Privacy policies are often complex. An exception is the two-page standardized notice that U.S. financial institutions must provide under the Gramm-Leach-Bliley Act (GLBA). However, banks now operate websites, mobile apps, and other services that involve complex data sharing practices that require additional privacy notices and do-not-sell opt-outs. We conducted a large-scale analysis of how U.S. banks implement privacy policies and controls in response to GLBA; other federal privacy policy requirements; and the California Consumer Privacy Act (CCPA), a key example for U.S. state privacy laws. We focused on the disclosure and control of a set of especially privacy-invasive practices: third-party data sharing for marketing-related purposes. We collected privacy policies for the 2,067 largest U.S. banks, 45.2% of which provided multiple policies. Across disclosures and controls for the same bank, we identified frequent, concerning inconsistencies: 53.8% of banks with multiple privacy policies indicated in GLBA notices that they do not share with third parties but disclosed sharing in other policies. This multiplicity of policies, with the inconsistencies it causes, may create consumer confusion and undermine the transparency goals of the very laws that require them. Our findings call into question whether current policy requirements, such as the GLBA notice, are achieving their intended goals in today's online banking landscape. We discuss potential avenues for reforming and harmonizing privacy policies and control requirements across federal and state laws.