As the holiday shopping season comes into full swing, many consumers may be surprised to learn that their purchase data is being monetized by an unlikely source—their bank. 

2024 has been a year with a renewed focus in marketing and advertising on first-party data, or data that is collected directly from consumers and able to be associated with individuals. Advertisers LOVE first-party data. It helps them gain insights into consumer behavior, identify high-value customers, and better personalize ad targeting to new and existing customers. The challenge is that advertisers themselves are only able to collect first-party data when consumers are directly interacting with their brand. Wouldn’t a company love to know where else their consumers are shopping and what they are spending their disposable income on? Well, who could answer these questions? The customer’s financial institutions, of course! 

Beginning in the spring of 2024, a new source of consumer data was made available with the introduction of Financial Media Networks. Popular finance providers such as Chase Bank, Citibank, Revolut, PayPal, and Klarna have each introduced their own media network solutions where they package their own first-party data about consumers—information like amount of income, transactions, and spending habits—and make it available to other organizations for use in marketing and advertising. 

If, as a consumer, this makes you a little bit uneasy, you are not alone. According to a U.S. Consumer Reports survey, 76 percent of respondents said it is very important to them that their permission is required to share banking data with any other company and 90 percent found it important that banks limit their sharing of banking data for purposes such as advertising. 

The next natural question becomes, how is this possible? Aren’t there any protections in place? Currently in the United States, there is no federal privacy law on the books. Financial institutions are subject to some obligations for privacy under laws such as the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA). The GLBA broadly protects consumers’ “nonpublic personal information”. This is all information the financial institution receives about a consumer while providing their financial service that is not already publicly available. 

So your transaction and banking details are technically protected. The gap comes in the extent to which those protections apply. Under GLBA, a financial institution generally cannot share nonpublic personal information with a nonaffiliated third party unless it clearly discloses the sharing to the consumer and provides the consumer an ability to exercise the nondisclosure option (i.e. provides the ability to opt out). In the wild, these obligations are met via terminology in the privacy notice and terms of service, with opt-out options often buried in settings. According to the same Consumer Reports survey referenced earlier, 79 percent of consumers are either unaware of the sharing of their information or concerned about the activity. Yet, according to a recent Wall Street Journal article, less than 7 percent of consumers opt out of this sharing. For the 93 percent of consumers whose information is fair game, a majority are likely either unaware of the sharing or unaware of how they can opt out.

An excellent question then becomes, why is it even necessary to opt out? Why does this behavior not require an explicit consent acknowledgment? Here things get very interesting. While there is not a federal privacy law in the United States, 19 states have signed their own comprehensive state privacy laws. Nearly universally, these laws characterize personal financial data as “sensitive information”, which requires explicit consent (for most states) in order to share for purposes such as advertising. While this requirement would be applicable for any retailer operating in the states with privacy laws, each of the state laws exempts financial institutions that are covered by federal laws such as GLBA. Thus, a loophole is created permitting the sharing of consumers’ banking data for advertising purposes by financial institutions.

What does this mean then for consumers? You still have rights! The first step is being aware of the process, which if you’ve made it this far, you certainly are. Now it is up to you to decide if you are comfortable with this sharing or not. If not, all financial institutions are legally required to offer the ability to opt out of these sharing practices. Most often this option is available via your online banking interface in the settings. 

What does this mean for advertisers? It’s true that, as a business, acquiring purchase history and financial information for consumers can be very helpful in improving consumer understanding and adding context for audience creation and targeting. On the other hand, it is also very important to understand that consumers are largely not comfortable with the practice. Weighing these privacy considerations against potential business value will be necessary, with the calculus coming down to where your organization stands from an ethical marketing perspective. At the very least, if you do decide to use such data, it is important to ensure internal privacy controls are in place to only process data for users who have consented or not opted out and to properly protect the acquired data.

The renewed focus on first-party data is introducing new sources of data to use for marketing and advertising. As a consumer, it is important to understand how and where your data is being collected and used for these purposes. As an advertiser, it is important to consider consumer preferences related to their privacy to ensure that consumer privacy rights are respected. Consumer financial data is an interesting litmus test for where the industry stands on consumer privacy. 
