Why Revolut is going to start sharing your data with credit bureaus

7 Nov 2019


Digital challenger bank Revolut is rolling out a series of new data practices that every customer is opted into by default.

From 12 November, Revolut will share user data with credit bureaus, social media companies and analytics firms. The changes to the privacy policy were announced in an email sent out to users earlier this week.

The company said that user data will be shared by default, instead of expressly asking users for consent prior to sharing. If users do not want to have their data shared, they need to opt out. When asked by Siliconrepublic.com, Revolut declined to comment on why users are automatically opted into these measures.

To opt out of having information shared for targeted marketing purposes, users have to go to the settings button in the top-right corner of the dashboard tab in the app. From there, users can click the ‘privacy’ option under the security sub-heading and toggle the opt-out button there.

Screenshot from Revolut app, showing how settings look when targeted advertising is turned off. Image: Eva Short

If users do not want their information shared with credit bureaus, however, the process is a little more complicated. Customers need to go to the chat button, also in the top-right of the dashboard tab, and then scroll down to the very bottom and click ‘new chat’.

From there, users will have to write in saying that they do not want their data shared with credit bureaus. Upon doing so, users are instructed that the changes will be implemented within 24 hours, and that sending any further response will reverse the opt-out instruction.

Screenshot from Revolut app. Image: Eva Short

When asked why the credit bureau opt-out does not have a toggle option, the company said that since the data is provided to credit agencies once a month, it is better to have a record via email or chat to ensure that the status of consent is as accurate as possible.

Revolut also said that data provided to credit agencies would not impact a user’s credit score, except in the case where a user applies for credit products through the app. The company noted that this is the case with any credit product in general.

The data will be sent, the company said, to credit bureaus to help Revolut form its future lending strategies and develop its own credit products by determining what it thinks its customers can afford.

‘A better user experience’

A spokesperson from Revolut said in a statement: “We are proactively informing customers of changes to our privacy policy that will be introduced on 12 November in order to allow time for users to choose how we treat and use their data.

“Any data we do collect is used in order to provide a better user experience, through targeted products and pricing, and the customer remains in control of their data at all times. As clearly stated in the terms and conditions, Revolut will never sell customer data.”

According to Revolut, data collected and sent to analytics companies is to help provide relevant customer advertisements. The information, which can include names and email addresses, will be hashed. Hashing data is a form of cryptographic security, but it is not regarded as the same as encryption. This data will be collected and sent to advertisers, according to Revolut, to inform customers of products that may benefit them.
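Why a hashed email address still works as a stable identifier, shown as an added example that is not from the article or from Revolut. The article does not say which hash is used; SHA-256 over a trimmed, lowercased address is an assumption, and all addresses and the key below are constructed.

```python
import hashlib
import hmac

def normalize(email: str) -> str:
    """Trim and lowercase so the same address always produces the same digest."""
    return email.strip().lower()

def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 (assumed algorithm): anyone can recompute it."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA-256: only a holder of `key` can recompute the digest."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()

def match(shared_digests, recipient_emails, digest_fn):
    """Return the recipient's own contacts whose digest appears in the shared list."""
    shared = set(shared_digests)
    return sorted(e for e in map(normalize, recipient_emails) if digest_fn(e) in shared)

# Constructed sample data; not real customers.
SENDER_CUSTOMERS = ["Alice@example.com ", "bob@example.com", "carol@example.com"]
RECIPIENT_CONTACTS = ["alice@example.com", "dave@example.com", "BOB@example.com"]
SENDER_KEY = b"constructed-demo-key-held-only-by-sender"

def demo():
    shared_plain = [plain_hash(e) for e in SENDER_CUSTOMERS]
    shared_keyed = [keyed_hash(e, SENDER_KEY) for e in SENDER_CUSTOMERS]
    # The recipient does not hold SENDER_KEY, so it can only guess one.
    guessed_key = b"recipient-guess"
    return {
        # No key is involved, so equal addresses give equal digests on both sides.
        "plain": match(shared_plain, RECIPIENT_CONTACTS, plain_hash),
        # Without the sender's key, the recipient's digests do not line up.
        "keyed": match(shared_keyed, RECIPIENT_CONTACTS,
                       lambda e: keyed_hash(e, guessed_key)),
    }

if __name__ == "__main__":
    print(demo())
```

The unkeyed digests let the recipient line up the shared list with addresses it already holds, which is why hashed identifiers are usually treated as pseudonymous rather than anonymous data.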

The company also said that collecting this data will help it recommend other services to users within the Revolut app. The digital bank also said that it would collect location and usage data in order to let users know if their contacts are nearby or if they have used similar products, in order to help with social interactions.

‘A matter of urgency’

The Irish Data Protection Commission (DPC) has confirmed that it is in talks with Revolut regarding the planned changes to the privacy policy.

It said in a statement: “The DPC has contacted Revolut as a matter of urgency in relation to changes it has made to its privacy policy to ensure compliance with the GDPR.” It also noted, however, that the DPC is not the lead supervisory authority for Revolut.

Under GDPR, direct marketing generally requires affirmative consent, such as by specifically opting in, under regulation 13 of the EU ePrivacy Regulations. There are some exceptions, however, such as when a company is marketing its own products or services to its users.

Updated, 1:39pm, 8 November 2019: This article was updated to include comments from the Irish Data Protection Commissioner and information about GDPR.

Eva Short was a journalist at Silicon Republic