Sharing with Affiliates Including Square

What it is

Cash App states it may share your personal information with its parent company Block, Inc. affiliates including Square and other business units within the Block corporate group.

Why it matters (compliance & governance perspective)

The policy identifies internal affiliates including Square as a category of entities with whom personal data collected through Cash App may be shared, which means data provided to Cash App may flow across Block's broader suite of business and financial services products.

This document changed recently

Consumer impact (what this means for users)

The policy states that personal information collected through Cash App may be shared with Block, Inc. group companies including Square; users should be aware that data provided in the context of personal payments may be accessible across Cash App's affiliated business services platforms.

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: Intragroup data sharing within a financial services group engages GLBA, which permits sharing of nonpublic personal information with affiliated entities subject to notice and, in some cases, opt-out requirements. The CCPA/CPRA applies to sharing within a common ownership group if the entities operate under separate brand identities, and users retain the right to opt out of sharing that constitutes a 'sale' or 'sharing' under CPRA. FTC oversight applies to deceptive representations about the scope of affiliate data sharing. 2) GOVERNANCE EXPOSURE: Medium. The notice discloses affiliate sharing broadly but does not specify which categories of personal data are shared with specific affiliates, or the purposes for which each affiliate uses the data. This level of generality may be sufficient under GLBA affiliate disclosure requirements but may require more specificity to satisfy CCPA/CPRA 'categories of third parties' disclosure standards. 3) JURISDICTION FLAGS: California residents have CPRA rights to opt out of sharing with affiliates where that sharing constitutes 'cross-context behavioral advertising.' GLBA affiliate sharing opt-out rights apply to all US residents for certain categories of information. The adequacy of the current disclosure for multi-state compliance should be assessed against each applicable state privacy law. 4) CONTRACT AND VENDOR IMPLICATIONS: Intragroup data sharing agreements between Cash App and Square and other Block affiliates should be reviewed to confirm they address data minimization, purpose limitation, and applicable state privacy law compliance. If affiliates use shared data for their own marketing or product development, additional consumer notice or opt-out mechanisms may be required. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should maintain a current inventory of Block affiliate entities that receive Cash App user data and the specific data categories and purposes involved. GLBA affiliate sharing notices should be reviewed for accuracy. CCPA/CPRA 'Do Not Sell or Share My Personal Information' mechanisms should be tested to confirm they apply to affiliate sharing that constitutes cross-context behavioral advertising.

Applicable agencies

Provision details

Other risks in this policy

• Biometric Data Collection high
• AI and Machine Learning Training Using Personal Data high
• Data Broker and Third-Party Marketing Partner Enrichment high
• Precise Geolocation Collection medium
• Credit Risk and Behavioral Profile Inference high
• Employment Information Collection medium