Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.
At 1,400 words, this briefing is about a 6-minute read.
At a glance.
- New research reveals privacy risks on buy now, pay later apps.
- $8 billion Meta lawsuit set to begin.
New report reveals privacy risks in popular buy now, pay later apps.
The news.
On Wednesday, Incogni, a data broker removal service, released new research examining how popular Buy Now, Pay Later (BNPL) applications collect and share user data, including sensitive personal information. From this research, Incogni found that on average, “[BNPL] apps collected fourteen data types concerning their users and shared five with third parties.”
Incogni’s head, Darius Belejevas, highlighted the tension between convenience and privacy, writing:
“Access to affordable credit is vital for many consumers, especially in difficult times. However, this convenience comes with significant trade-offs. Our research shows that millions of users’ data is shared widely, often without their knowledge. The growing use of BNPL apps must be balanced with strong privacy protections to ensure users’ financial and personal data are not exposed and exploited.”
The knowledge.
Incogni’s research looked at some of the largest BNPL applications such as Klarna, Afterpay, Affirm, Zip, Uplift, Four, and Sezzle. According to Incogni’s research, data collection practices vary widely across providers. Incogni found:
- Afterpay collected the most data, collecting twenty different data types.
- Klarna and Uplift followed closely behind Afterpay, each collecting nineteen data types.
- Afterpay shared seventeen of its collected data types with third parties, including credit scores.
- Sezzle and Zip tracked users’ web-browsing histories, while Klarna collected in-app messaging data.
- Most apps, except for Four, also gathered and shared user location data.
While these headline findings are only a small portion of Incogni’s research, they reflect a significant concern within a rapidly expanding industry regarding both data collection and data privacy.
Outside of data collection, many of these BNPL services have had a concerning history of data breaches. Incogni noted three instances where these services were tied to data breaches.
- In 2021, Klarna suffered a breach that allowed users to access other people’s accounts.
- That same year, Block, which now owns Afterpay, experienced a data breach that exposed the personal data of 8.2 million users.
- In 2024, Affirm’s partner, Evolve Bank, was breached, resulting in the exposure of Affirm customers’ personal data.
These privacy concerns are particularly relevant given the growing popularity of BNPL applications. In 2025, CapitalOne found that nearly one in five American consumers had used BNPL services in 2023, and estimated that 86.5 million Americans used them in 2024, a year-over-year increase of nearly seven percent.
While BNPL services are not alone in facing privacy concerns, they represent a rapidly expanding financial service whose privacy practices remain largely unaddressed.
The impact.
As BNPL services continue to grow in popularity, the privacy risks to their users will grow with them. While these services do offer greater financial flexibility, Incogni’s findings emphasize the clear need for greater oversight and transparency in the sector.
For both consumers and retailers who partner with these BNPL applications, it is important to understand what data is being collected, shared, and stored by these organizations. While BNPL services are certainly not the only fintech providers that have privacy concerns, the rapid emergence of the industry warrants greater attention and accountability.
Meta privacy lawsuit kicks off.
The news.
This week, another high-profile lawsuit kicked off between Meta and its shareholders. The lawsuit stems from shareholders alleging that Meta violated a 2012 agreement between Facebook and the Federal Trade Commission (FTC) to protect user data. More specifically, the plaintiffs accuse Meta’s Chief Executive Officer, Mark Zuckerberg, of operating Facebook as an illegal enterprise that allowed user data to be harvested without consent.
Defendants include former Chief Operating Officer Sheryl Sandberg, current board member Marc Andreessen, and former board members Peter Thiel, Palantir Technologies, and Reed Hastings.
The non-jury trial began on Wednesday, July sixteenth, and is scheduled to last eight days. Furthermore, Mark Zuckerberg is expected to testify during the trial.
The knowledge.
While this trial is the most recent and most high-profile case against Meta, its origins date back to 2018, when Cambridge Analytica scraped data from millions of Facebook users. At the time, the political consulting firm harvested data from over fifty million Facebook users without their consent for political modeling purposes. The fallout from this incident saw Facebook face numerous governmental inquiries both domestically and internationally, as well as numerous lawsuits from its users.
Beyond seeking financial penalties, the trial also seeks to establish what Meta’s board knew about the data harvesting and when it became aware of it. Although the misconduct is well-documented, the plaintiffs face an uphill battle. Perhaps their most difficult challenge is proving that Facebook’s directors utterly failed in their oversight duties. Furthermore, the plaintiffs will also need to prove that Zuckerberg and Sandberg knowingly caused the company to violate the law. Lastly, the plaintiffs allege that Zuckerberg offloaded his stock in advance of the 2018 story breaking to earn over a billion dollars in profit.
Legal experts have noted that this may be the first trial to test some of these claims, meaning that the burden of proof will be especially high for the plaintiffs to have a ruling in their favor.
The impact.
While this lawsuit is far from concluded, it could carry significant implications not only for those directly involved but also for the broader tech industry and for user data rights. A ruling in favor of the plaintiffs could set a new precedent for how platforms must handle user data and how legally accountable their board members are.
Facebook users should stay informed and monitor this trial as it continues to unfold. While the trial will take some time to resolve, its outcome could affect them directly.
Highlighting key conversations.
In this week’s Caveat Podcast, our team covers the Department of Justice’s (DOJ) lawsuit against the entire federal district court in Maryland. In this story, our team breaks down this lawsuit where the DOJ claims that the Maryland court overstepped when it issued a forty-eight-hour pause on deportations. Alongside this story, our team also looks into the Electronic Frontier Foundation (EFF) telling a Virginia Appeals Court that Constitutional privacy protections prevent law enforcement from using reverse keyword search warrants. The EFF noted how these warrants invert privacy protections, threaten free speech and inquiry, and conflict with the Fourth Amendment.
Like what you read, and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other noteworthy stories.
UK arrests four people tied to cyberattacks.
What: Four people were arrested as part of an investigation into cyberattacks that targeted several major organizations.
Why: Last week, Britain’s National Crime Agency announced that it had arrested four people allegedly tied to a ransomware attack that targeted retailer Marks & Spencer (M&S) in April. For reference, this incident involved ransomware forcing M&S to suspend its online shopping for several weeks and is estimated to have cost the company over $400 million in operating profits.
The four arrestees are currently being detained by the police under suspicion of the following:
- Computer Misuse Act offences
- Blackmail
- Money laundering
- Participating in organized crime
Pennsylvania passed a new law criminalizing nonconsensual AI impersonation.
What: Governor Josh Shapiro signed SB 649 into law, which defines deepfakes and establishes criminal penalties associated with publishing them.
Why: On July 7th, Pennsylvania passed SB 649, which makes creating nonconsensual digital impersonations a first-degree misdemeanor and raises the offense to a third-degree felony when the impersonation is made with fraudulent intent.
In a statement, Governor Shapiro stated, “by signing this bill into law, we’re sending a clear message that if you use [artificial intelligence] to defraud or exploit Pennsylvanians, you will be held accountable.”
Pennsylvania now joins over a dozen other states that have introduced and passed deepfake legislation related to artificial intelligence.
