This article was originally published in 1999 and was last updated on June 9, 2025
- Tension: We want personalized convenience but recoil when our data is used without our awareness.
- Noise: Media sensationalism around scandals blinds us to the slow mechanics embedding surveillance into everyday platforms.
- Direct Message: True digital autonomy demands not just reaction to scandals, but structural insistence on transparency, consent, and control.
Learn how we uncover deeper insights with the Direct Message Methodology
In June 1999, U.S. Bancorp’s stock plunged after revelations it shared customers’ sensitive data—including Social Security numbers, account balances, and credit card details—with MemberWorks, a telemarketing affiliate. The controversy landed the bank in lawsuits and led to multi-state settlements mandating stricter privacy controls.
In 2025, the stakes have grown. Our financial lives play out online—through banking apps, digital wallets, and integrated platforms—transforming data collection from obvious leaks into silent harvesting.
Civil cases and new state legislation, like California courts approving lawsuits over tracking pixels, signal a shift in the privacy battleground.
What it is and how it works
The 1999 scenario was direct: banks sold customer lists to marketing vendors with explicit permissions embedded in fine print.
MemberWorks received $4 million plus commissions from U.S. Bancorp for selling health and travel packages, prompting a sweeping settlement.
Today, what counts as “data sharing” is invisible. Banks embed tracking pixels or SDKs in apps and websites. These tools collect data silently—IP addresses, click behavior, device IDs—often shared with third-party analytics firms.
In April 2025, California’s Northern District ruled such pixel-based data transfers could fall under the California Consumer Privacy Act, potentially opening the door to statutory action.
At the federal regulatory level, the Gramm-Leach-Bliley Act (GLBA) still governs financial privacy, requiring disclosures and opt-outs.
But enforcement gaps and digital evolution mean GLBA’s protections often lag behind today’s tracking technologies.
The deeper tension behind this topic
We crave personalized, frictionless service, expecting apps to remember our preferences and proactively assist. Yet we balk at the realization that our data—moves, balances, spending—is silently tracked and monetized.
Emotionally, this creates a rupture: trust vs. surveillance. We want intimacy with trusted platforms, not covert data economies. Culturally, this reveals an acronym mismatch: we sign up for convenience but end up leasing our privacy.
What gets in the way
Mainstream media casts these issues as sensational scandals: “bank data hack” or “telemarketing scandal.” That framing misleads us into thinking privacy violations are episodic. In reality—they reflect anarchic system defaults built to extract value indefinitely.
The real barrier is structural: GLBA allows opt-out, not opt-in; vendor agreements and contracts are opaque; and banking systems embed analytics as standard, not accidental.
Meanwhile, public outrage cycles flare and fade, without addressing root causes or demanding enforceable transparency.
The Direct Message
True digital autonomy doesn’t come from outrage over the next scandal—it emerges when we insist on systems designed for transparency, meaningful consent, and user control.
Integrating this insight
To shift from passive reaction to active control, we must engage at four structural levels:
Reframe consent as active, not default
No more buried checkboxes. Institutions should present clear, informed options—”opt-in” rather than “opt-out”—for every tracking tool and data-sharing setup. California’s court rulings on pixels strengthen this demand.
Audit the plumbing
Banks must scan for tracking pixels or SDKs, and block those that collect sensitive identifiers without justified use. FTC precedent suggests deceptive practices could violate Section 5, the GLBA, or CCPA.
Legislate structural transparency
Lobby for laws requiring automated logs: who accessed data, when, and for what purpose. Grant users right to delete or export that log. Pushing for GLBA updates or state laws like CalFIPA to mandate these disclosures is essential.
Reorient public narrative
Support stories that explain systems—not just scandals. Highlight banks or fintechs that publish transparency dashboards or limit sharing by default. This builds a cultural shift toward privacy as baseline, not afterthought.
Closing perspective
The MemberWorks case was a preview of what was to come—but in 2025, data collection has become systemic. Fighting only when privacy breaches go headline viral keeps us locked into cycles of outrage, not reform.
Instead, let’s treat each tracking pixel, every algorithmic vendor, as a symptom of a bigger system—and redirect energy toward building digital environments that respect individuals by design, not by exception.
