Is Your Bank Keeping Your Secrets? New Study Says 'It's Complicated'

University of Michigan

University of Michigan researchers find that many banks send mixed messages about whether they share customer data

Study: Layered, overlapping, and inconsistent: A large-scale analysis of the multiple privacy policies and controls of U.S. banks (DOI: 10.1145/3719027.3765072)

Banks are among the most tightly regulated institutions in the United States, but a new University of Michigan study suggests they may be sharing customers' personal data far more freely than most people realize.

The researchers analyzed privacy policies from more than 2,000 of the nation's largest banks and found a maze of contradictory, confusing, and overlapping disclosures about how customer information is collected, used, and shared. Nearly half of the banks examined published multiple privacy policies, often with inconsistent statements that make it hard for consumers to know what really happens to their data.

"In many cases, banks claimed they don't share customer data with outside parties in a federally required U.S. Consumer Privacy Notice, yet disclosed such sharing elsewhere or deployed marketing tracking cookies without acknowledgement," said study lead author Lu Xian, doctoral student at the U-M School of Information.

The analysis, partially supported by the National Science Foundation (Award No. 2105734 and No. 2334996), matters because it raises concerns about transparency in the financial industry and the effectiveness of existing privacy laws.

The team focused on third-party data sharing for marketing, one of the most privacy-sensitive practices. They found frequent mismatches between what banks report under the Gramm-Leach-Bliley Act (a federal law requiring financial institutions to tell customers in a concise two-page notice how they share personal information and safeguard it) and what they disclose in other parts of their websites.


"The issue is that the federal law requires a short notice, but that banks now have so many other privacy notices accompanying their online services and mobile apps that the simplified federal notice now often provides an incomplete if not misleading picture of a bank's data practices," said Florian Schaub, U-M associate professor of information and the study's principal investigator.

The study highlights how overlapping and fragmented privacy laws can create confusion for both banks and their customers, ultimately undermining transparency and trust. Consumers share vast amounts of personal information with their banks to manage salaries, bills and savings, data that can then be passed to third parties for advertising or analytics, potentially influencing access to financial products or even health care options, the researchers noted.

To better protect their data, consumers can:

  • Use the "To limit sharing" box in the U.S. consumer privacy notice to restrict financial data sharing.
  • Click the "Do Not Sell My Personal Information" link on bank homepages or enable Global Privacy Control in their browsers to limit third-party data sharing under state privacy laws such as the California Consumer Privacy Act.
  • Manage or reject advertising cookies through website banners, browser settings or industry opt-out tools.

In addition to Xian and Schaub, other researchers on the study included Lauren Lee and Meera Kumar of U-M, Yichen Zhang of the University of Wisconsin and Van Hong Tran of the University of Chicago. The analysis will be presented at the ACM Conference on Computer and Communications Security Oct. 13-17.
