Bank of America

Bank of America is an American multinational investment bank and financial services company.

3.2/10

How we calculate ratings →

Handling

Does the policy allow personally-targeted or behavioral marketing? Yes, but you may opt-out

4/10

Score

Yes

Yes, but you may opt-out

35%

Yes, but you must opt-in

70%

100%

Citation

You have choices about how Bank of America advertises to you based on your online behavior.

There is no standard for how "do not track" consumer browser settings should work for online advertising purposes. As such, we do not respond to browser "do not track" signals from browser settings. However, there are several opt out options available to you:

Advertising on our Sites and Mobile Apps and off-line channels such as financial centers, call centers, and through direct marketing (for example email, mail, phone): If you prefer we not provide you with tailored content and advertising based on your online behavior with our Sites and Mobile Apps, you may opt out of online behavioral advertising. Please review the important Reminder section that follows.
Advertising on Non-Affiliated Third Party sites: Bank of America participates in the Digital Advertising Alliance ("DAA") self-regulatory Principles for Online Behavioral Advertising and uses the Advertising Options Icon on our behavioral ads on non-affiliated third party sites (excluding ads appearing on platforms that do not accept the icon). Ads served on our behalf by these companies do not contain unencrypted personal information and we limit the use of personal information by companies that serve our ads. To learn more about ad choices, or to opt out of interest-based advertising with non-affiliated third party sites, visit YourAdChoices layer powered by the Digital Advertising Alliance or through the Network Advertising Initiative's Opt-Out Tool. You may also visit the individual sites for additional information on their data and privacy practices and opt out-options.

Does the service allow you to permanently delete your personal data? No

0/5

Does the service allow third-party access to private personal data? Yes

0/10

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Score

Yes

The policy allows sharing personal data with third parties (not just critical service providers), and does not explicitly list the third parties.

Yes, all parties specified (including non-critical service providers such as advertisers)

30%

Yes, not all parties specified (but only to critical service providers)

70%

Yes, all parties specified (only to critical service providers)

80%

100%

Citation

We may share the personal information we collect from and about you online described in this Notice (and subject to other legal restrictions and notices you may have received depending on your relationship with us) with:

Affiliates and Subsidiaries of Bank of America, such as Merrill
Service Providers, Vendors and Third Party Providers who have contracts with Bank of America
Government Agencies as required by laws and regulations.

We may allow certain non-affiliated third party widgets (for example social share buttons) on our sites that enable users to easily share information on another platform, such as a social media platform. The non-affiliated third parties that own these widgets may have access to information about your browsing on pages of our Sites and Mobile Apps where these widgets are placed.

When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Score

Always

This includes cases in which law enforcement either runs the service or has a known backdoor into (or relationship with) the service.

Not specified

When reasonably requested

60%

Only when required by a court order or subpoena

80%

N/A (no personal data to share)

The service would have no personal data to share with law enforcement.

100%

Never (special legal jurisdiction)

The service operates in a jurisdiction in which sharing data with law enforcement is never required.

100%

Notes

There are multiple mentions of "complying with law", yet no section dedicated to that specifically.

Transparency

Does the policy outline the service's general security practices? Somewhat

1/3

Score

Somewhat

The policy provides only a very vague overview of its security practices.

30%

Yes

60%

Yes, including audits

"Reviews," "monitoring," etc. also count as audits.

80%

Yes, including independent audits

Independent "reviews," "monitoring," etc. also count as independent audits.

100%

N/A

The service doesn't collect any personal information.

100%

Citation

To protect personal information from unauthorized access and use, we use security measures that comply with applicable federal and state laws. These measures may include device safeguards and secured files and buildings as well as oversight of our third party service providers to ensure personal information remains confidential and secure. In the event of a data breach, we provide timely notification, in accordance with applicable laws.

Is the policy's history made available? Only the date it was last modified

3/5

Does the policy require users to be notified in case of a data breach? Yes, eventually

5/7

Will affected users be notified when the policy is meaningfully changed? No

0/5

Collection

Does the service collect personal data from third parties? Yes

0/10

Is it clear why the service collects the personal data that it does? Mostly

7/10

Score

Somewhat

30%

Mostly

70%

Yes

100%

N/A

The service doesn't collect any personal information.

100%

Citation

Personal information collected from and about you online described in this Notice may be used for many purposes such as:

Delivering products and services to you by verifying your identity (for example when you access your account information); processing applications for products or services such as to prequalify for a mortgage, apply for a credit card, or to open a retirement account, investment account or other financial product; processing transactions; finding nearby ATMs, financial centers, and other specialized location based services near your location; and consolidating your financial account information at one online location with services such as My Portfolio® and My Financial Picture®.
Personalizing your digital and mobile experience by enhancing overall Sites and Mobile Apps organization and design and analyze data to create relevant alerts, products or services.
Providing advertising on our Sites and Mobile Apps as well as non-affiliated third party sites and through off-line channels like financial centers, call centers and direct marketing (for example email, mail and phone).
Detecting and preventing fraud, identify theft and other risks to you or Bank of America.
Performing analytics concerning your use of our online services, including your responses to our emails and the pages and advertisements you view.
Complying with and enforcing applicable legal requirements, relevant industry standards, contractual obligations and our policies.
Allowing you to use features within our Sites and Mobile Apps when you grant us access to personal information from your device such as contact lists, or geo-location when you request certain services that requires such access, for example locating an ATM.

Does the service allow the user to control whether personal data is collected or used for non-critical purposes? No

0/10

Does the policy list the personal data it collects? Yes, generally

7/10

Score

The policy does not claim to not collect personal data, but it also doesn't provide any meaningful insight into the types of personal data it collects.

Only summarily

The policy uses overly vague language to provide a summary of the types of collected personal data.

30%

Yes, generally

All general categories of collected personal data are listed, though not all types of personal data are explicitly mentioned (for example, the list might use a phrase like 'such as' when listing types of personal data).

70%

Yes, exhaustively

All types of collected personal data are listed specifically

100%

N/A (no personal data is collected)

100%

Citation

The type of personal information we collect from and about you online will depend on how you interact with us and may include:

Contact Information such as name, mailing address, email address, telephone and mobile number(s),
Account Application information such as credit and income information,
Identifiers such as social security number, account number(s), driver’s license number (or comparable) or other information that identifies you for ordinary business purposes
Access Authorization such as user name, alias, PIN and passcode and security questions and answers
Information from your computer, smartphone, tablet or other mobile device, such as
- Unique device identifiers (for example Media Access Control (MAC) and Internet Protocol (IP) addresses)
- Browser type, version, language, and display/screen settings
- Information about how you use and interact with our Sites and Mobile Apps (for example page visited, links clicked)
- Responses to advertisements on the Sites and Mobile Apps where we advertise
- Log information such as your search and voice to text queries in the mobile app
- Search engine referrals
- Geolocation information with consent, for example ATM or financial center location, fraud prevention)
- Social media preference

Last Updated

January 5, 2021

Sources

Source #1 ↗

Contributors

PSalant, ibarakaiev