ONLINE BANKING PRIVACY: A SLOW, CONFUSING START TO GIVING CUSTOMERS CONTROL OVER THEIR INFORMATION

1634 EYE STREET, NW SUITE 1100
WASHINGTON, DC 20006
TELEPHONE 202.637.9800
FACSIMILE 202.637.0968
INFO@CDT.ORG
WWW.CDT.ORG

SUMMARY

In this report, the Center for Democracy and Technology tracks the convergence of two privacy issues that have become increasingly important to Americans: Internet privacy and the privacy of personal financial information. Our study shows that, while some banks are providing their customers a wide array of privacy controls, most banks offer little or no online privacy choice. Moreover, a large percentage of banks are taking advantage of loopholes in the law to share personal information with "affiliates" and "marketing partners" while offering customers no privacy options.

In 1999, Congress passed a financial modernization law, commonly known as the Gramm-Leach-Bliley Act ("GLB"), that gave regulated financial institutions an opportunity to offer a wider array of services. The Act also provided consumers the beginnings of new privacy protections. For the first time, banks and other financial institutions were required to provide customers with notice of their privacy practices and the opportunity to stop the sharing of personal information with third parties. The privacy provisions went into full effect on July 1, 2001.

In recent years, starting before GLB, many banks have instituted online banking services, promoting those services with claims of convenience and efficiency. Indeed, one-quarter of Internet users report using online banking services at one time or another. But our study finds that, too often, this convenience is a one-way street. While privacy has been cited as a major concern for both Internet users and non-Internet users alike, banks have not been consistently offering their customers the convenience of online privacy controls, raising further questions about the effectiveness of the GLB privacy provisions.

In the wake of the July 1 deadline, the Center for Democracy & Technology decided to study a simple question of institutions allowing consumers to sign up for and use financial services online:

Can consumers ensure, by online means, that their resulting financial information is not shared for other purposes?

The answer to this question, it turned out, is not so simple.

Thirty-four of the 100 institutions surveyed acknowledged that they shared information with unaffiliated third parties but offered Internet banking customers no online privacy controls, although most provided some means of offline opt-out.
Only 22 institutions offered Internet users an online opt-in (affirmative consent policy) or a consumer friendly opt-out to get off marketing and shared lists.
Forty-four of the 100 institutions surveyed said that they did not share information with outside parties as defined by the law, and thus under the GLB Act did not have to offer any privacy choice online or off, yet two-thirds of these [30] reserved the right to share information with "marketing partners," leaving consumers uncertain as to how and by whom their information was being used and no opportunity to control such disclosures.
Even fewer companies offered privacy controls on internal use and affiliate sharing. Over 80% of the financial institutions offered customers little or no opportunity to limit this type of sharing, which is not covered by the new law. Interestingly, banks offering choices to consumers for third-party sharing were more likely to give choices to individuals for internal sharing than those who claim not to engage at all in sharing covered by the law.

Some banks make it particularly difficult to get off marketing lists:

Community First requires online banking customers to call an 800 number to be sent by regular mail a form that they must fill out and mail back in order to exercise their privacy rights.

On the other hand, there are also some innovative consumer-controls offered that could be viewed as "best practices:"

First Union, for instance, offers customers an easy to use, secure online form, linked directly to the company's privacy policy. It allows the customer to opt-out of marketing deals by email, telephone or direct mail, and to limit sharing to third parties and affiliates, while still reminding the user what information may be legally shared. The opt-out form is even available in Spanish, as is the entire privacy policy. Should users not want to opt-out online, a bilingual hotline is available from 8am to 8pm, to answer questions about the policy and to exercise the opt-out option.

Some other breakdowns also proved interesting:

Internet-only banks fared best. Many do not share information with affiliates or third parties and several offered opt-in controls to their customers.
Conversely, many online mortgage brokers, which are covered by the GLB Act, do not seem to be offering any privacy choice to consumers at all. CDT has contacted these companies and is awaiting responses. If these companies do not institute at the minimal privacy controls called for under GLB, CDT will file a complaint with the Federal Trade Commission.

Based on the results, CDT recommends that:

All financial institutions should follow the best practices adopted by industry leaders and offer online privacy controls;
online mortgage companies should institute online privacy choices or face FTC investigation;
policymakers should carefully consider the current exemptions in the new financial services privacy law, in particular the ability for companies to share with marketing partners and affiliates without any privacy controls; and
policy makers considering broader Internet privacy legislation should learn from the lessons of the GLB Act. Requiring an opt-out choice for the financial industry has not yet given consumers easy-to-use controls over redisclosure and use of personal financial information. Policy makers should be working to make sure that future privacy requirements offer better results by studying best practices and creating stricter standards.

