Researchers at Carnegie Mellon University have released a reports comparing financial institutions’ privacy practices and what they really mean for consumer privacy. The authors of “Are They Actually Any Different? Comparing Thousands of Financial Institutions’ Privacy Practices” (pdf) are: Lorrie Faith Cranor, Kelly Idouchi, Pedro Giovanni Leon, Manya Sleeper and Blase Ur. Here’s the abstract:
Although large-scale comparisons of privacy practices across an industry have the potential to illuminate the state of consumer privacy and to uncover egregious practices, the freeform legalese of most privacy policies makes such com- parisons time-consuming and expensive. Financial institu- tions in the United States are required by the Gramm-Leach- Bliley Act to provide annual privacy disclosures. In 2009, eight federal agencies jointly released a model privacy form for these disclosures. While use of the model privacy form is not required, it has been widely adopted. With so many fi- nancial institutions’ policies available in a standard format, large-scale comparisons are now more readily achievable.
We built an automated web crawler and document parser for the model privacy form and automatically evaluated thou- sands of financial institutions’ disclosures. We found large variance in data-sharing practices, even among banks of the same class. While thousands of financial institutions share personal information without providing the opportunity for consumers to opt out, some institutions’ practices are more consumer-friendly. Institutions’ practices vary by region and by the size of the institution. Furthermore, we uncovered violations of financial regulation, such as failing to allow consumers to limit data sharing even when required to do so. We identify issues with the design and use of the model privacy form, ranging from poorly designed categories to in- stitutions making self-contradictory statements. We discuss implications for privacy in the financial industry, as well as future directions for standardized privacy notices.