Fintech ‘unicorn’ Klarna probed over data misuse
Online bank blames misuse of user data on human error as Information Commissioner’s Office weighs in
The Information Commissioner’s Office (ICO) is investigating online bank Klarna over an apparent accidental misuse of data obtained from the online retailers to which it provides services.
The ICO received more than 90 complaints from angry consumers who received a weekly newsletter email from Klarna on 12 October 2020, despite never having used its service themselves, or given it their data or permission to use it.
Klarna, which is based in Stockholm, is one of a number of startups described as a unicorn – meaning it has a valuation of more than a billion dollars. It is best known for providing “buy now, pay later” payment services to online retailers, enabling consumers to take advantage of interest-free financing on sites such as Asos, H&M, River Island and Topshop.
However, besides financing purchases for consumers, it also supplies checkout services to retailers to allow them to process payments on their website, which means it processes all credit and debit card transactions made on their site, and collects data to do this, including personal data, which is how it obtained the data in question.
An ICO spokesperson said: “Businesses should only contact individuals for electronic marketing purposes where consent has been provided or, in limited circumstances, where they have an existing relationship with a customer. Some members of the public have made us aware of an email sent by Klarna and we will be making enquiries.”
A spokesperson for Klarna said: “We are aware that on 12 October, some people received our weekly newsletter by mistake. This was a human error and the email was incorrectly sent, for which we are extremely sorry.
“The email was sent to Klarna consumers who have recently used one of Klarna’s products or services, including Klarna’s checkout technology. When you use Klarna, you agree to our terms and conditions and our privacy notice.
“Please rest assured, you have not been added to a marketing database. In accordance with our internal policies, you will not receive any further newsletters unless you opt in or download our app at a later date.
“We are currently investigating how this happened and are taking action to ensure nothing like this can happen again in the future.”
Richard Mathias, senior technology architect at LiveArea, a supplier of e-commerce services, said the disruption caused by the Covid-19 pandemic meant more and more consumers were interacting with brands online, and were encountering services such as Klarna for the first time. He said it was incumbent on the e-commerce sector to do its best to engender trust in this process.
“During times such as those we have faced this year, it is certainly not the time to be breaking trust with consumers,” said Mathias. “A slip such as this is potentially damaging not just for Klarna, but also the retailer in question.
“In this instance, we are talking about the clarity and control in what we share with brands and third parties. Clear opt-in and opt-out capabilities and terms give users control. Providing flexibility in their settings, choices about their workflow, options around their data and absolute transparency allows customers to feel authentic engagement and build trust.
“A slip such as this can completely undermine that consumer trust element, and make us question those other elements of trust, which, in today’s ‘cancel culture’, can be extremely damaging.”
Camilla Winlo, director of consultancy services at privacy and data protection specialist DQM GRC, said Klarna appeared to be “confused” about its obligations under the General Data Protection Regulation (GDPR), particularly with regard to the information it provides to shoppers about its use of their data, and how they consent to handing it over.
Klarna claims that by using its checkout technology the consumer agrees to its terms and conditions and privacy notice but this cannot indicate consent to marketing under GDPR, said Winlo, because consent requires shoppers to be fully informed, to have a free choice about whether or not to consent, and an explicit mechanism to do so.
She added that Klarna’s privacy notice appeared to be at odds with its explanation regarding the lawful basis for processing personal data for marketing and noted that the firm also seemed confused over whether or not it even believed it had legitimate interest in processing consumer data for marketing, given that the firm’s spokesperson was allowed to say it was taking action to ensure this could not happen again.
Winlo said Klarna should: ensure that all the online retailers that use its technology make it clear what data is being given to Klarna and under what services; take action to ensure the data shared with it is only made available to teams and processes with a legitimate business reason; and take steps to offer more clarity about the legal basis it is using for data processing.
Consumers who are concerned after having received Klarna’s emails can learn more about their rights to find out what personal data organisations hold on them, how they are using and sharing it, and where they got it, from the ICO. Consumers may also object to the use of their data.