BACKGROUND

Privacy, especially Internet privacy, has become one of the most important issues in the lives of Americans. Concern about online privacy was the first reason consumers gave as to why they were not using the Internet. [ 1 ] A recent survey of Internet usage by the Markle Foundation confirmed that privacy ranks as one of the most important concerns for Internet users. [ 2 ] At the same time, consumers are eager to take advantage of the convenience of the Internet to satisfy their banking needs. Over a quarter of Americans who have gone online have used the Internet to bank or invest. [ 3 ] Given that many people fear improper use of their personal information, many have begun to wonder if current safeguards of financial information adequate. It is widely recognized that failure to address privacy concerns may slow growth of online marketplaces and limit the number and type of services available online. Trust is key on the Web, and consumers must feel in control of their personal information. The most recent attempt to address privacy worries is the Gramm-Leach-Bliley Act of 1999 ("GLB"), which deregulated financial institutions and implemented a series of privacy standards that went into effect July 1, 2001.

A "financial modernization" act allowing regulated financial institutions to engage in much wider practices was under discussion in Washington for decades. The first drafts of what eventually became Gramm-Leach-Bliley contained no mention of privacy. Nor was privacy of personal and financial information mentioned in the versions that passed the House and Senate Banking Committees in early 1999 [ 4 ] . By the time the bill was before the House Commerce Committee, however, privacy of information was enough of a political issue that an entire section of the bill was devoted to it.

Title V of GLB defines privacy rules that all financial institutions and other institutions under the jurisdiction of a financial regulatory body must abide by. This includes full disclosure of information gathering and sharing practices to customers. Broadly stated, personal information may not be shared with unaffiliated third parties unless the customer is given an opportunity, commonly referred to as opt-out, to prevent such sharing. The Act's privacy provisions apply to non-public personally identifiable financial information, which includes any information provided by the consumer to the institution, information from transactions and any other personal information obtained by the institution. Although the law does not address publicly available data, it does include all information derived from personal data, such as the fact that a certain individual is a customer. The law exempts from the opt-out requirement the internal use of information and the sharing of information with affiliates and "marketing partners," allowing banks to share information with those entities without offering customers the opportunity to opt-out; this exception was justified as allowing banks to continue some popular services such as frequent flyer credit cards.

As a result of the privacy provisions in GLB, almost every American has received some kind of privacy notice in the mail from a financial institution such as a credit card company, insurance agent, stock broker or bank. Several studies have been undertaken about the quality of these printed notices. For example, the Privacy Rights Clearinghouse has criticized the notices as too complex for the average consumer. [ 5 ]

Due to the unique concerns that Americans have with online banking services the Center for Democracy and Technology (CDT) felt that it was appropriate to focus on the different institutions were complying with the law in terms of Internet banking and other online services.

In marketing online services, financial institutions consistently refer to ease and convenience. Therefore, CDT believes that the banks should provide consumers with a similarly convenient set of privacy choices online. CDT surveyed Internet banking services, to determine whether banks were achieving GLB's stated objective of protecting personal information by making online opt-outs easier for consumers.

METHODOLOGY

Between July 1 and July 22, CDT examined the privacy policies of 100 financial institutions that allowed consumers to conduct all or part of their banking business on the World Wide Web,. The goal of this study was to ascertain the type of opt-out policy, if any, and its ease of use, in order to determine whether compliance with GLB adequately protected customer privacy. The banks were divided into several categories. Those that shared no information with unaffiliated third parties were placed in the "No GLB Sharing" category. Those that adhered to a more privacy-friendly opt-in policy or that provided a simple opt-out mechanism online were placed in the "Consumer Oriented Online Choice" category. The remainder of the opt-outs and those institutions that lacked an opt-out or a privacy policy were placed in the "Little or No Consumer Choice Online" group. In a preliminary test survey of a few dozen of the banks - before the law went into effect - CDT found wide variations in the type of notice and choice offered to consumers, so a wide range of subcategories were created to give a full sense of the online banking practices.

Many advocates feel strongly that the biggest concern for consumers arising out of the new financial modernization rules is the ability of financial institutions engaged in lines of business in addition to banking to share information internally among their various units, affiliates or subsidiaries. Some banks have responded by offering choices to consumers to limit this kind of sharing even though the law does not require them to. Therefore, CDT also studied the choices offered to consumers for control over their information in internal sharing.

In most cases, CDT assessed only the information offered directly on the privacy page of the Web site. However, when there was only a toll-free number offered, CDT called the number to assess the quality of the consumer choice.

These subcategories are as follows:

No GLB Sharing
- Will not share financial information
- Will only share as permitted by law (i.e. with marketing partners)
Consumer Oriented Online Choice
- Opt-in
- Convenient opt-out (including at least one online method)
- Web form
- Email with instructions
Little or No Consumer Choice online
- Toll free hotline with at least one other less convenient method
- Just a toll free hotline
- Email without instructions
- Mail in with instructions
- Mail in without instructions
- Call in to request a mail in form
- Opt-out mentioned, but not explicitly defined
- Too confusing to use
- No opt-out

RESULTS

GLB mandates that banks must provide a choice to opt-out of information sharing with unaffiliated third parties. No opt-out is required for sharing with affiliates and "marketing partners". In one sense, there is good news: Of the 100 banks surveyed that offer all or some of their services online, two-thirds (66) either did not share information with unaffiliated third parties or provided a consumer-friendly opt-out plan. Specifically, we found that:

Forty-four banks would not share any information with unaffiliated third parties; of those, 30 said they may share with marketing partners without offering an opt-out, while only 4 promised not to share with any affiliates or third parties.
Another 22 offered consumers easy choices to control the disclosure of information to unaffiliated third parties. Of those 22 entities, 13 offered an "opt-in," only sharing information when the customer requested it.

