbers (such as Social Security numbers); and contact information (such as name, email address, phone number, and mailing address).— Excerpt from Acorns's Acorns Privacy Policy
1) REGULATORY LANDSCAPE: Collection of nonpublic personal financial information including account numbers, transaction history, and Social Security numbers is governed by the Gramm-Leach-Bliley Act, enforced by the FTC for non-bank financial institutions, and by applicable state financial privacy laws. CCPA classifies Social Security numbers as sensitive personal information subject to heightened disclosure and opt-in requirements under CPRA amendments. 2) GOVERNANCE EXPOSURE: High. The collection of Social Security numbers and financial account numbers as standard onboarding data creates significant data security and regulatory obligations, including GLBA Safeguards Rule compliance requirements for information security program documentation and third-party service provider oversight. 3) JURISDICTION FLAGS: California's CPRA creates specific obligations around sensitive personal information including Social Security numbers, requiring disclosure of the purpose for which such data is used and limiting use to disclosed purposes. Financial services entities operating in New York are subject to the SHIELD Act's data security requirements for private information including financial account numbers. 4) CONTRACT AND VENDOR IMPLICATIONS: Service provider agreements covering systems that store or process financial account numbers and Social Security numbers require assessment for GLBA-compliant data security standards and breach notification obligations. Procurement teams should verify that data processing agreements with relevant vendors include contractual controls consistent with the GLBA Safeguards Rule. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should confirm that data retention schedules for financial account numbers, transaction history, and Social Security numbers are documented and consistent with both GLBA requirements and any applicable state-level data minimization obligations. Purpose limitation documentation for Social Security number usage should be reviewed against CPRA's sensitive personal information requirements for California residents.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the scope of sensitive financial and identity data Acorns collects as a condition of platform use, encompassing data categories that are subject to heightened regulatory obligations under GLBA and that carry elevated risk in the event of unauthorized access or disclosure.
The agreement authorizes collection of bank account numbers, investment account data, transaction history, Social Security numbers, and contact information from users. Under these terms, this sensitive financial and identity data is held by Acorns and subject to the sharing and retention practices described elsewhere in the policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Acorns.