{"id":"https://openalex.org/W4416059960","doi":"https://doi.org/10.1145/3719027.3765072","title":"Layered, Overlapping, and Inconsistent: A Large-Scale Analysis of the Multiple Privacy Policies and Controls of U.S. Banks","display_name":"Layered, Overlapping, and Inconsistent: A Large-Scale Analysis of the Multiple Privacy Policies and Controls of U.S. Banks","publication_year":2025,"publication_date":"2025-11-19","ids":{"openalex":"https://openalex.org/W4416059960","doi":"https://doi.org/10.1145/3719027.3765072"},"language":"en","primary_location":{"id":"doi:10.1145/3719027.3765072","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765072","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765072","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765072","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5071264724","display_name":"Lu Xian","orcid":"https://orcid.org/0000-0001-8120-1012"},"institutions":[{"id":"https://openalex.org/I27837315","display_name":"University of Michigan","ror":"https://ror.org/00jmfr291","country_code":"US","type":"education","lineage":["https://openalex.org/I27837315"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Lu Xian","raw_affiliation_strings":["University of Michigan, Ann Arbor, Michigan, USA"],"affiliations":[{"raw_affiliation_string":"University of Michigan, Ann Arbor, Michigan, USA","institution_ids":["https://openalex.org/I27837315"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101552299","display_name":"Van Tran","orcid":"https://orcid.org/0000-0002-0835-8598"},"institutions":[{"id":"https://openalex.org/I40347166","display_name":"University of Chicago","ror":"https://ror.org/024mw5h28","country_code":"US","type":"education","lineage":["https://openalex.org/I40347166"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Van Hong Tran","raw_affiliation_strings":["University of Chicago, Chicago, Illinois, USA"],"affiliations":[{"raw_affiliation_string":"University of Chicago, Chicago, Illinois, USA","institution_ids":["https://openalex.org/I40347166"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Lauren Lee","orcid":"https://orcid.org/0009-0002-2287-9127"},"institutions":[{"id":"https://openalex.org/I27837315","display_name":"University of Michigan","ror":"https://ror.org/00jmfr291","country_code":"US","type":"education","lineage":["https://openalex.org/I27837315"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Lauren Lee","raw_affiliation_strings":["University of Michigan, Ann Arbor, Michigan, USA"],"affiliations":[{"raw_affiliation_string":"University of Michigan, Ann Arbor, Michigan, USA","institution_ids":["https://openalex.org/I27837315"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Meera Kumar","orcid":"https://orcid.org/0009-0007-3433-4067"},"institutions":[{"id":"https://openalex.org/I27837315","display_name":"University of Michigan","ror":"https://ror.org/00jmfr291","country_code":"US","type":"education","lineage":["https://openalex.org/I27837315"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Meera Kumar","raw_affiliation_strings":["University of Michigan, Ann Arbor, Michigan, USA"],"affiliations":[{"raw_affiliation_string":"University of Michigan, Ann Arbor, Michigan, USA","institution_ids":["https://openalex.org/I27837315"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Yichen Zhang","orcid":"https://orcid.org/0009-0004-9078-794X"},"institutions":[{"id":"https://openalex.org/I135310074","display_name":"University of Wisconsin\u2013Madison","ror":"https://ror.org/01y2jtd41","country_code":"US","type":"education","lineage":["https://openalex.org/I135310074"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yichen Zhang","raw_affiliation_strings":["University of Wisconsin-Madison, Madison, Wisconsin, USA"],"affiliations":[{"raw_affiliation_string":"University of Wisconsin-Madison, Madison, Wisconsin, USA","institution_ids":["https://openalex.org/I135310074"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5061205711","display_name":"Florian Schaub","orcid":null},"institutions":[{"id":"https://openalex.org/I27837315","display_name":"University of Michigan","ror":"https://ror.org/00jmfr291","country_code":"US","type":"education","lineage":["https://openalex.org/I27837315"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Florian Schaub","raw_affiliation_strings":["University of Michigan, Ann Arbor, Michigan, USA"],"affiliations":[{"raw_affiliation_string":"University of Michigan, Ann Arbor, Michigan, USA","institution_ids":["https://openalex.org/I27837315"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5071264724"],"corresponding_institution_ids":["https://openalex.org/I27837315"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.42543358,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"3177","last_page":"3191"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11045","display_name":"Privacy, Security, and Data Protection","score":0.5532000064849854,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T11045","display_name":"Privacy, Security, and Data Protection","score":0.5532000064849854,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11437","display_name":"Digital Platforms and