On the other hand, however, a large percentage of financial institutions sharing information with unaffiliated third parties did not give consumers adequate control over their information. Of the 56 institutions that would, under some circumstances, share information with unaffiliated third parties, only 22 (the same 22 mentioned above) offered, in our judgment, adequate consumer choice. In addition:

Only a handful of banks - seven - offered convenient, easy to use opt-outs, combining online forms that can be filled out and submitted over the Internet with a means of exercising choice offline as well, preferably through a toll-free hotline.
Of the institutions with any sort of opt-out, less than a third gave customers the opportunity to opt-out online.
Thirty-four institutions surveyed did not meet CDT's standards for reasonable opt-out, and offered little or no consumer choice.
Ten companies did not offer an opt-out of any kind, and also did not explicitly deny that non-public information would be shared. In general, these ten tended to be smaller insurance brokers or mortgage brokers.
Twenty-four companies had options that lacked flexibility or convenience, offering only hotlines, giving instructions to mail in opt-out notices, failing to give adequate instructions for what to include in the user's request to opt-out, or simply being too confusing to use.

While GLB requires disclosure of all information sharing, including sharing with affiliates, institutions are not required to offer customers the opportunity to opt-out of affiliate sharing. This has been criticized as a major loophole in GLB. However, institutions wishing to offer customers a higher level of privacy protection may choose to offer choices. CDT examined the ability of customers to control disclosure of their non-public personal information inside an extended corporate family. For smaller independent banks, we looked for control over internal information sharing (typically used for marketing purposes). Unlike the federally mandated third party information sharing, the results were not reassuring for consumers:

Over 80% of the banks surveyed allowed customers little or no control over sharing of information with affiliates.
Only four did not share information internally, or with a corporate affiliate, defined as a subsidiary, parent firm or subsidiary of a parent firm.
Another 14 presented customers with a simple and direct way to opt-out
Forty gave no opt-out options at all.

Moreover, many firms were vague as to exactly who would receive information. A few companies, such as Old Kent, had good notice practices and listed all affiliates in the corporate family. [ 6 ] Schwab and others listed the parent company, but none of the parent's subsidiaries that might also legally receive a customer's information. [ 7 ] There were many, including CNL and Patagon, that explicitly informed customers that they would share with affiliates, but did not list these affiliates anywhere in their privacy policies. [ 8 ] [ 9 ]

Certain types of banks appeared to be more likely to offer convenient online choices than others. We broke down the surveyed institutions by size, and by the range of services offered.

Large banks, those with over 500 branches or with comparably large client bases had a poor record, with almost half of the 26 large firms offered little or no consumer choice.
Online banks with no physical branches had the best record, with 19 out of 40 firms stating that no third party information would be shared, and another 11 offering convenient online opt-out..
Over a third of the banks offering both a wide variety of banking and other financial services such as online brokerages or online insurance retail failed to offer an online opt-out. Firms that offer only business and consumer banking products, by comparison, have half that amount.
Banks that offered convenient choices for third parties were far more likely to offer controls for internal sharing.
Independent mortgage companies were the least likely to provide consumers with any opt-out online.

Internal/Affilaite vs. Third Party Sharing

EXAMPLES: ONLINE BANKING PRIVACY CHOICES

The range of opt-outs was truly remarkable. Some were extremely easy to use, and designed to be quick and accessible by anyone. A Best Practice might look something like any of those who fell into the convenient opt-out category.

First Union, for instance, offers customers an easy to use, secure online form, linked directly to the privacy policy. It allows the customer to opt-out of marketing deals by email, telephone or direct mail, and to limit sharing to third parties and affiliates, while still reminding the user what information may still be legally shared. The opt-out form is even available in Spanish, as is the entire privacy policy. Should users not want to opt-out online, a bilingual hotline is available from 8am to 8pm, to answer questions about the policy, opt-out and give feedback. [ 10 ]

Unfortunately, only a few banks gave consumers a convenient choice online. Many more had confusing, difficult and sometimes frustrating choices. For example:

Community First informs the user, "To opt-out, all you need to do is call us toll-free [the hotline number] to request an opt-out form." So, to be removed from information sharing with marketing partners and affiliates, a customer who uses a wide range of online services in order to bank, must call a hotline, wait for a form to arrive in the mail, fill out the form and post it. In this case, the customer is responsible for return postage. [ 11 ]

Several firms, rather than offering either online or real world opportunities to opt-out, force the user to use both.

Six banks, including Comerica and Mellon, required that one print an online form, fill it out by hand and mail it to the bank at the customer's expense. This would prove highly inconvenient for customers who lack easy access to printers, or simply are not eager to mail in something that complicated. [ 12 ] [ 13 ]

More than a few banks failed to include instructions as to how to opt-out, providing only an address or email address to which a user may send a request to stop information sharing.

