New regulations in the banking industry will make it easier for consumers to find out. Most banks, however, have yet to update their privacy policies to comply with provisions in the Gramm-Leach-Bliley Act, signed into law last November and set to become mandatory in July 2001.

PriceWaterhouseCoopers, the large accounting and consulting firm, studied the Web sites of the top 50 US banks and thrift holding companies with a significant consumer presence in online banking. Its research showed that two-thirds of the banks' online privacy notices aren't yet compliant with the Act.

Ms Maryann Murphy, a partner with PriceWaterhouseCoopers, says the bank survey was intended as a measure of how well financial services institutions were preparing to comply with the new act. While it is encouraging that nearly all of the banks studied have an easily located privacy policy on their Web sites, "There's a lot of work to be done," she says.

For example, more than two-thirds of banks' Web sites studied didn't state what information they disclosed to third parties, and only 9 per cent of Web sites gave examples of the parties with whom non-public personal information is shared. None of the sites in the study revealed their practices with respect to non-public personal information.

"[Privacy is] an issue that's near and dear to the hearts of customers, so from a strategic perspective, you want to be responsive to your customers," Ms. Murphy says.

The issue was in the spotlight earlier this month, when the US Bancorp, a large bank in Minneapolis, said it reached a preliminary settlement in a class-action lawsuit relating to consumer privacy. The bank in Minneapolis was sued for providing customer-account information to a marketing partner selling non-financial services. It acknowledged no wrongdoing but said it was setting aside $3 million to pay potential claims.

"[Privacy] is a key thing in the banking industry, where trust is such a part of the relationship," agrees Trish Jaffarian, online banking analyst with the Yankee Group in Boston. "It has been one of the factors determining how fast online banking gets adopted."

And online banking has been slow to catch on. While 21.5 million Americans are expected to shop online in 2000, only about half as many will bank online, says a recent study by New York e-commerce research firm Jupiter Communications. The Gramm-Leach-Bliley Act, which peels away barriers dating back to the Depression, aims to allow one-stop financial shops that offer a range of products by permitting insurers, banks and brokerages to merge.

One of the act's provisions, called Title V, addresses financial institutions' privacy policies and protection of sensitive consumer data. It applies both in the offline and online world, but it receives heightened attention on the Web, where consumers are skittish about their privacy.

Under the new laws, banks must post a clear and conspicuous privacy policy that discloses the categories of non-public personal data that might be shared with a third party, such as age, gender or transaction history. The policy must also disclose to whom information is disseminated, and it must include specific details about how consumers can opt out of having their information disclosed.

The Office of Thrift Supervision and the Office of the Comptroller of the Currency, both divisions of the Treasury Department, have issued guidelines for banks with suggestions about how to comply. For example, when a privacy policy is addressing the categories of information collected, the two agencies suggest this sample language:

"We collect non-public personal information about you from the following sources: Information we receive from you on applications or other forms; information about your transactions with us, our affiliates or others; and information we receive from a customer reporting agency."

The government agencies recommend that banks provide as many examples and details as possible to explain what kind of information is being gathered and shared.

Robin Warren, a privacy executive for Bank of America, says the policy on its site has been altered periodically since it was originally posted in 1998. The policy doesn't yet meet the Gramm-Leach-Bliley rules, but a few small changes will bring the bank into compliance by early 2001, she says. "It's been important to us all along that if we were going to post a privacy policy, that it would be meaningful to customers and answer the questions ," Ms. Warren says.