Third-Party Financial Partner Data Sharing

What it is

Walmart states it shares customer personal information with co-branded credit card issuers and other financial partners for joint financial products, and those partners' own privacy notices govern how they use the shared data.

Why it matters (compliance & governance perspective)

The policy states that data shared with financial partners is governed by those partners' separate privacy notices, meaning consumers interacting with Walmart co-branded financial products should review both Walmart's notice and the applicable financial institution's privacy disclosures to understand the full scope of data use.

Consumer impact (what this means for users)

The policy states that Walmart shares customer identifiers, purchase history, and financial information with co-branded credit card issuers and financial service partners, and that those partners maintain their own independent privacy notices that govern their use of the shared data, creating a separate data processing relationship outside Walmart's direct control.

What you can do

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: Sharing personal information with financial institutions in connection with co-branded credit products may implicate the Gramm-Leach-Bliley Act (GLBA), which governs financial institution privacy notices and opt-out rights for non-affiliated third-party data sharing. The CFPB has oversight authority over GLBA compliance for financial institutions receiving shared customer data. The CPRA's service provider and third-party categorization framework requires Walmart to assess whether financial partners are operating as independent third parties (triggering opt-out rights under CCPA) or as service providers. 2) GOVERNANCE EXPOSURE: Medium. The notice's statement that data sharing with financial partners is 'subject to those partners' privacy notices' may be interpreted as acknowledgment that those partners operate as independent third parties rather than service providers, which under CCPA/CPRA would require those transfers to be treated as sales or sharing subject to opt-out rights. 3) JURISDICTION FLAGS: California CPRA creates the primary exposure for characterizing financial partner data transfers. GLBA's opt-out framework applies nationally but provides more limited consumer rights than CPRA. 4) CONTRACT AND VENDOR IMPLICATIONS: Co-branded financial product agreements should specify the permissible uses of shared customer data by the financial institution partner and whether the partner is operating as a service provider (restricting data use) or an independent controller. These characterizations have direct CPRA compliance implications. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should map all financial partner data flows and determine whether each transfer is characterized as a service provider relationship or a third-party transfer under CPRA. If classified as third-party transfers, opt-out mechanisms must be available to California residents for these flows specifically.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Data Sale and Sharing via Walmart Connect high
• Biometric Identifier Collection high
• Sensitive Personal Information Handling high
• Consumer Privacy Rights (State-Specific) medium
• Data Retention medium
• Children's Privacy (Minors Under 16) medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.