Bank Caroline, gave no indication as to what personal information, such as account number or social security number is required to process an opt-out request. Since the bank "may collect information volunteered by [the customer]", it is ironic that a confused customer might reveal more information than necessary to opt-out, and the bank is entitled under its privacy policy to keep that information (and share it with its affiliates and marketing partners, though not with third parties.) [ 14 ]

Some banks even required different opt-outs for different products.

Greenpoint Financial, for instance, applies the same privacy standards for each of its several business units, but each unit requires its own opt-out. A customer with a checking account and a credit card at the bank, for example, would have to fill out one form to opt-out of the sharing of his or her banking information, but call a hotline to prevent Greenpoint from sharing personal information it obtained from the credit card account. [ 15 ]

One of the worst offenders seemed to work contrary to privacy, offering to share personal information, rather than protect it.

Ameriwest Mortgage LLC, a small mortgage broker, features a privacy policy that makes no mention of the protection of personal information. Instead, the president of the firm offers to "gladly furnish the names of people like yourself who used his services and were pleased they did." [ 16 ]

ANALYSIS

An online opt-out can and should be simple and easy for customers to use. The wide range of policies shows that while most institutions are complying with the GLB law, not all comply with its spirit, which aimed to make it easy for consumers to gain control of their financial information. If financial services are offered online, why were less than one third of the opt-outs surveyed available online? It is not sufficient privacy protection for a bank to offer online services but demand customers mail in their privacy preferences, instead of using a secure web form that would clearly be easier, faster and cheaper for the user, and very likely for the bank itself.

There are also several large holes in the legislated limits on information sharing. The most obvious is that banks may freely share information with their affiliates. Given the size of corporate families in today's economy, the number of firms that may legally exchange information with each other is immense. GLB does, however, prescribe a study of information sharing among affiliates that will examine the purposes and advantages of sharing information between corporate family members, as well as the potential risks for consumer privacy. The study, which will seek the input of both industry and consumer privacy representatives, will be submitted by January 1, 2002 to serve as a foundation for any further action.

Gramm-Leach-Bliley also allows free sharing with "joint marketing partners." These are defined in the Act as parties with whom a firm has signed a formal written contract to jointly "offer, endorse or sponsor a financial product or service." Customers are not guaranteed a right to opt-out of this sharing. Many institutions in their GLB notices stated simply that they will share information "as permitted by law." Undoubtedly, this practice led to some of the more confusing policies that CDT examined. Of the 44 banks CDT surveyed that stated that they would not share information with a third party, two thirds of them can, under their policy, legally share customer information with joint marketing partners. In most cases this is buried in the fine print. Unlike other valid exemptions in the law, which allow third parties to perform necessary services, this sharing is not related to the operation of the financial institution. In many cases, a fully-informed opt-out would offer better consumer control than a policy that promises no sharing under the Act, but involves sharing with certain unnamed "partners" or other third parties. Customers should have the right to opt-out of information that would be shared for marketing purposes, or at very least be informed of where this information is going.

Why did more banks not offer online opt-outs? In general, why has implementation of the GLB privacy provisions produced so much confusion?

To answer these questions CDT contacted the Chief Privacy Officers of a few of the larger institutions surveyed. From these interviews, CDT found that there were three major reasons that more companies were not offering better online choices:

Some institutions have had difficulty coordinating opt-outs from different sources. The law provides no direct incentive to make opt-outs convenient, nor does it force banks with online services to make opt-outs available online. But even if a bank wishes to make its opt-out available in an easy online format, it may not be easy. A simple online form may require a central database that could not exist. Many of the large banks use several different legacy systems, the products of older technology of mergers and acquisitions. First Union, which offered an easy-to-use web form opt-out, has gained a reputation in the banking world for having excellent information services. A complex back office information back office system may make an integrated opt-out system impossible, or too expensive to be a top priority.
Some institutions did not know what to expect and were concerned about the number of opt-outs that could come and the quality of customer service that they could provide. Since this was the first time that many of these companies were offering privacy choices, they did not know what to expect and erred on the conservative side in providing services. One privacy officer suggested that banks may be reluctant to provide something as simple as a toll free hotline, because of the fears that it would be swamped with calls, irritating clients and providing overall worse customer service. Furthermore, a bank must be completely confident of any online service it offers before making it available to the public, making such a system even more expensive and still a risk if it doesn't work.
Some institutions were trying to evade the spirit of the law. There are always a few regulated institutions that will only comply to the letter of the law rather than offering consumers real protections in order to save in costs. One officer suggested that the number of these companies was shrinking, but it seems obvious that at least a few institutions are still trying to make it as difficult as possible for consumers to opt-out.

While these responses rationalize the actions of many of the companies, they do not offer consumers a strong degree of confidence in privacy protections for online banking. Technology experts have said repeatedly that privacy needs to be built into information systems from the start. Waiting until after systems have been put in place makes it harder to implement convenient privacy options. Similarly, how can consumers have confidence in a complex banking service when the company is not able to assure proper customer support for the relatively easy service of removing a name from a marketing list? It seems that, in too many cases, user-controlled privacy protections have not been a priority for financial institutions.

