Third-Party Data Sharing for Marketing and Analytics

What it is

Stash shares personal information with a range of third parties including marketing partners and analytics providers, in addition to service providers and affiliates, for purposes that include business intelligence and promotional activities.

Why it matters (compliance & governance perspective)

Sharing personal financial and behavioral data with marketing and analytics third parties goes beyond what is strictly necessary to provide investment and banking services, and consumers may not anticipate this use when they sign up for a financial platform.

Clause Stability Stable

Consumer impact (what this means for users)

Your personal information, including financial data and behavioral data, may be shared with third-party marketing partners and analytics vendors; California residents have the right to opt out of sharing for cross-context behavioral advertising purposes under the CPRA.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: The CPRA defines sharing personal information for cross-context behavioral advertising as a regulated activity requiring an opt-out right, distinct from the right to opt out of sale. GLBA limits financial institutions' ability to share nonpublic personal information with nonaffiliated third parties and requires an opt-out for certain sharing arrangements. The FTC Act applies to material misrepresentations about data sharing practices. The CFPB has authority over data sharing practices of financial service providers subject to its jurisdiction. GOVERNANCE EXPOSURE: Medium. The policy discloses third-party sharing for marketing and analytics but the specific categories of third parties, the data fields shared, and the contractual limitations on downstream use are not fully detailed in the policy text. GLBA's opt-out requirements for nonaffiliated third-party sharing require verification that the Privacy Notice and opt-out mechanism are compliant and operational. JURISDICTION FLAGS: California creates heightened exposure under CPRA sharing opt-out requirements. Other states with comprehensive privacy laws including Virginia, Colorado, Connecticut, and Texas impose similar but not identical opt-out obligations for targeted advertising. Financial services regulators in New York (NYDFS) have specific cybersecurity and data governance requirements that may interact with third-party data sharing arrangements. CONTRACT AND VENDOR IMPLICATIONS: Data processing agreements with marketing and analytics vendors should specify permitted uses of shared data, prohibit secondary use for purposes not disclosed to consumers, and require vendors to implement appropriate security controls. If vendors are permitted to combine Stash-shared data with data from other sources, re-identification risk increases and should be addressed contractually. COMPLIANCE CONSIDERATIONS: Compliance teams should map all third-party data sharing relationships, verify that each relationship is disclosed in the policy, confirm that GLBA opt-out mechanisms are operational, and ensure CPRA sharing opt-out requests are honored within required timeframes. Marketing partner agreements should be reviewed to confirm that data use is limited to purposes disclosed in this policy.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Anonymized Data Carve-Out medium
• Selfie and Government ID Collection for Identity Verification medium
• Bank Account Credential Collection high
• California Residents Privacy Rights (CCPA/CPRA) medium
• Do Not Track Non-Response medium
• Customer Service Call Recording low

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.