As Regulators Probe BNPL Practices, Data Privacy and Localization Rules Come Into Play

As more consumers begin using buy now, pay later (BNPL) offerings, regulators will not be far behind.

Regulatory bodies have an interest in ensuring that consumers aren’t accumulating debt that they have difficulty repaying, so they are likely to focus on trust and transparency, ensuring customers can make informed choices.

“It’s going to be a very interesting landscape, I think, over the next six months to watch and see how things evolve,” Julie Rea, vice president of compliance and risk at Digital River, told PYMNTS.

California and Germany Lead the Way 

In the U.S., California is leading the way in examining BNPL offerings and regulating them as loan products. Rea said she expects that other states will follow California’s lead, as they have done on other issues such as emission standards and privacy regulations.

“Regulations are going to be rooted in consumer protection, ensuring that consumers understand the implications of the plans, any fees that might be associated and any ramifications that there may be for late or missed payments,” Rea said.

Germany seems to be the European Union (EU) leader on BNPL and is expected to implement new regulations.

“Paying in installments in Germany is becoming increasingly popular, but with that popularity — Germany being on that leading edge — they’re concerned with ensuring that their citizens understand whether those offered terms are more expensive than other consumer-facing options, whether those low installment rates and due dates that seem to be sort of further out in the distant future might tempt consumers to act hastily and put them at risk of accumulating debt,” Rea said.

Once the laws in California and Germany go into effect, the industry will see how they start to play out and how they affect consumers.

Data Privacy and Data Localization Are Trending 

Businesses must also pay attention to data privacy regulations. In the EU, the General Data Protection Regulation (GDPR) has set forth the framework for processors of personal data and the ways they can use and protect the data.

In the U.S., there is no single privacy law — privacy rights have been granted on a sector-by-sector basis, with health information covered by the Health Insurance Portability and Accountability Act (HIPAA) and bank information covered by the Gramm-Leach-Bliley Act (GLBA).

California has led the way here, too, and other states are following with their own comprehensive privacy laws. These include mandates for data minimization — requiring that businesses only collect the data that they need for the transaction, don’t keep more data than they need for longer than they need and ensure that they have the appropriate safeguards around that data.

“As you see in the news, there have been massive fines in the EU for not keeping data secure, for large data breaches — even small breaches can expose you to risk of fines,” Rea said. “It’s very costly to manage through any sort of event with regulators, so it really behooves businesses to do this right, upfront, and to get it right, keep data secure and don’t keep more data than you need.”

Another trend is around data localization laws and laws that govern not only what you can do with data but where you can store it. Some countries are mandating that businesses store data within their borders, with cross-border transfers only allowed under certain circumstances.

“That could force businesses to change some of their business practices and even their business models,” Rea said.