Economics","score":0.06780000030994415,"subfield":{"id":"https://openalex.org/subfields/1408","display_name":"Strategy and Management"},"field":{"id":"https://openalex.org/fields/14","display_name":"Business, Management and Accounting"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.023399999365210533,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/privacy-policy","display_name":"Privacy policy","score":0.7581999897956848},{"id":"https://openalex.org/keywords/information-privacy","display_name":"Information privacy","score":0.6556000113487244},{"id":"https://openalex.org/keywords/ftc-fair-information-practice","display_name":"FTC Fair Information Practice","score":0.6535999774932861},{"id":"https://openalex.org/keywords/notice","display_name":"Notice","score":0.6326000094413757},{"id":"https://openalex.org/keywords/transparency","display_name":"Transparency (behavior)","score":0.5889999866485596},{"id":"https://openalex.org/keywords/consumer-privacy","display_name":"Consumer privacy","score":0.5429999828338623},{"id":"https://openalex.org/keywords/privacy-by-design","display_name":"Privacy by Design","score":0.5404999852180481},{"id":"https://openalex.org/keywords/privacy-software","display_name":"Privacy software","score":0.5210999846458435},{"id":"https://openalex.org/keywords/data-sharing","display_name":"Data sharing","score":0.4867999851703644},{"id":"https://openalex.org/keywords/privacy-law","display_name":"Privacy law","score":0.4352000057697296}],"concepts":[{"id":"https://openalex.org/C102938260","wikidata":"https://www.wikidata.org/wiki/Q1999831","display_name":"Privacy policy","level":3,"score":0.7581999897956848},{"id":"https://openalex.org/C123201435","wikidata":"https://www.wikidata.org/wiki/Q456632","display_name":"Information privacy","level":2,"score":0.6556000113487244},{"id":"https://openalex.org/C163981777","wikidata":"https://www.wikidata.org/wiki/Q5427184","display_name":"FTC Fair Information Practice","level":5,"score":0.6535999774932861},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.6359999775886536},{"id":"https://openalex.org/C2779913896","wikidata":"https://www.wikidata.org/wiki/Q7063001","display_name":"Notice","level":2,"score":0.6326000094413757},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.6272000074386597},{"id":"https://openalex.org/C2780233690","wikidata":"https://www.wikidata.org/wiki/Q535347","display_name":"Transparency (behavior)","level":2,"score":0.5889999866485596},{"id":"https://openalex.org/C2778656907","wikidata":"https://www.wikidata.org/wiki/Q5164712","display_name":"Consumer privacy","level":3,"score":0.5429999828338623},{"id":"https://openalex.org/C193934123","wikidata":"https://www.wikidata.org/wiki/Q7246028","display_name":"Privacy by Design","level":3,"score":0.5404999852180481},{"id":"https://openalex.org/C509729295","wikidata":"https://www.wikidata.org/wiki/Q7246032","display_name":"Privacy software","level":3,"score":0.5210999846458435},{"id":"https://openalex.org/C2779965156","wikidata":"https://www.wikidata.org/wiki/Q5227350","display_name":"Data sharing","level":3,"score":0.4867999851703644},{"id":"https://openalex.org/C141972696","wikidata":"https://www.wikidata.org/wiki/Q1247836","display_name":"Privacy law","level":4,"score":0.4352000057697296},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.40869998931884766},{"id":"https://openalex.org/C175968658","wikidata":"https://www.wikidata.org/wiki/Q839447","display_name":"Privacy laws of the United States","level":3,"score":0.3928000032901764},{"id":"https://openalex.org/C169093310","wikidata":"https://www.wikidata.org/wiki/Q3702971","display_name":"Personally identifiable information","level":2,"score":0.387800008058548},{"id":"https://openalex.org/C78524284","wikidata":"https://www.wikidata.org/wiki/Q6031155","display_name":"Information privacy law","level":4,"score":0.3725999891757965},{"id":"https://openalex.org/C69360830","wikidata":"https://www.wikidata.org/wiki/Q1172237","display_name":"Data Protection Act 1998","level":2,"score":0.3582000136375427},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.3386000096797943},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.3294999897480011},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.31949999928474426},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.3140000104904175},{"id":"https://openalex.org/C109986646","wikidata":"https://www.wikidata.org/wiki/Q546113","display_name":"Public policy","level":2,"score":0.3100000023841858},{"id":"https://openalex.org/C2778137410","wikidata":"https://www.wikidata.org/wiki/Q2732820","display_name":"Government (linguistics)","level":2,"score":0.2994999885559082},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.2971000075340271},{"id":"https://openalex.org/C2781140086","wikidata":"https://www.wikidata.org/wiki/Q557945","display_name":"Confusion","level":2,"score":0.2858000099658966},{"id":"https://openalex.org/C2989499966","wikidata":"https://www.wikidata.org/wiki/Q664183","display_name":"Consumer protection","level":2,"score":0.28299999237060547},{"id":"https://openalex.org/C178005623","wikidata":"https://www.wikidata.org/wiki/Q308859","display_name":"Anonymity","level":2,"score":0.28110000491142273},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.28040000796318054},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.2782000005245209},{"id":"https://openalex.org/C3019808023","wikidata":"https://www.wikidata.org/wiki/Q546113","display_name":"State