research-article
Open Access

A Large-Scale Evaluation of U.S. Financial Institutions’ Standardized Privacy Notices

Published: 26 August 2016

Abstract

Financial institutions in the United States are required by the Gramm-Leach-Bliley Act to provide annual privacy notices. In 2009, eight federal agencies jointly released a model privacy form for these disclosures. While the use of this model privacy form is not required, it has been widely adopted. We automatically evaluated 6,191 U.S. financial institutions’ privacy notices posted on the World Wide Web. We found large variance in stated practices, even among institutions of the same type. While thousands of financial institutions share personal information without providing the opportunity for consumers to opt out, some institutions’ practices are more privacy protective. Regression analyses show that large institutions and those headquartered in the northeastern region share consumers’ personal information at higher rates than all other institutions. Furthermore, our analysis helped us uncover institutions that do not let consumers limit data sharing when legally required to do so, as well as institutions making self-contradictory statements. We discuss implications for privacy in the financial industry, issues with the design and use of the model privacy form on the World Wide Web, and future directions for standardized privacy notices.

