Affiliate and Third-Party Data Sharing

What it is

Chase can share your personal and financial information with other JPMorgan Chase companies and with outside vendors or partners who help run its business, including for marketing and risk management purposes.

Why it matters (compliance & governance perspective)

Your financial and personal data may flow across the entire JPMorgan Chase enterprise and to third-party service providers, which broadens the number of entities that may access your information beyond Chase itself.

Consumer impact (what this means for users)

This provision means your account activity, financial behavior, and personal details may be shared with affiliated JPMorgan Chase companies and external vendors, potentially for purposes such as targeted marketing in addition to core banking operations.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision directly engages the Gramm-Leach-Bliley Act, which requires financial institutions to provide consumers with notice and opt-out rights before sharing nonpublic personal information with non-affiliated third parties. The CFPB holds supervisory authority over GLBA compliance for consumer financial institutions. The California Consumer Privacy Act as amended by the CPRA imposes additional disclosure and opt-out requirements for sharing personal information with third parties for cross-context behavioral advertising. Where the policy asserts broad sharing permissions, GLBA and CCPA/CPRA requirements may constrain those permissions depending on the data type, sharing purpose, and consumer geography. GOVERNANCE EXPOSURE: High. The breadth of affiliate sharing across the JPMorgan Chase enterprise and the inclusion of third-party vendors creates material compliance obligations under GLBA and state privacy laws. The policy's description of sharing purposes, including marketing and risk management, must align with the specific opt-out disclosures provided in the separately required GLBA annual privacy notice. Any divergence between operational data flows and policy disclosures creates regulatory exposure. JURISDICTION FLAGS: California residents have CCPA/CPRA opt-out rights for sharing of personal information with third parties for advertising purposes. States including Virginia, Colorado, Connecticut, and Texas have enacted comprehensive privacy laws that may impose similar requirements depending on Chase's customer base in those states. The EU and UK are not the primary focus of this policy but EU/EEA users, if any, would engage GDPR requirements. CONTRACT AND VENDOR IMPLICATIONS: Third-party service providers receiving consumer financial data should be subject to contractual data processing agreements that restrict use to specified purposes consistent with this policy. Procurement and vendor management teams should confirm that data processing agreements with Chase's service providers align with the policy's stated sharing restrictions and applicable GLBA safeguards requirements. COMPLIANCE CONSIDERATIONS: Compliance teams should map operational data flows against the policy's affiliate and third-party sharing disclosures to confirm accuracy. The GLBA annual privacy notice and the online privacy policy should be reviewed together to ensure consistent opt-out disclosures. California-specific opt-out mechanisms should be tested for functionality and accessibility. Teams should assess whether recently enacted state privacy laws in Virginia, Colorado, Connecticut, or Texas create additional disclosure or consent obligations for Chase's customer populations in those states.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Cookie and Behavioral Tracking medium
• Location Data Collection medium
• California Consumer Privacy Rights medium
• Data Collection from Third Parties medium
• Marketing Communications and Opt-Out low
• Children's Privacy low

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.