Do banks share your personal information?

It was reported recently that Facebook is in talks with banks to implement data-sharing partnerships and gather financial information as well as social media user data. While Facebook has denied that it’s asking for financial data, this whole situation has made plenty of people, including us, wonder exactly what kind of personal information banks share with third parties and whether it’s possible to opt out. Just how transparent are banks required to be when it comes to collecting and sharing your data? We did some digging, and here’s what you should know about banks and their policies on sharing personal information to better protect your privacy.

What kind of information do banks collect?

Before getting into whether banks share your personal information with third parties or not, you might want to know what kind of information we’re talking about and why you should care about this information being shared in the first place. To better understand the implications, we first looked toward finding out what kinds of customer data banks gather and share. After all, it’s difficult to know what’s at stake if you don’t know what’s been collected.

When you use a product or service a bank provides, such as when you swipe a credit card or apply for a loan, the bank collects your information. Depending on the service you use, the information that’s collected could include your credit history, transaction history, account balances, social security number, investment experience and more – much of this information you wouldn’t want out on display in a public arena. Add to this the information your bank collects when you apply for an account, such as your contact details or home address, and that adds up to a lot of collected data. So, if this nonpublic personal information that your bank collects ends up being shared with third parties, the risk of it falling into the wrong hands increases. In the event of a data breach, if the third party doesn’t secure your personal information, you could become an unwitting victim of identity theft. That’s just the worst-case scenario – another potential risk of third-party data sharing by your bank is unwanted advertising.

Do banks share your personal information with third parties?

So, now that you know what banks collect, let’s get to the meat of this post: when and how do your banks share your personal information with third parties?

Based on our research of the privacy policies published on most bank websites, including Bank of America, Chase, Citibank, Wells Fargo and online banks like Ally Bank, collecting and sharing information is a regular occurrence. Most of the privacy policies we read mention that financial companies “need to share customers’ personal information to run their everyday business.” How much information is shared (and who receives it), however, varies from bank to bank.

How do banks share information?

Each bank has different policies when it comes to how much information is shared and with whom, but under the Gramm-Leach-Bliley Act of 1999, financial institutions are federally required to protect nonpublic personal information to an extent, such as by complying with specific security guidelines. A number of institutions have even come to rely on a widely adopted model privacy form, which you can think of as a standardized privacy notice format, to make privacy disclosures to consumers – something you’ll notice if you compare the policies of multiple banks to one another. However, according to a paper published in ACM Transactions on the Web in 2016, after evaluating 6,191 U.S. financial institutions’ privacy notices, researcher Lorrie Faith Cranor at Carnegie Mellon University “found large variance in stated practices, even among institutions of the same type.” Furthermore, when it comes to these model privacy forms, Cranor and her students discovered that there are “deficiencies in both the specification and the use of the model privacy form that may counter-intuitively limit consumers’ access to information about financial institutions’ privacy practices.” For example, in the section of these forms covering the types of personal information collected and shared, they found that there are “redundant and potentially ambiguous” terms used.

What this means is that it’s important to read your bank’s privacy notices to get a bit more insight into its individual information-sharing policies – even if they may not provide as much information as you’d like – so you understand exactly what it does with your data. For example, if you read the U.S. Consumer Privacy Notices on their websites, you’ll discover that Bank of America and Wells Fargo don’t share your personal information when it comes to nonaffiliates marketing to you, whereas Citibank and Chase do. That said, while banks follow differing policies, there are several core information-sharing policies we noted across many of the U.S. Consumer Privacy Notices we dug up. Banks may share personal information for the following reasons:

  • Everyday internal business purposes (e.g., when your bank reports to credit bureaus, processes your transactions or when it provides requested data according to court orders or legal investigations).
  • Internal marketing and joint marketing with affiliates (e.g., your bank may share data with certain service providers it works with to advertise new products or services to you).
  • External marketing by both affiliates and nonaffiliates of your bank (e.g., companies that market certain financial products or services to you, which the Federal Deposit Insurance Corporation cites as telemarketers, airlines, retailers and nonprofits).
  • Affiliates’ everyday business purposes (e.g., providing information about your creditworthiness).

Within these broad instances, there may be many more specific reasons your bank shares data. Your bank’s stance on sharing your personal information in these areas and others can be highly specific. As such, reading up on your bank’s privacy notices can be helpful to you.

How can you find out more about your bank’s policies?

Besides accessing privacy notices for your bank online, there are other ways you can get the details on these policies. According to the FTC, the Gramm-Leach-Bliley Act of 1999 requires financial institutions to give each of their customers a privacy notice – usually provided when you first open an account. This privacy notice is one way to learn more about your bank’s policies on information sharing. Privacy notices are delivered to customers in writing or, if you agree to it, electronically. Your bank is also required to give you a full, updated privacy notice once a year. If you don’t have a current copy or would like a new one, you can contact your bank to request it.

What can you do if you want to limit this sharing?

After learning more about your bank’s information-sharing policies, you may find yourself wanting to limit some of this sharing. If so, you can take some steps to do just that – though it’s important to know right off the bat that you won’t be able to prevent certain types of information from being shared. Federal law gives banking consumers the right to limit sharing that lets affiliates and nonaffiliates market to you, as well as to block information about your credit limits from being shared with affiliates. You may not be able to limit your bank from using or sharing your data for everyday business purposes, its marketing purposes and joint marketing with other financial institutions. State laws, as well as rules enacted by individual institutions, may give you additional rights when it comes to limiting the sharing of your information, so your best option is to contact your bank to request that your data be shared in as few ways as possible.

To find out exactly which areas of sharing you can limit and what your bank’s contact information is for making such requests, you can again turn to its U.S. Consumer Privacy Notice. This document will outline the types of data your bank collects, how it is used and whether or not you can opt out or limit its sharing. You can also keep an eye out for opt-out notices that come from your bank. To comply with the Gramm-Leach-Bliley Act, financial institutions are required to offer these to customers if they plan to share nonpublic personal information with certain nonaffiliates. As such, when these opt-out notices come your way, they will give you the opportunity to opt out of information sharing that you’re not comfortable with.
