Is my bank’s privacy policy stupid, or am I being too pedantic?

I got an email this week from one of my banks. It is the annual reminder of their privacy policy, and is meant to make me feel good that the bank is taking my privacy and security seriously. But it does just the opposite. I realize, though, that given my personal nature, my background in quality assurance, and my lifelong hobby of playing games with complex rules, I may interpret their statement a lot more literally than they expect. Am I being a rules lawyer, or is this really as bad as it sounds? Read on…

For Your Security


Thank you for choosing First National Bank for your financial service needs. We appreciate the trust and confidence you have placed in us and understand the importance of protecting your personal information.

As part of our commitment to our customers, First National Bank annually notifies customers of the policy we have in place to protect private information. We would like to take a moment to assure you of the following:

  • First National Bank has always been and will remain committed to protecting our customers’ privacy.
  • We do not share your personal information except where required to complete a transaction on your behalf or where permitted by law.
  • There is no need for you to opt-out in order to prevent information sharing. First National Bank already limits the circumstances in which your personal information is disclosed.

The part I have a problem with is in the line in bold above. It’s the second part of that sentence that bothers me. Their statement isn’t “…or where required by law”; it is “…or where permitted by law.” It seems like they’re saying that they may share my personal information in any way that isn’t illegal. They can do anything with it right up to the point of the law, but not past that. Isn’t that strange?

Given that, the rest of this could just be simplified to say, “We may do anything that isn’t illegal with your data.” It’s good to know they don’t intend to break the law, but this doesn’t give me any warm fuzzy feeling that they’re going above and beyond the minimum required by banking laws.

What do you think?


1 comment

  1. It’s probably bad writing combined with the lawyers’ desire to give them as much latitude as possible—hence “permitted.” That way they can go beyond legal requirements if the government pressures them but doesn’t actually have a law to back up the request for data.