CONCLUSION AND POLICY RECOMMENDATIONS

The privacy provisions of the Gramm-Leach-Bliley Act have raised the level of privacy awareness in financial services industry. Yet, compliance with the law does not guarantee adequate consumer options for privacy protection. Based on the results of the study, CDT makes the following recommendations:

Financial institutions should follow the best practices identified in this report. Thirteen institutions adhered to an opt-in policy for unaffiliated third-party sharing. Seven banks offered customers the opportunity to opt-out through a range of means, including the opportunity to opt-out online. Others should be living up to these standards, as a minimum.
Policy makers should carefully consider the exceptions in the GLB law. Many large institutions that do not share information with third parties reserve the right to share with affiliates and "marketing partners.".
The Federal Trade Commission should look into the practices of the online mortgage companies that do not give consumers notice of their choices. The FTC has oversight responsibility for many institutions under the law, including the independent mortgage companies. These companies fared worst in the study.
Policy makers considering broader Internet privacy legislation should learn from the lessons of the GLB Act. Requiring an opt-out choice for the financial industry has not yet given consumers easy-to-use controls over redisclosure and use of personal financial information. Policy makers should be working to make sure that future privacy requirements offer better results by studying best practices and creating stricter standards. The inconsistency in online implementation of financial privacy rules need be addressed. We hope that companies will recognize that their customers care about privacy and we urge the industry to offer online opt-outs as the minimum industry standard. Control of personal financial information should be easy, simple and tailored to the needs of the customers to whom it belongs.