policy","level":3,"score":0.25290000438690186}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3719027.3765072","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765072","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765072","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2507.05415","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2507.05415","pdf_url":"https://arxiv.org/pdf/2507.05415","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"doi:10.1145/3719027.3765072","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765072","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765072","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1657108676","display_name":"Collaborative Research: EAGER: CPS: Data Augmentation and Model Transfer for the Internet of Things","funder_award_id":"2334996","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G1664904877","display_name":null,"funder_award_id":"2105734, 2334996","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G6962632272","display_name":null,"funder_award_id":"2105734","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4416059960.pdf","grobid_xml":"https://content.openalex.org/works/W4416059960.grobid-xml"},"referenced_works_count":32,"referenced_works":["https://openalex.org/W1967897164","https://openalex.org/W2025711826","https://openalex.org/W2108554506","https://openalex.org/W2376050373","https://openalex.org/W2508414746","https://openalex.org/W2517394750","https://openalex.org/W2983117593","https://openalex.org/W3000190958","https://openalex.org/W3015767612","https://openalex.org/W3032324689","https://openalex.org/W3080917700","https://openalex.org/W3123673015","https://openalex.org/W3125057561","https://openalex.org/W3137759237","https://openalex.org/W3161163131","https://openalex.org/W3176409842","https://openalex.org/W3179937365","https://openalex.org/W3208601859","https://openalex.org/W3208891205","https://openalex.org/W3214522776","https://openalex.org/W3216667748","https://openalex.org/W4210764005","https://openalex.org/W4225161578","https://openalex.org/W4288086187","https://openalex.org/W4293783549","https://openalex.org/W4308643689","https://openalex.org/W4323349092","https://openalex.org/W4362452929","https://openalex.org/W4366393666","https://openalex.org/W4376626871","https://openalex.org/W4393299261","https://openalex.org/W4404519480"],"related_works":[],"abstract_inverted_index":{"Privacy":[0,74],"policies":[1,58,108,139,216],"are":[2,197],"often":[3],"complex.":[4],"An":[5],"exception":[6],"is":[7],"the":[8,19,71,88,110,126,163,173,177,194],"two-page":[9],"standardized":[10],"notice":[11],"that":[12,33,39,144,180],"U.S.":[13,54,81,113],"financial":[14],"institutions":[15],"must":[16],"provide":[17],"under":[18],"Gramm-Leach-Bliley":[20],"Act":[21,75],"(GLBA).":[22],"However,":[23],"banks":[24,55,135],"now":[25],"operate":[26],"websites,":[27],"mobile":[28],"apps,":[29],"and":[30,44,59,70,90,123,171,213,217,222],"other":[31,65,156],"services":[32],"involve":[34],"complex":[35],"data":[36,100],"sharing":[37,101,154],"practices":[38],"require":[40,181],"additional":[41],"privacy":[42,57,67,83,107,138,215],"notices":[43,143],"do-not-sell":[45],"opt-outs.":[46],"We":[47,85,105,207],"conducted":[48],"a":[49,77,93],"large-scale":[50],"analysis":[51],"of":[52,92,95,116,134,160,176],"how":[53],"implement":[56],"controls":[60,124],"in":[61,141,155,202],"response":[62],"to":[63],"GLBA;":[64],"federal":[66,221],"policy":[68,190],"requirements;":[69],"California":[72],"Consumer":[73],"(CCPA),":[76],"key":[78],"example":[79],"for":[80,102,109,125,211],"state":[82,223],"laws.":[84,224],"focused":[86],"on":[87],"disclosure":[89],"control":[91,218],"set":[94],"especially":[96],"privacy-invasive":[97],"practices:":[98],"third-party":[99],"marketing-related":[103],"purposes.":[104],"collected":[106],"2,067":[111],"largest":[112],"banks,":[114],"45.2%":[115],"which":[117],"provided":[118],"multiple":[119,137],"policies.":[120,157],"Across":[121],"disclosures":[122],"same":[127],"bank,":[128],"we":[129],"identified":[130],"frequent,":[131],"concerning":[132],"inconsistencies---53.8%":[133],"with":[136,149,162],"indicated":[140],"GLBA":[142,195],"they":[145],"do":[146],"not":[147],"share":[148],"third":[150],"parties":[151],"but":[152],"disclosed":[153],"This":[158],"multiplicity":[159],"policies,":[161],"inconsistencies":[164],"it":[165],"causes,":[166],"may":[167],"create":[168],"consumer":[169],"confusion":[170],"undermine":[172],"transparency":[174],"goals":[175,201],"very":[178],"laws":[179],"them.":[182],"Our":[183],"findings":[184],"call":[185],"into":[186],"question":[187],"whether":[188],"current":[189],"requirements,":[191],"such":[192],"as":[193],"notice,":[196],"achieving":[198],"their":[199],"intended":[200],"today's":[203],"online":[204],"banking":[205],"landscape.":[206],"discuss":[208],"potential":[209],"avenues":[210],"reforming":[212],"harmonizing":[214],"requirements":[219],"across":[220]},"counts_by_year":[],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}