Third-Party and Affiliate Data Sharing

What it is

Mercury can share your personal and financial information with affiliated companies, service providers, and business partners, including for marketing purposes that may benefit those third parties.

Why it matters (compliance & governance perspective)

Data sharing with third parties for marketing purposes goes beyond what is strictly necessary to provide banking services, which means your financial data may be used in ways unrelated to your Mercury account.

Consumer impact (what this means for users)

The policy permits Mercury to share personal and financial data with business partners for marketing and promotional purposes, which means data about your business banking activity could be used by third parties to target you with offers.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Third-party data sharing for marketing purposes by a financial institution engages GLBA's privacy notice and opt-out requirements. Under GLBA, financial institutions must provide customers with opt-out rights before sharing nonpublic personal information with non-affiliated third parties for marketing. CCPA as amended by CPRA defines sharing of personal information for cross-context behavioral advertising as a regulated activity requiring opt-out rights for California residents. The FTC and CFPB both have enforcement authority in this area depending on Mercury's regulatory classification. GOVERNANCE EXPOSURE: High. Sharing financial data with third parties for marketing creates material GLBA compliance obligations and, for California residents, CCPA opt-out obligations. If opt-out mechanisms are not clearly disclosed and operationally functional, this creates regulatory exposure under both federal and state frameworks. JURISDICTION FLAGS: California residents have the strongest protections, with CCPA opt-out of sale and sharing rights that are enforceable by the California Privacy Protection Agency and via private right of action in data breach contexts. GLBA opt-out requirements apply nationally but enforcement depends on Mercury's regulatory charter and partner bank structure. CONTRACT AND VENDOR IMPLICATIONS: Business partner data sharing agreements must be reviewed to ensure they meet GLBA's restrictions on onward transfer and CCPA's contractor and service provider definitions. Where a business partner receives data for their own marketing purposes, they may be a 'third party' under CCPA rather than a service provider, triggering different contractual requirements and user rights. COMPLIANCE CONSIDERATIONS: Compliance teams should audit all active third-party data sharing relationships to classify them correctly under GLBA and CCPA, ensure opt-out mechanisms are disclosed prominently and technically implemented, and verify that GLBA annual privacy notices are issued where required. Data sharing for marketing should be documented in the CCPA records of processing activities.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Collection of Financial and Identity Data medium
• Collection of Beneficial Owner and Authorized User Data medium
• Behavioral and Inferred Data Collection low
• California Consumer Privacy Act Rights low
• Data Retention Policy low
• Use of Data for Marketing and Product Development medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.