APPENDIX: FULL SURVEY RESULTS

Bank Name	Services (roughly catalogued)	url of privacy policy
accessBroker.com	7	http://www.accessbroker.com/trading/security.shtml
Advantage Mortgage	11	NONE (site: http://www.advantagemortgageonline.com/index1.htm)
Allfirst Financial	1, 2, 4	http://www.firstmd.com/legal/privacy_statement.html
Amarillo Naitonal Bank	1, 2, 3, 8	http://www.amarillonationalbank.com/privacy.htm
American Bank	1, 2	http://www.americanbank.com/Privacy/Privacy.asp
American Express	1, 7, 4, 9	http://home3.americanexpress.com/corp//consumerinfo/privacy/privacystatement.asp and http://home3.americanexpress.com/corp/consumerinfo/principles.asp
Ameriquest Mortgage	11	http://www.ameriquestmortgage.com/privacy.html
Ameritrade	7, 9	http://www.ameritrade.com/tell_me_more/index.html?startpage=privacy_policy.fhtml
Ameriwest	11	http://www.ameriwest.com/about/privacy.html
Artisans' Bank	1, 2	http://www.artisansbank.com/privacy.html
Bank Caroline	1, 2, 6, 8	http://www.bankcaroline.com/prodinfo.asp?intProd=24
Bank of America	1, 2, 3	http://www.bankofamerica.com/privacy/index.cfm?template=privacysecur_cnsmr.cfm
Bank of Internet	1, 2	http://www.bankofinternet.com/privacy/default.asp
Bank of New York	1, 2	http://www.bankofny.com/pages/u_disclosures_retail_bnyonline.htm
Bank One	1, 2, 3, 5, 6	http://www.bankone.com/privacy/
BankDirect	1, 2	http://www.bankdirect.com/frames_01.asp?LINK=privacy.htm
BB&T	1, 2, 4, 7	http://www.bbandt.com/privacy/privacynotice.html
Brown & Co.	7	http://www.brownco.com/privacy.html
Central New England Mortgage	11	http://www.newenglandmortgages.com/feedback.htm
Centura	1, 2, 4, 6	http://www.centura.com/about/overview/legal_and_privacy.cfm
Charter One	1, 2, 3	http://www.charterone.com/general/privacy.asp
Chase	1, 4, 8	http://www.chase.com/chase/gx.cgi/FTcs?pagename=Chase/Href&urlname=privacy
CitiBank	1, 2, 7	https://web.da-us.citibank.com/cgi-bin/citifi/scripts/help_desk/help_desk_subtopic.jsp?BV_UseBVCookie=yes&BS_Id=HD_ST_036
Citizens Bank	1, 2, 3	http://www.citizensbank.com/privacy.htm
Clarity Bank	1, 2, 4, 8	http://www.claritybank.com/privacystatement.cfm
CNL Bank	1, 2, 3, 8	http://www.alliancebnk.com/privacy.htm
Colorado Online Mortgage	11	http://www.coloradoonlinemortgage.com/cookies.htm
Comerica	1, 2, 3, 7, 9	http://www.insweb.com/privacy.shtml
Commerce Bank	1, 4, 5, 8	http://www.commerceonline.com/privacy_policy/index.cfm
Community First	1, 2, 7	http://www.cfbx.com/resources/privacy_info.htm
Compass Bank	1, 2, 4, 7	http://www.compassweb.com/compass/privacy/disclosure.html
Datek Online	7	http://www.datek.com/popinframe.html?ref=/advantage/privacy.html&navNumber=0
Deep Green Bank	Loans & CDs only	http://www.deepgreenbank.com/privacy.asp
Dime Bank	1, 2	http://www.dime.com/privacy.htm
Directbanking.com	1, 3, 8, 5	http://www.directbanking.com/privacy.htm
e*trade	7, 1, 2, 9	http://www.etrade.com/cgi-bin/gx.cgi/AppLogic+Home?gxml=hpa_privacy.html
ebank	1, 2, 3,	http://www.ebank.com/scripts/oneweb.nl/ebank3?UID=MTJWJVV389FF87O3HBJI&Page=List_Display&Group=672&List=4371
ERATE	11	http://www.erate.com/privacy.htm
everbank.com	1, 2, 7, 5	http://www.everbank.com/pops/disclosure_pop.asp?loc=xmlCanvas.asp?id=1384
FinancialCafe.com	6, 7, 9, 10	http://www.thefinancialcafe.com/about/privacy.html
FiNet.com	11,	http://www.finet.com/securityandprivacy.html
First Internet Bank of Indiana	1, 2, 4	http://www.firstib.com/privacy/
First Tennessee	1, 2, 3, 8	http://www.firsttennessee.com/ft_docs/cfm/ft_2_col.cfm?section_name=company_information &menu_name=company_information&body_name=privacy_policy
First Union	1, 2, 4, 7	http://personalfinance.firstunion.com/pf/cda/cs/privacy/
Firstar	1, 2, 4	http://www.firstar.com/about/ii-privacy-pledge-fr.html
Fleet Boston Financial	1, 2, 3, 7, 9	http://www.fleet.com/legal_privacypolicy.asp
Franklin Mint Federal Credit Union	1, 2	https://www.fmfcu.org/prodserv/disclosure_fees.html
freetradez.com	7	http://www.freetradez.com/logon/welcome/welcome_privacy.asp
G & L Internet Bank	1, 4	http://www.glbank.com/about%20us/about_us.htm#Privacy & Security
giantbank.com	1, 2, 3,	http://www.giantbank.com/pri_sta.asp
GM Mortgage Corporation	11	NONE(site: http://www.gmmortgage.net)
GreenPoint Financial	1, 2, 11	http://www.greenpoint.com/index.cfm?spPathname=static/privacy.htm
Harris Bank	1, 2, 4, 8	http://www.harrisbank.com/privacy.html
Hibernia Bank	1, 2, 7	http://www.hiberniabank.com/hibernia_bank/hb_privacy_policy.shtml
HSBC	1, 2, 4, 9	http://us.hsbc.com/inside/privacy.asp
Huggins/Dreckman Insurance	5	http://www.insureyouforless.com/html/privacy.htm
Insurance.com	5	http://www.insurance.com/about_us/security_privacy.asp
InsWeb	5	http://www.insweb.com/privacy.shtml
JNGrace Online	5	NONE (site: http://www.jngrace.com)
Juniper Bank	1, 2, 6	http://www.juniper.com/app/legal/privacy.jsp
Key Bank	1, 2, 8	http://www.key.com/templates/generic.jhtml?nodeID=K
LaSalle Bank	1, 4, 7	http://www.lasallebanks.com/privacy_statement.html
MBNA	1, 2	http://www.mbna.com/privacy.html
Mellon Bank	1, 2	https://www.mellon.com/privacy/index.html
Monroe Insurance	11	NONE (site: http://www.monroe-insurance.com/)
Morgan Stanley	7, 9	http://www.online.msdw.com/cgi-bin/Help/priv_policy
MyBank USA	1, 2, 8, 9	http://www.mybankusa.com/privacy.cfm
National City	1, 2, 4	http://www.nationalcity.com/privacy.asp
National Discount Brokers	7, 9	http://www.ndb.com/privacy.html
National InterBank	1, 2	http://www.nationalinterbank.com/privacy.shtml
nBank	1, 2, 4, 8	http://www.nbank.com/privacypolicy.asp
NetBank	1, 2, 8	http://www.compubank.com/security_privacy.htm
Nexity Bank	1, 2, 4	http://www.nexitybank.com/aboutus/privacy.asp
Old Kent	1, 2, 8	http://www.wellsfargo.com/privacy/policy.jhtml
Online Mortgage Corporation	11	NONE (site: http://www.mortgageweb.com/)
Patagon USA	5, 7, 9	First Tennessee
PayPal	4, 9	http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/privacy-outside
PC Banker	1, 2, 4, 8	http://www.pcbanker.com/banking/privacy.asp
PNC	1, 2, 9	http://www.treasury.pncbank.com/legal_privacy.html
Presidential Bank	1, 2, 4, 8	http://www.presidentialonlinebank.com/privacy_new.htm
Progressive	5,	http://www.progressive.com/privacy.htm
Regions Bank	1, 2, 4	http://www.regions.com/about/privacy_pledge.html
RushTrade.com	7, 9	http://www.rushtrade.com/html/privacy_statement.htm
Schwab	7, 9	http://www.schwab.com/SchwabNOW/navigation/mainFrameSet/0,4528,817,00.html
Security First Network Bank	1, 2, 8, 6	http://www.sfnb.com/global_links/glo_privacypolicy.asp
SouthTrust Bank	1, 2, 4	http://www.southtrust.com/privacy/fair_credit.html
Sovereign	1, 2	http://www.sovereignbank.com/privacy/index.html
Sterling Mortgage Corporation	11	NONE (site: http://www.sterlingmortgagecorp.com)
SunTrust	1, 2, 4, 7	https://www2.suntrust.com/privacy.html
TD Waterhouse	1, 3, 7	http://www.tdwaterhouse.com/legal/privacy.html
Trade.com	7, 9	http://www.trade.com/content/privacy.asp
Umbrellabank.com	1, 2	http://www.umbrellabank.com/policy.asp
US Bank	1, 2, 3	http://www.usbank.com/privacy/privacy_pledge.html
Virtual Bank	1, 2	http://www.virtualbank.com/about_virtualbank_privacy_statement.asp
Wachovia	1, 2, 3, 7,	http://www.wachovia.com/privacy/privacy.asp
Washington Mutual	1, 2	http://www.wamu.com/servlet/wamu/public/eng/pages/privacy.html
Washington Trust	1, 2, 4	http://www.watrust.com/home15.html
Wells Fargo Bank	1, 2, 3, 5, 7	http://www.wellsfargo.com/privacy/policy.jhtml
Wingspan Bank	1, 2, 5, 7	http://www.wingspanbank.com/sessionManager/dispatch?service=PRIVACY&MainContent=about_privacy.htm
Zion Bank	1, 2, 4, 7	http://www.zionsbank.com/privacy.html

