A recent study from the University of Michigan has found that U.S. banks may be sharing customer data more widely than many people realize, despite strict federal regulations. The research team analyzed privacy policies from over 2,000 major banks and discovered that nearly half published multiple privacy policies with conflicting or unclear statements about how personal information is collected, used, and shared.
“In many cases, banks claimed they don’t share customer data with outside parties in a federally required U.S. Consumer Privacy Notice, yet disclosed such sharing elsewhere or deployed marketing tracking cookies without acknowledgement,” said Lu Xian, lead author of the study and a doctoral student at the University of Michigan School of Information.
The study was partly funded by the National Science Foundation and focused on third-party data sharing for marketing purposes. Researchers found discrepancies between what banks report under the Gramm-Leach-Bliley Act—a law requiring financial institutions to provide customers with a clear notice about data sharing—and what is disclosed in other sections of their websites.
“The issue is that the federal law requires a short notice, but that banks now have so many other privacy notices accompanying their online services and mobile apps that the simplified federal notice now often provides an incomplete if not misleading picture of a bank’s data practices,” said Florian Schaub, associate professor of information at the University of Michigan and principal investigator for the study.
The findings point to challenges created by overlapping and fragmented privacy laws. This complexity can confuse both consumers and banks, making it difficult for individuals to understand how their personal information is handled. According to the researchers, consumers routinely provide sensitive details to manage their finances—information that could end up being shared with third parties for advertising or analytics. This could affect access to financial products or even health care options.
In addition to Xian and Schaub, contributors to the study included Lauren Lee and Meera Kumar from the University of Michigan, Yichen Zhang from the University of Wisconsin, and Van Hong Tran from the University of Chicago. The results will be presented at the ACM Conference on Computer and Communications Security taking place October 13-17.
