Under the federal Gramm-Leach-Bliley Act, Affirm must tell you how it handles your financial data and give you the right to opt out of some, but not all, types of financial data sharing.
This analysis describes what Affirm's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
GLBA opt-out rights are narrower than many consumers expect: they apply to sharing with non-affiliated third parties for marketing but do not cover sharing for joint marketing arrangements or operational service providers.
Interpretive note: The policy does not enumerate with specificity which sharing categories are subject to GLBA opt-out versus which fall within exempt categories, creating uncertainty for consumers trying to understand the practical scope of their opt-out rights.
The updated Privacy Policy establishes that Affirm qualifies as a financial institution under the Gramm-Leach-Bliley Act, meaning personal information collected in connection with Affirm services is governed by federal banking law rather than applicable state privacy laws. The policy now explicitly discloses collection of identity and profile information including full name, date of birth, Social Security number, email, mailing address, phone number, and password. The updated terms also disclose new data sharing arrangements with fraud prevention, identity verification, and risk intelligence providers, which were not previously detailed. You can contact Affirm's privacy team using the phone number provided in the updated policy to exercise data privacy rights.
View change record →You have a federal right to opt out of certain sharing of your financial information with non-affiliated third parties, but this right does not cover all sharing; Affirm may still share your data with joint marketing partners and service providers without your opt-out being effective.
How other platforms handle this
enableGpcSdk: true, gpcSetting: { privacyPolicyLink: '/Privacy-Security-Policy-a-282.html' }
We process Global Privacy Control signals as opt-out requests for the sale or sharing of personal information.
If you are a California resident, you have the right to: Know what personal information is being collected about you; Know whether your personal information is sold or disclosed and to whom; Say no to the sale of personal information; Access your personal information; Request deletion of your person...
Monitoring
Affirm has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We are required by federal law to give you important information about how we collect, share, and protect your personal financial information. Federal law gives you the right to limit some but not all sharing of your personal financial information.— Excerpt from Affirm's Affirm Privacy Policy
REGULATORY LANDSCAPE: The Gramm-Leach-Bliley Act financial privacy rules, implemented by CFPB Regulation P, require annual privacy notices and opt-out rights for sharing with non-affiliated third parties outside specified exceptions. Joint marketing and service provider sharing are exempt from opt-out requirements under GLBA. CFPB has supervisory authority over Affirm's compliance with Regulation P as a nonbank financial service provider. GOVERNANCE EXPOSURE: Medium. The policy's statement that federal law limits opt-out rights to 'some but not all sharing' is accurate under GLBA but may not be sufficiently specific about which sharing categories are and are not subject to opt-out, creating disclosure adequacy risk under Regulation P. Affirm must also ensure that annual privacy notices are delivered in the required form and that opt-out mechanisms are functional and honored. JURISDICTION FLAGS: GLBA applies nationally to all U.S. Affirm customers. California's CCPA and CPRA provide broader opt-out rights that layer on top of GLBA for California residents. Vermont and other states have additional financial privacy requirements that may expand opt-out rights beyond the GLBA baseline. CONTRACT AND VENDOR IMPLICATIONS: Joint marketing agreements must satisfy GLBA's joint marketing exception requirements, including that the financial institution and its joint marketing partner are bound by an agreement restricting the partner's use of the shared information. Non-compliance with this contractual requirement eliminates the exception and may render the sharing unlawful under GLBA. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that GLBA annual notices are delivered on schedule, that opt-out mechanisms are clearly labeled and functional, that joint marketing partner agreements include the required use restrictions, and that the policy distinguishes which specific sharing categories are and are not subject to opt-out to satisfy Regulation P disclosure specificity requirements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
GLBA opt-out rights are narrower than many consumers expect: they apply to sharing with non-affiliated third parties for marketing but do not cover sharing for joint marketing arrangements or operational service providers.
You have a federal right to opt out of certain sharing of your financial information with non-affiliated third parties, but this right does not cover all sharing; Affirm may still share your data with joint marketing partners and service providers without your opt-out being effective.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Affirm.