Source: site
The Consumer Financial Protection Bureau (CFPB) published a report on November 12, 2024, examining state and federal privacy protections for consumer financial data.
The report analyzes state and federal privacy laws that have been passed in recent years – many of which exempt data and/or institutions that are subject to the federal Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA). Based on this analysis, the CFPB concludes that states should consider removing or narrowing the GLBA and FCRA exemptions in their privacy laws in order to provide more robust privacy protections over consumer financial data.
Privacy over consumer financial data
The report highlights the importance of privacy in regard to consumer financial data, which the CFPB views as particularly sensitive information. Consumers use technology products more and more to manage their financial data – whether online banking services or mobile payment apps. In the report, the CFPB explains that, in its view, this creates “unprecedented opportunities for companies to collect large quantities of various types of data concerning Americans’ economic lives and behaviors,” necessitating robust privacy protections.
The CFPB also states that, in its view, consumer financial data is increasingly important to financial institutions and technology companies, enabling more effective advertising and product improvement and development. The CFPB is concerned that the effect of this demand for consumer financial data “creates new opportunities for scammers and … can enable manipulative business practices.”
US state privacy laws exempt consumer financial data
Against this backdrop, states have increasingly passed privacy laws governing personal data. These laws provide individuals with certain rights over their personal data – such as the right to access, the right to delete and the right to portability of their data (meaning that consumers can easily transfer it) – which the CFPB notes are modeled on the European Union’s General Data Protection Regulation. Some states provide consumers with certain data opt-in and opt-out rights, such as those which require consumers to opt in before a business is allowed to process their sensitive data, or give consumers the right to opt out of the sale of their data or receiving targeted advertising based on their data.
The report includes a chart of the 18 state consumer privacy laws passed between 2018 and today. As reflected in the chart, all of these laws exempt data subject to the GLBA, and all but California’s exempt institutions subject to the GLBA as well as their affiliates. The CFPB also notes that all of the state laws identified exclude communications made in compliance with the FCRA and its implementing regulations.
CFPB critiques and recommendations
In the report, the CFPB echoes comments it has previously made regarding the existing limitations of the privacy protections – in particular, under the GLBA and its implementing regulation, Regulation P. For example, the CFPB highlights that the GLBA requires financial institutions to inform consumers that they may opt out of having their data shared, rather than requiring such financial institutions to obtain affirmative opt-in consent from consumers (which would be more protective). In addition, the CFPB highlights concerns of the Government Accountability Office that “some financial institutions are abusing Regulation P’s model notice option to mask just how much data they collect on consumers and all the ways they allow that information to be used.”
To fill the gaps it believes are left by the GLBA, the CFPB encourages states to reconsider the relevant exemptions within their privacy laws.
Addressing potential legislative concerns about preemption if GLBA – and also FCRA – exemptions in state privacy laws were pared back, the CFPB says that, in its view, state privacy laws would generally fall outside of applicable federal preemption provisions. Specifically, the CFPB takes the position that the FCRA’s and GLBA’s preemption provisions generally allow for state laws that are not inconsistent and are more protective of consumers. The CFPB also argues that it is unlikely that the state privacy laws would “prevent or significantly interfere with the exercise by national banks of their powers” and, thus, be preempted under the National Bank Act.
Impact on financial institutions
The report is ultimately just that – a report of findings, not legislation, rulemaking or enforcement action. While not binding, the report serves as a strong suggestion to states to consider bringing GLBA entities and FCRA-covered data within the scope of their privacy laws. Notably, the decision to do so, however, rests with state legislatures – across multiple states – that may or may not have the same priorities or appetite to make adjustments to their privacy regimes, just to fill perceived gaps that, alternatively, could be addressed at the federal level.
More broadly, the report underscores the CFPB’s continued focus on ensuring that consumers’ financial data is protected. For example, the CFPB recently issued its long-awaited Section 1033 open banking rule, which is intended to give consumers more access to and control over their financial data. The CFPB also has been vocal about using existing law, such as the FCRA, and amendments to the regulations issued thereunder, to better protect against potential misuses of individuals’ consumer financial data (such as practices by data brokers), as reflected by Director Rohit Chopra’s recent remarks.
In addition, we have seen the CFPB take the position that providing “[i]nadequate security for sensitive consumer information collected, processed, maintained or stored by … [a] company can constitute an unfair practice” under the Consumer Financial Protection Act. Although the report does not mention unfair, deceptive, or abusive acts and practices (UDAAP), this past position suggests that, at least, the current CFPB may not be shy about leveraging its UDAAP authority to ensure consumer financial data is adequately protected.