Under the federal Gramm-Leach-Bliley Act, Affirm must tell you how it handles your financial data and give you the right to opt out of some, but not all, types of financial data sharing.
This analysis describes what Affirm's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
GLBA opt-out rights are narrower than many consumers expect: they apply to sharing with non-affiliated third parties for marketing but do not cover sharing for joint marketing arrangements or operational service providers.
Interpretive note: The policy does not enumerate with specificity which sharing categories are subject to GLBA opt-out versus which fall within exempt categories, creating uncertainty for consumers trying to understand the practical scope of their opt-out rights.
You have a federal right to opt out of certain sharing of your financial information with non-affiliated third parties, but this right does not cover all sharing; Affirm may still share your data with joint marketing partners and service providers without your opt-out being effective.
How other platforms handle this
California law gives residents the right to know what personal information we collect, use, share or sell; to delete personal information under certain circumstances; to opt-out of the sale or sharing of their personal information; to correct inaccurate personal information; to limit the use and dis...
If you are a California resident, you have the right to opt out of the sale or sharing of your personal information. You also have the right to know what personal information we have collected about you, the right to delete your personal information, the right to correct inaccurate personal informat...
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
Monitoring
Affirm has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We are required by federal law to give you important information about how we collect, share, and protect your personal financial information. Federal law gives you the right to limit some but not all sharing of your personal financial information.— Excerpt from Affirm's Affirm Privacy Policy
REGULATORY LANDSCAPE: The Gramm-Leach-Bliley Act financial privacy rules, implemented by CFPB Regulation P, require annual privacy notices and opt-out rights for sharing with non-affiliated third parties outside specified exceptions. Joint marketing and service provider sharing are exempt from opt-out requirements under GLBA. CFPB has supervisory authority over Affirm's compliance with Regulation P as a nonbank financial service provider. GOVERNANCE EXPOSURE: Medium. The policy's statement that federal law limits opt-out rights to 'some but not all sharing' is accurate under GLBA but may not be sufficiently specific about which sharing categories are and are not subject to opt-out, creating disclosure adequacy risk under Regulation P. Affirm must also ensure that annual privacy notices are delivered in the required form and that opt-out mechanisms are functional and honored. JURISDICTION FLAGS: GLBA applies nationally to all U.S. Affirm customers. California's CCPA and CPRA provide broader opt-out rights that layer on top of GLBA for California residents. Vermont and other states have additional financial privacy requirements that may expand opt-out rights beyond the GLBA baseline. CONTRACT AND VENDOR IMPLICATIONS: Joint marketing agreements must satisfy GLBA's joint marketing exception requirements, including that the financial institution and its joint marketing partner are bound by an agreement restricting the partner's use of the shared information. Non-compliance with this contractual requirement eliminates the exception and may render the sharing unlawful under GLBA. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that GLBA annual notices are delivered on schedule, that opt-out mechanisms are clearly labeled and functional, that joint marketing partner agreements include the required use restrictions, and that the policy distinguishes which specific sharing categories are and are not subject to opt-out to satisfy Regulation P disclosure specificity requirements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
GLBA opt-out rights are narrower than many consumers expect: they apply to sharing with non-affiliated third parties for marketing but do not cover sharing for joint marketing arrangements or operational service providers.
You have a federal right to opt out of certain sharing of your financial information with non-affiliated third parties, but this right does not cover all sharing; Affirm may still share your data with joint marketing partners and service providers without your opt-out being effective.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Affirm.