
A description of data sharing and an indication of whether consumers can limit corresponding sharing practices in the GLBA Notice. Credit: arXiv (2025). DOI: 10.48550/arxiv.2507.05415
Banks are among the most highly regulated institutions in the United States, but new research from the University of Michigan suggests they may be sharing customers’ personal data much more freely than most people realize.
Researchers analyzed the privacy policies of more than 2,000 of the nation’s largest banks and found a maze of contradictory, confusing and overlapping disclosures about how customer information is collected, used and shared. Almost half of the banks examined had multiple publicly available privacy policies, which were often inconsistently written and made it difficult for consumers to know what actually happens to their data.
“In many cases, banks claimed in the federally required U.S. Consumer Privacy Notice that they did not share customer data externally, yet disclosed such sharing elsewhere or deployed marketing tracking cookies without authorization,” said study lead author Lu Xian, a doctoral student in the UM School of Information.
This analysis, posted on the arXiv preprint server, is important because it raises concerns about transparency in the financial industry and the effectiveness of existing privacy laws.
The team focused on one of the least privacy-friendly practices: third-party data sharing for marketing. They found frequent discrepancies between what banks report under the Gramm-Leach-Bliley Act (GLBA), a federal law that requires financial institutions to tell customers in a concise two-page notice how their personal information will be shared and protected, and what they disclose on other parts of their websites.
“The problem is that while federal law requires short notices, banks currently have so many privacy notices attached to their online services and mobile apps that abbreviated federal notices often provide an incomplete, if not misleading, picture of a bank’s data practices,” said Florian Schaub, UM associate professor of information and lead researcher on the study.
This study highlights how overlapping and fragmented privacy laws can cause confusion for both banks and their customers, ultimately undermining transparency and trust. Consumers share vast amounts of personal information with banks to manage paychecks, bills and savings, and that data can be passed on to third parties for advertising and analysis, potentially impacting access to financial products and health care options, the researchers said.
To better protect their data, consumers can:
Use the “Limit Sharing” box in the U.S. Consumer Privacy Notice to limit the sharing of their financial data.
Click the “Do Not Sell My Personal Information” link on their bank’s homepage or enable global privacy controls in their browser to limit third-party data sharing under state privacy laws, such as the California Consumer Privacy Act.
Manage or reject advertising cookies through website banners, browser settings, or industry opt-out tools.
In addition to Xian and Schaub, the study's authors included Lauren Lee and Meera Kumar of UM, Yichen Zhang of the University of Wisconsin, and Van Hong Tran of the University of Chicago. The analysis will be presented at the ACM Conference on Computer and Communications Security (ACM CCS 2025), October 13-17 in Taipei, Taiwan.
Further information: Lu Xian et al. “Layered, Overlapping, and Inconsistent: A Large-Scale Analysis of the Multiple Privacy Policies and Controls of US Banks,” arXiv (2025). DOI: 10.48550/arxiv.2507.05415
Journal information: arXiv
Provided by University of Michigan
Citation: Is your bank protecting your secrets? New study says it’s ‘complicated’ (October 9, 2025). Retrieved October 10, 2025 from https://techxplore.com/news/2025-10-bank-secrets-complicated.html
