Data Broker and Third-Party Marketing Partner Enrichment

What it is

Cash App states it receives inferred characteristics, advertising segments, and interest data about you from data brokers and advertising platforms, and uses this information to supplement the profiles it maintains about you.

Why it matters (compliance & governance perspective)

The policy states that profiles maintained about Cash App users may be enriched with externally sourced inferred characteristics and advertising segments from data brokers, which goes beyond transactional data collection and engages CCPA/CPRA rights to know about third-party data sources and opt out of their use.

This document changed recently

Consumer impact (what this means for users)

Cash App states it receives inferred characteristics, advertising segments, and interest and preference data from data brokers and advertising platforms to supplement user profiles; California residents have the right to know about these third-party data sources and the right to opt out of the sale or sharing of personal information under the CCPA/CPRA.

What you can do

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: The CCPA/CPRA requires disclosure of categories of third-party sources from which personal information is collected, including data brokers, and grants California residents the right to opt out of the sale or sharing of personal information. The FTC Act applies to data broker practices and may apply to the use of third-party inferred data in ways that are materially inconsistent with user expectations in a financial services context. Several states including Texas, Montana, and others have enacted or proposed data broker registration and consumer opt-out requirements. 2) GOVERNANCE EXPOSURE: High. The explicit disclosure that data broker-sourced inferred characteristics and advertising segments are used to supplement user profiles in a financial services context creates CCPA/CPRA exposure regarding the adequacy of opt-out mechanisms and the completeness of the list of third-party sources disclosed. The combination of financial transaction data with data broker enrichment also raises potential questions under GLBA regarding secondary use of nonpublic personal information. 3) JURISDICTION FLAGS: California residents have existing CPRA rights to opt out of data broker-sourced sharing and to request disclosure of specific third-party sources. Colorado, Connecticut, and Virginia residents may have similar rights under applicable state comprehensive privacy laws. Data broker registration laws in California and Vermont may require that entities receiving data broker information meet specific compliance requirements. 4) CONTRACT AND VENDOR IMPLICATIONS: Data broker and advertising platform vendor contracts should be reviewed to confirm that inferred data received is covered by appropriate data processing agreements and that data broker sources are sufficiently identified to meet CCPA/CPRA 'categories of sources' disclosure requirements. The notice identifies the category of sources broadly but does not name specific data broker vendors, which may require supplemental disclosure upon consumer rights requests. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should maintain a registry of data broker and advertising platform sources from which user profile enrichment data is received. The opt-out mechanism for sale or sharing of personal information should be tested to confirm it applies to data broker-sourced enrichment data as well as Cash App-originated data. GLBA analysis should assess whether data broker enrichment falls within or outside permitted secondary use of nonpublic personal information.

Applicable agencies

Provision details

Other risks in this policy

• Biometric Data Collection high
• AI and Machine Learning Training Using Personal Data high
• Precise Geolocation Collection medium
• Credit Risk and Behavioral Profile Inference high
• Sharing with Affiliates Including Square medium
• Employment Information Collection medium