Services (roughly catalogued)
1 = basic banking (savings, loans, credit cards, money markets, etc)
2 = bill payment services
3 = business banking (many services targetted towards businesses & corporate clients)
4 = some business services, but not a full range
5 = insurance products
6 = affiliated with insurance service provider
7 = on site online brokerage/trading
8 = affiliated with brokerage
9 = other financial services (ie factoring)
10 = affiliated with banking services provider
11 = mortgage broker only

APPENDIX: FULL SURVEY RESULTS

Bank Name	affiliate opt-out code	third party opt-out code	third party scored code	affiliate scored code	size code
accessBroker.com	NONE	z	no share	none	1
Advantage Mortgage	NONE	NONE	none	none	1
Allfirst Financial	NONE	b	b	NONE	3
Amarillo National Bank	NONE	y	opt-in!	none	2
American Bank	NONE	q	q	none	2
American Express	b, d	d	d	d	4
Ameriquest Mortgage	NONE	q	q	none	2
Ameritrade	NONE	c, d	good	none	1
Ameriwest	NONE	NONE	none	none	2
Artisans' Bank	NONE	z	no share	NONE	2
Bank Caroline	h	h	h	h	4
Bank of America	a, b,c, f	q	q	c	4
Bank of Internet	y	y	opt-in!	opt-in!	1
Bank of New York	NONE	b	b	none	4
Bank One	b	b	b	b	4
BankDirect	NONE	z	no share	none	1
BB&T	b	q	q	b	4
Brown & Co.	NONE	z	no share	none	1
Central New England Mortgage	NONE	NONE	none	none	1
Centura	NONE	y	opt-in!	none	3
Charter One	b	q	q	b	3
Chase	b	b	b	b	4
CitiBank	g	g	mentioned	mentioned	4
Citizens Bank	NONE	q	q	none	3
Clarity Bank	a, c	a, c	c	c	1
CNL Bank	NONE	q	q	none	2
Colorado Online Mortgage	NONE	z	no share	none	1
Comerica	e	e	a	a	3
Commerce Bank	b	b	b	b	3
Community First	l	q	l	l	3
Compass Bank	none	q	q	none	3
Datek Online	g	z	no share	mentioned	1
Deep Green Bank	none	y	opt-in!	none	1
Dime Bank	NONE	NONE	none	none	3
Directbanking.com	b, h	q	q	b+	1
e*trade	none	b, c, d	good	none	1
ebank	x	q	q	no share	1
ERATE	none	z	no share	none	1
everbank.com	c, d (not easily found), h, j	q	q	good	1
FinancialCafe.com	j	j	j	j	1
FiNet.com	NONE	z	no share	none	1
First Internet Bank of Indiana	x	y	opt-in!	no share	1
First Tennessee	b	q	q	b	3
First Union	b, d, f	b, d, f	good	good	4
Firstar	b, d, f	b, d, f	good	good	4
Fleet Boston Financial	a, b	q	q	b+	4
Franklin Mint Federal Credit Union	a	y	opt-in!	a	2
freetradez.com	k	z	no share	k	1
G & L Internet Bank	e, l	e, l	a	a	1
giantbank.com	NONE	z	no share	none	1
GM Mortgage Corporation	NONE	NONE	none	none	2
GreenPoint Financial	e	e	a	a	3
Harris Bank	a, b	q	q	b+	3
Hibernia Bank	e	e	a	a	3
HSBC	b	q	q	b	3
Huggins/Dreckman Insurance	none	none	none	none	2
Insurance.com	none	y	opt-in!	none	1
InsWeb	b, j	z	no share	b+	1
JNGrace Online	NONE	NONE	none	none	2
Juniper Bank	b, k	b, k	good	good	1
Key Bank	b	b	b	b	4
LaSalle Bank	e	q	q	a	3
MBNA	b	b	b	b	1
Mellon Bank	e	e	a	a	4
Monroe Insurance	NONE	NONE	none	none	1
Morgan Stanley	a, b	q	q	b+	3
MyBank USA	NONE	q	q	none	1
National City	a	q	q	a	4
National Discount Brokers	NONE	q	q	none	1
National InterBank	x	q	q	no share	1
nBank	b	y	opt-in!	b	2
NetBank	h, j	y	opt-in!	j	1
Nexity Bank	x	z	no share	no share	1
Old Kent	NONE	q	q	none	4
Online Mortgage Corporation	NONE	NONE	none	none	1
Patagon USA	NONE	y	opt-in!	none	4
PayPal	d	d	d	d	1
PC Banker	none	q	q	none	1
PNC	a	a	a	a	4
Presidential Bank	none	q	q	none	2
Progressive	g	g	mentioned	mentioned	1
Regions Bank	b, d	y	opt-in!	good	4
RushTrade.com	none	z	no share	none	1
Schwab	NONE	y	opt-in!	none	3
Security First Network Bank	a, b, c	q	q	c	1
SouthTrust Bank	a, b, f	q	q	b+	4
Sovereign	b, d, f	b, d, f	good	good	3
Sterling Mortgage Corporation	NONE	NONE	none	none	2
SunTrust	a, b	a, b	b+	b+	4
TD Waterhouse	e	q	q	a	3
Trade.com	j	b, j	b+	j	1
Umbrellabank.com	confusing	confusing	confusing	confusing	1
US Bank	b, d, f	b, d, f	good	good	4
Virtual Bank	b, h, j	y	opt-in!	b+	1
Wachovia	b	q	q	b	4
Washington Mutual	e	e	a	a	4
Washington Trust	NONE	q	q	none	2
Wells Fargo Bank	b	b	b	b	4
Wingspan Bank	b	b	b	b	4
Zion Bank	b	b	b	b	3

