Layered, Overlapping, and Inconsistent: A Large-Scale Analysis of the Multiple Privacy Policies and Controls of U.S. Banks
Lu Xian, Van Tran, Lauren Lee, Meera Kumar, Yichen Zhang, Florian Schaub

TL;DR
This large-scale analysis reveals significant inconsistencies in U.S. banks' privacy policies regarding third-party data sharing, raising concerns about transparency and consumer understanding under current legal frameworks.
Contribution
The study provides a comprehensive analysis of privacy policy inconsistencies among major U.S. banks, highlighting gaps between disclosures and actual practices.
Findings
53.8% of banks with multiple policies show inconsistencies
Many banks disclose no third-party sharing in GLBA notices but do so elsewhere
Inconsistencies may undermine transparency and consumer trust
Abstract
Privacy policies are often complex. An exception is the two-page standardized notice that U.S. financial institutions must provide under the Gramm-Leach-Bliley Act (GLBA). However, banks now operate websites, mobile apps, and other services that involve complex data sharing practices that require additional privacy notices and do-not-sell opt-outs. We conducted a large-scale analysis of how U.S. banks implement privacy policies and controls in response to GLBA; other federal privacy policy requirements; and the California Consumer Privacy Act (CCPA), a key example for U.S. state privacy laws. We focused on the disclosure and control of a set of especially privacy-invasive practices: third-party data sharing for marketing-related purposes. We collected privacy policies for the 2,067 largest U.S. banks, 45.2% of which provided multiple policies. Across disclosures and controls for the…
