Abstract
Financial institutions in the United States are required by the Gramm-Leach-Bliley Act to provide annual privacy notices. In 2009, eight federal agencies jointly released a model privacy form for these disclosures. While the use of this model privacy form is not required, it has been widely adopted. We automatically evaluated 6,191 U.S. financial institutions’ privacy notices posted on the World Wide Web. We found large variance in stated practices, even among institutions of the same type. While thousands of financial institutions share personal information without providing the opportunity for consumers to opt out, some institutions’ practices are more privacy protective. Regression analyses show that large institutions and those headquartered in the northeastern region share consumers’ personal information at higher rates than all other institutions. Furthermore, our analysis helped us uncover institutions that do not let consumers limit data sharing when legally required to do so, as well as institutions making self-contradictory statements. We discuss implications for privacy in the financial industry, issues with the design and use of the model privacy form on the World Wide Web, and future directions for standardized privacy notice.
Supplemental Material
Supplemental movie, appendix, image and software files for A Large-Scale Evaluation of U.S. Financial Institutions’ Standardized Privacy Notices