Author: Alena Sarri, Managing Director, Aquatots Swim School
Fintech data privacy should be a given for platforms handling your bank details, Social Security numbers and transaction history. Yet the most rigorous data protection practices in 2025 don’t come from Silicon Valley or Wall Street. They come from your local children’s swim school.
That comparison sounds ridiculous on the surface. However, enforcement records, breach data and peer-reviewed research across three continents tell a different story. Small businesses handling children’s personal information routinely outperform well-funded fintech data privacy programs on consent management, data minimisation and security controls. Here’s why that gap should concern everyone in the industry.
Fintech Data Privacy Breaches No One Can Ignore
The breach record is brutal. Cash App’s 2021 incident exposed brokerage data for 8.2 million customers after a former employee downloaded records without authorisation. In January 2025, the CFPB ordered Block (Cash App’s parent) to pay $175 million for weak security protocols and what regulators called intentionally poor dispute investigation. On top of that, 48 state regulators added another $80 million in fines for anti-money-laundering failures.
Robinhood’s November 2021 breach compromised 7 million customers through a social engineering attack on a support employee. As a result, the SEC levied a $45 million fine in January 2025 for unaddressed cybersecurity vulnerabilities. Meanwhile, the Evolve Bank ransomware attack in mid-2024 hit 7.6 million people across more than 15 fintech partners, including Affirm, Mercury and Wise. This breach happened just two weeks after the Federal Reserve issued a cease-and-desist against Evolve for unsafe banking practices.
These are not isolated incidents either. SecurityScorecard found that 41.8% of fintech breaches originate from third-party vendors, and nearly half of breached fintechs were repeat victims. According to IBM’s 2025 report, the average financial-sector breach now costs $6.08 million. Finance overtook healthcare as the most-breached sector in 2023, accounting for 27% of all tracked data breaches. For platforms that rely on AI for fraud detection, the irony is hard to miss.
What Swim Schools Get Right About Protecting Data
Now consider what a typical swim school collects during enrolment: a child’s full name, date of birth, medical conditions (epilepsy, asthma, allergies), emergency contacts, payment details and often lesson photographs. Despite operating on thin margins with no compliance department, these businesses implement fintech data privacy controls that most payment platforms skip entirely.
For example, Diamond Swim Academy in the UK deletes all customer data within 12 months of the last lesson. K&K Swim School in Canada collects only information essential for participation and reviews its privacy policy annually. Similarly, Swim4Life in Australia registers under the Notifiable Data Breaches scheme and commits to acknowledging privacy complaints within 14 days.
Photography policies reveal the starkest contrast. Under Swim England’s Wavepower framework, lesson photography requires explicit written consent with restrictions on angles, individual shots and photographer background checks. Compare that to fintech platforms that bury data-sharing permissions inside terms of service running dozens of pages.
In fact, a peer-reviewed study published in Electronic Markets found that fintech data privacy statements got worse after GDPR, not better. Researchers at the Universities of Regensburg and Bremen analysed 276 to 308 privacy policies from German fintechs. Their conclusion was stark: young companies prioritise core business over privacy compliance. They also found mimicking behaviour, with fintechs copying peers’ policies rather than doing genuine compliance work. That pattern sits in sharp contrast to swim schools, which build privacy practices around child safeguarding obligations with real consequences for failure.
The Regulatory Gap Keeps Growing
Here is where the structural problem shows up. Under COPPA (updated April 2025 with bipartisan support), any service directed at children under 13 must obtain verifiable parental consent before collecting personal information. Penalties reach $53,088 per violation per day. Epic Games paid $520 million for COPPA violations. Microsoft paid $20 million over Xbox children’s data collection.
In contrast, fintech data privacy rules amount to a patchwork of far less demanding requirements. Where banks must comply with the federal Gramm-Leach-Bliley Act, fintechs operate under state privacy laws. A 2022 Treasury Department report found virtually no regulatory oversight of data aggregators’ storage of consumer financial information. For platforms handling cross-border transactions across multiple jurisdictions, the compliance gaps multiply further.
The EU’s Digital Operational Resilience Act (DORA), effective January 2025, signals the end of the “move fast and break things” era for European financial services. It requires documented ICT risk management, incident reporting within hours and penalties up to 2% of annual worldwide turnover. Australia’s 2024 privacy reforms introduced a statutory tort for serious privacy invasions with damages up to AUD $478,550 per individual. These developments represent a clear shift toward fintech data privacy enforcement with teeth.
Still, the gap between fintech data privacy rhetoric and on-the-ground reality remains wide. Consumer trust in fintechs sits at 5.8 out of 10 compared to 7.6 for traditional banks, according to RFI Global’s 2024 data. The UK’s Payment Systems Regulator found neobanks Monzo and Starling had the highest fraudulent activity rates in 2022. Understanding the risks emerging financial models carry matters more than ever as consumer exposure grows.
Children’s data protection frameworks, built on default restriction, verified consent and the best-interests principle, offer a proven model. The question is whether fintech data privacy standards will rise to meet that benchmark before regulators force the issue.
