Layered, Overlapping, and Inconsistent: A Large-Scale Analysis of the Multiple Privacy Policies and Controls of U.S. Banks
Lu Xian, Van Tran, Lauren Lee, Meera Kumar, Yichen Zhang, Florian Schaub
TL;DR
This study analyzes the privacy disclosures of the 2,073 largest U.S. banks to understand how GLBA, CCPA, and other laws shape policy multiplicity and consumer control. It finds that nearly half of banks provide multiple privacy policies, which, together with long, complex text, reduces readability and increases consumer confusion. A central result is widespread inconsistency: many banks say they do not share for GLBA-defined marketing purposes yet disclose sharing elsewhere, and many fail to provide adequate opt-outs, especially for CCPA and cookie-related practices. The authors recommend harmonizing privacy requirements across laws, expanding GLBA disclosures to reflect modern data practices, and centralizing opt-out mechanisms to restore transparency and consumer empowerment. The work also contributes a labeled dataset and methodological pipeline for policy analysis that can support ongoing monitoring and cross-sector studies.
Abstract
Privacy policies are often complex. An exception is the two-page standardized notice that U.S. financial institutions must provide under the Gramm-Leach-Bliley Act (GLBA). However, banks now operate websites, mobile apps, and other services that involve complex data sharing practices that require additional privacy notices and do-not-sell opt-outs. We conducted a large-scale analysis of how U.S. banks implement privacy policies and controls in response to GLBA; other federal privacy policy requirements; and the California Consumer Privacy Act (CCPA), a key example for U.S. state privacy laws. We focused on the disclosure and control of a set of especially privacy-invasive practices: third-party data sharing for marketing-related purposes. We collected privacy policies for the 2,067 largest U.S. banks, 45.2% of which provided multiple policies. Across disclosures and controls for the same bank, we identified frequent, concerning inconsistencies: 53.8% of banks with multiple privacy policies indicated in GLBA notices that they do not share with third parties but disclosed sharing in other policies. This multiplicity of policies, with the inconsistencies it causes, may create consumer confusion and undermine the transparency goals of the very laws that require them. Our findings call into question whether current policy requirements, such as the GLBA notice, are achieving their intended goals in today's online banking landscape. We discuss potential avenues for reforming and harmonizing privacy policies and control requirements across federal and state laws.