Size
1 = online only
2 = small (under 25 branches)
3 = medium sized (26-499 branches)
4 = large (over 500 branches or equivalent customer base)

Opt-out code
a = mail address supplied - must post a letter
b = phone number given to call
c = email address given to contact
d = web form or online preference page
e = printable form supplied, must mail in to given address
f = in person
g = opt out policy mentioned, but no specific instructions
h = mail without instructions
j = email without instructions
k = opt out at joining / signing up
l = call in to request mail-in form
x = no non-essential affiliate info sharing
y = opt in policy
q = may share, but no opt out required by GLB
z = no n-essential 3rd party info sharing

ACKNOWLEDGEMENTS

This report was funded with a grant from the Denis v. Metromail Cy Pres Foundation.

The primary researcher on this report was Allan Friedman. Other research and drafting was completed by Dan Lerner and Kmele Tulloch Foster.

CDT would like to thank the Privacy Rights Clearinghouse, Consumers Union and Peter Swire for their input.

We would also like to thank the industry leaders who gave us background information and feedback on our results.

Graphic design and layout was done by Aleksandr Gembinski.

Notes

Links will open in a new browser window, and were verified on August 29, 2001.

1. Business Week / Harris Poll: "Online Insecurity" Business Week, March 16, 1998.

2. Markle Foundation, "Toward a Framework for Internet Accountability" 2001.

3. Ibid.

4. Kempler, Cecilia & Woody, Robert, "Living with Gramm-Leach-Bliley" March 15, 2000. (http://www.insurelegal.com/livingwith031500.html)

5. Hochhauser, Mark, Lost in the Fine Print: Readability of Financial Privacy Notices (.http://www.privacyrights.org/ar/GLB-Reading.htm)

6. Old Kent Bank Privacy Policy (http://www.oldkent.com/about/policy.html)

7. Schwab Privacy Policy (http://www.schwab.com/SchwabNOW/navigation/mainFrameSet/0,4528,817,00.html)

8. CNL Bank Privacy Policy (http://www.alliancebnk.com/privacy.htm)

9. Patagon USA Privacy Policy (http://usa.patagon.com/about/privacy.html)

10. First Union Privacy Policy (http://www.firstunion.com/legal/privacy.html)

11. Community First Privacy Policy (http://www.cfbx.com/resources/privacy_info.htm)

12. Comerica Privacy Policy (http://www.comerica.com/comerica/pprinciple_c.html)

13. Mellon Bank Privacy Policy (https://www.mellon.com/privacy/index.html)

14. Bank Caroline Privacy Policy (http://www.bankcaroline.com/prodinfo.asp?intProd=24)

15. Greenpoint Financial Privacy Policy(http://www.greenpoint.com/index.cfm?spPathname=static/privacy.htm)

16. Ameriwest Mortgage LLC Privacy Policy (http://www.ameriwest.com/about/privacy.html)

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action!
Previous Headlines | Legislative Tracking | CDT's Privacy Policy

The Center For Democracy & Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(v) 202.637.9800
(f) 202.637.0968
Contact CDT

Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit. Details.