U.S. Banks Show Major Gaps Between Privacy Policies and Data Sharing Reality

Banks in the United States operate under some of the strictest rules in finance. Yet new research from the University of Michigan suggests many still share customer data in ways that most people would find confusing.

The study examined the privacy policies of more than 2,000 banks. It found that nearly half had more than one policy, often with different statements about what information is shared and how. Some banks told customers in one notice that they did not share personal data, while another policy on the same website revealed they did.

Multiple policies, mixed signals

The research looked at how banks follow the Gramm-Leach-Bliley Act, a federal law requiring a short, two-page privacy notice that outlines how customer data is used. That document, known as the GLBA notice, is meant to be simple and easy to read. But most banks also publish other privacy statements linked to mobile apps, cookies, or state privacy laws such as the California Consumer Privacy Act (CCPA).

In total, about 45 percent of banks had several privacy notices posted online. Larger banks tended to have longer, harder-to-read policies. The study found that the typical reading level for these documents was at least college level, far above the national average.

When “we don’t share” doesn’t mean that

The review found significant contradictions. Over half of the banks with multiple privacy policies said in their official GLBA notice that they did not share personal data with third parties. Yet those same banks disclosed elsewhere that they used marketing or analytics cookies that transfer information to outside firms.

A smaller number of banks showed the opposite pattern. They confirmed data sharing in their federal notice but listed stricter limits for California residents. These differences often came from how banks interpret overlapping state and federal rules.

Many institutions used vague language such as “except as permitted by law.” The phrase can make a statement sound privacy-friendly while still allowing wide data sharing. Researchers said that such language leaves most consumers uncertain about what protections they really have.

Opt-outs that few people use

The team also analyzed how banks allow customers to opt out of sharing. Only about one in five offered any kind of privacy opt-out. Of those, most required customers to call a phone number or send a form by mail. Very few provided an online option that was easy to find or use.

Under the Gramm-Leach-Bliley Act, banks must let customers restrict certain types of sharing, such as with nonaffiliated companies for marketing. State privacy laws like California’s CCPA add further requirements, including visible “Do Not Sell or Share My Personal Information” links. But the study found these links were rare.

Tracking without transparency

Researchers also looked at bank websites for third-party cookies. About seventy percent used them, and more than sixty percent included advertising or marketing trackers. Most did not disclose these practices in their privacy policies.

In some cases, cookie settings existed but were mislabeled or buried deep on the site. Even when banks offered controls, the categories were inconsistent. What one bank called “functional cookies” another might classify as “marketing.”

A gap between policy and practice

The findings point to a broader problem. The short federal notice, once meant to simplify privacy communication, no longer reflects the full scope of how data is used in digital banking. Each new regulation (state, federal, or international) adds another layer of paperwork without solving the core issue of clarity.

Researchers argue that the overlapping system of disclosures now does the opposite of what it was designed to do. It confuses consumers and weakens trust. They suggest regulators should align federal and state rules to create consistent language and clearer privacy controls.

For customers, the study advises checking more than one source when reviewing a bank’s privacy information. Consumers can limit sharing by using the opt-out box in the federal notice, adjusting cookie preferences, or activating browser-based privacy signals such as Global Privacy Control.

Until privacy rules are harmonized, customers remain responsible for navigating an uneven landscape of digital tracking and legal fine print. The research shows that even institutions known for compliance can fail to give a clear picture of where personal data goes once it enters the banking system.
