I read through California’s CCPA when it passed. Then Colorado’s. Then Virginia’s. Each one was covered as a meaningful step toward consumer data rights — the ability to know what’s collected, demand deletion, opt out of sales. The coverage was largely positive. Progress was being made.
What most of that coverage missed: financial institutions are explicitly carved out of nearly every one of them.
Twenty states now have comprehensive privacy laws on the books. And the CFPB’s own report acknowledges directly that most of them “exempt financial institutions and consumer financial data covered by federal law, even though states generally have authority to go beyond the federal rules.”
The federal law doing the exempting is the Gramm-Leach-Bliley Act, passed in 1999. Before smartphones. Before Venmo. Before anyone imagined that banks would someday compete with Google for advertising revenue. GLBA requires banks to send you a privacy notice — that document you’ve never fully read — and allows you to opt out of some data sharing. But it explicitly permits banks to use your transaction data internally for “their own purposes” without your consent, and the opt-out doesn’t apply to sharing with affiliated companies.
The practical result: your financial data has weaker privacy protections than your Instagram likes.
What Banks Are Actually Building With Your Data
This moved from theoretical to operational several years ago, and it’s worth being specific about what “monetizing financial data” actually means in 2026.
Chase launched Chase Media Solutions in 2024. It's an advertising platform that lets brands target Chase customers based on their spending patterns. Buy dog food on your Chase card and Petco can pay to put an offer in front of you. Book a hotel and Expedia can buy ads aimed at that profile. The pitch to advertisers is straightforward: "We know what your customers actually buy, not just what they click on. We can prove ROI because we see the transaction."
Bank of America, Wells Fargo, and Capital One have built equivalent advertising products. They frame it carefully — they’re not “selling your data,” they’re selling “advertising access” to people who match a spending profile. The legal distinction is meaningful for regulatory purposes. The practical outcome for the person whose data is being used is largely the same.
Every transaction you make narrows the profile. Where you shop and when. The $347 charge at a fertility clinic. The $1,200 monthly therapy bills. The casino weekend. The pattern of charges that, taken together, suggests a marriage is in trouble before either spouse has said a word about it publicly. Banks have access to behavioral data that Facebook would find genuinely enviable — and unlike Facebook, banks are operating under a regulatory framework designed before the concept of data monetization existed.
The CFPB Rule That Helped With One Thing and Left Everything Else Untouched
In October 2024, the CFPB finalized its Personal Financial Data Rights rule under Section 1033 of Dodd-Frank. The largest banks are required to comply by April 2026, with smaller institutions phasing in through 2030.
The rule does something genuinely useful: it gives you the right to demand that your bank transfer your financial data to a competitor. If you want to switch from Chase to Ally, the bank has to hand over your transaction history in a portable format rather than making you export 12 months of statements manually. Data portability is real and it matters for competition in banking.
What the rule doesn’t do: restrict what banks can do with your data for their own purposes, limit internal advertising operations, or constrain the surveillance business model. It makes your data more portable. It doesn’t make it more private.
The distinction matters because the two goals pull in different directions. Greater portability — the right to move your data between institutions — is predicated on your data being available and transmissible. That requirement is not easily compatible with a regime that significantly restricts how your data can be used in the first place. The CFPB addressed the portability problem. The privacy problem is structurally harder, and this rule doesn’t touch it.
The “Anonymized” Data Claim Is Not What It Sounds Like
When banks describe their advertising products, they typically note that data is “anonymized” before it’s used in aggregate analysis. This sounds like meaningful protection. It’s largely liability management.
The research on this is unambiguous. A 2015 study in Science (de Montjoye et al., "Unique in the shopping mall") examined three months of pseudonymized credit card metadata for 1.1 million people and found that four spatiotemporal points, a merchant and a day each, were enough to uniquely identify 90% of them. Removing your name from a dataset doesn't meaningfully protect your identity when the behavioral fingerprint the data contains is distinctive enough to locate you precisely within a population. Strictly, what banks describe is pseudonymization rather than anonymization: the identifier is swapped out and the record stays intact. That protects the institution, since it's harder to demonstrate a privacy violation when the data lacks explicit identifiers, but it doesn't protect you from being profiled and targeted.
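To make the re-identification mechanism concrete, here is an added example (mine, not code from the article or from the study it cites). It measures the "unicity" of a pseudonymized transaction dataset: the share of pseudonyms that a handful of (merchant, day) points pin down to exactly one record. The dataset is constructed and uniform, and the pseudonym and merchant names are made up; it does not reproduce the study's 90% figure, only the effect that stripping names does nothing once a few points are known.

```python
"""Unicity of pseudonymized transaction metadata.

Added example, not code from the article or the cited study. The data is
constructed: pseudonyms "u0000".., merchants "m00".., days 0..89 are all
made up. Each record is (pseudonym, merchant, day); there are no names.
An attacker who knows p (merchant, day) points about a target asks how many
pseudonyms contain all p of them. One match means the target is re-identified.
"""
import random
from collections import defaultdict


def index_by_point(records):
    """Map each (merchant, day) point to the set of pseudonyms seen there."""
    index = defaultdict(set)
    for pseudonym, merchant, day in records:
        index[(merchant, day)].add(pseudonym)
    return index


def match_pseudonyms(index, points):
    """Pseudonyms whose history contains every one of the attacker's points."""
    points = list(points)
    if not points:
        return set()
    candidates = set(index.get(points[0], ()))
    for pt in points[1:]:
        candidates &= index.get(pt, set())
        if not candidates:
            break
    return candidates


def unicity(records, p, seed=0):
    """Share of pseudonyms that p of their own points pin down to exactly one.

    Each pseudonym's points are shuffled with a per-pseudonym seed and the first
    p are used, so a larger p only adds knowledge and unicity cannot decrease.
    Pseudonyms with fewer than p points are skipped.
    """
    index = index_by_point(records)
    history = defaultdict(set)
    for pseudonym, merchant, day in records:
        history[pseudonym].add((merchant, day))
    unique = eligible = 0
    for pseudonym, pts in history.items():
        pts = sorted(pts)
        if len(pts) < p:
            continue
        random.Random(f"{seed}:{pseudonym}").shuffle(pts)
        eligible += 1
        if match_pseudonyms(index, pts[:p]) == {pseudonym}:
            unique += 1
    return unique / eligible if eligible else 0.0


def synthetic_records(n_users=2000, n_merchants=40, n_days=90, tx_per_user=12, seed=1):
    """Constructed dataset: each pseudonym gets tx_per_user distinct (merchant, day)
    points drawn uniformly. Real spending is clustered, not uniform; this is a baseline."""
    rng = random.Random(seed)
    records = []
    for u in range(n_users):
        pseudonym = f"u{u:04d}"
        seen = set()
        while len(seen) < tx_per_user:
            seen.add((f"m{rng.randrange(n_merchants):02d}", rng.randrange(n_days)))
        records.extend((pseudonym, m, d) for m, d in sorted(seen))
    return records


if __name__ == "__main__":
    recs = synthetic_records()
    for p in (1, 2, 3, 4):
        print(f"attacker knows {p} point(s): unicity = {unicity(recs, p):.3f}")
```

On this uniform baseline, one known point identifies almost nobody and four points identify essentially everyone; the gap between those two numbers is the gap between "we removed the name" and "nobody can find you". Swapping in a pseudonymized export of real statements, with the same three-column shape, shows how a real history behaves.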
The privacy-enhancing technologies that financial institutions are increasingly deploying — differential privacy, homomorphic encryption, techniques that allow analysis without exposing individual records — are genuinely sophisticated. They’re also aimed at making surveillance more compliant rather than less pervasive. Your bank still knows what you spent at a fertility clinic. The encryption steps affect how that knowledge flows through their analytical systems, not whether it exists.
What You Can Actually Do
The options are more limited than most privacy coverage suggests, and being direct about that is more useful than overstating what’s available.
The opt-out that exists is worth using. Log into your bank's privacy settings and find the sections on sharing with affiliates and sharing with third parties for marketing purposes. Opt out of everything available. GLBA's opt-out only covers sharing with nonaffiliated third parties; the separate affiliate-marketing opt-out that banks offer comes from the Fair Credit Reporting Act, so check for both. None of this stops internal advertising operations, which GLBA explicitly permits without your consent, but it limits external sharing, and doing it costs nothing.
Cash remains the most effective privacy tool for sensitive purchases. Therapy, medical care, legal consultations, anything you don’t want contributing to a behavioral profile. The inconvenience is real. So is the privacy protection.
Separating your financial identities creates meaningful friction for profiling. A dedicated account for recurring bills, a separate card for discretionary spending, split across different institutions. No single institution gets the full picture of your financial behavior, which makes behavioral profiling substantially harder without eliminating it entirely.
The subscription audit question applies here with an additional dimension: every recurring charge you carry is a permanent data point that banks analyze. Removing subscriptions you don’t use is both a financial and a privacy improvement simultaneously.
Understanding which data removal services do and don’t help is worth being clear about. Services like DeleteMe and Incogni are effective at what they do — removing your information from people-search databases and data broker lists. They don’t touch financial data. Banks aren’t legally classified as data brokers under most state laws, and even if they were, the GLBA carve-out would still apply. Removing yourself from data broker databases is a separate, worthwhile project from addressing financial data privacy, and conflating the two creates false confidence.
The fintech alternative to traditional banks doesn’t solve the problem either. Venmo, Cash App, and Chime collect equivalent transaction data, often with lighter regulatory oversight than chartered banks. Switching to a fintech doesn’t exit the surveillance model — it may involve less regulatory protection than staying with a traditional institution.
The Business Model Question
The underlying issue is structural, which is why individual opt-outs only go so far.
Traditional checking accounts cost money to maintain. Processing transactions, running branches, employing customer service staff, managing fraud. Banks need to extract value somewhere. Fee-based banking is unpopular and drives customers away. Data monetization is invisible and largely uncontested.
The business model that emerged is straightforward: offer checking accounts at low or no cost, recoup the cost and profit margin through the advertising revenue your transaction data generates. The customer experiences a free or cheap banking relationship. The price is paid in data rather than dollars.
This isn’t unique to banking — it’s the same trade-off that underlies free email, free social media, and most of the consumer internet. What’s different about banking is the sensitivity of the data involved, the absence of meaningful consumer control under existing law, and the gap between the privacy protections consumers believe they have and the protections they actually have.
The smart home privacy and biometric security risks I’ve written about before share this characteristic — the surveillance is built into the service model, not bolted on afterward, which makes opting out of the surveillance without opting out of the service genuinely difficult.
Where This Leaves You
By the end of 2026, the Section 1033 compliance requirement means the largest banks will let you move your data to competitors more easily. Privacy-enhancing technologies will be more widely deployed in financial services. More banks will have formalized advertising divisions treating transaction data as a revenue stream.
What will not have changed: the GLBA carve-outs in state privacy laws, the fundamental business model of surveillance finance, or the gap between what consumers believe privacy law protects and what it actually covers.
If you want to minimize financial data surveillance, the most effective tools are the oldest ones — cash for sensitive purchases, separation of accounts across institutions, and active use of whatever opt-outs the bank is legally required to provide. None of these are complete solutions. They’re friction in a system that’s otherwise optimized to run without any.
Most people will accept the trade. Banks are running a business model that depends on that.