Following the Consumer Financial Protection Bureau’s (CFPB) late October finalization of a rule handing control of personal financial data back to consumers, the regulator released a report Tuesday underscoring the complexity of state consumer privacy laws that help or hinder its efforts, given a lack of strong federal consumer financial data protections.
Now that the U.S. presidential election is decided, markets expect a second Trump administration to support regulatory roll-backs across swaths of the U.S. economy, particularly in financial services. It’s difficult not to see the CFPB’s report as an invitation to state regulators, should an advocate for consumer financial protection disappear at the federal level.
As the market for collecting, mining, and selling consumers’ personal financial data matures, the October rule seeks to strengthen consumers’ ability to shop around for financial services by requiring financial institutions, credit card issuers, and other providers to unlock an individual’s financial data and transfer it to another provider at the consumer’s request, for free.
That rule activates Section 1033 of the Consumer Financial Protection Act, a portion of the law that the CFPB has been slow to implement since Congress enacted the CFPA in 2010. At the time October’s rule was finalized, more rules were expected to follow.
Tuesday’s report from the CFPB underscores how financial institutions’ business models “are increasingly focusing on collecting and using large quantities of consumers’ financial data as a source of revenue, including by selling that data to third parties.” Ostensibly, aggregating personal data helps companies retain customers and target new customers more effectively, while tailoring delivery of services and cost structures accordingly.
However, a July 2024 report published by the House Committee on Financial Services found broad consensus that “existing federal privacy protections for financial information have limitations and may not protect consumers from companies’ novel and increasingly pervasive methods of collecting and monetizing data,” the CFPB cited, highlighting gaps in federal privacy laws and newly adopted state laws.
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999 and updated in 2023, for example, “focuses on informing consumers so they can opt out, but an opt-in approach that prohibits businesses from sharing information until the consumer affirmatively agrees could be more protective of consumers’ sensitive information,” the report noted. “When consumers were given notice and a reasonable opportunity to opt out but did not do so, the financial institution and its affiliates can broadly use and share the consumers’ nonpublic personal information without violating the GLBA, so long as they do so consistent with what the financial institution’s privacy policy disclosed.”
Since Jan. 2018, 18 states have passed data privacy laws modeled after the European Union’s General Data Protection Regulation. These laws incorporate three first-of-their-kind data rights for U.S. consumers: the right of access, the right to delete, and the right of portability.
These laws generally govern the “controller” of nonpublic personal information, or “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data,” according to the CFPB. The laws also impose certain obligations on processors, who handle and/or store data, but do not control it.
While these state laws offer a generally higher standard of consumer financial protections, they carry a fatal flaw, according to the consumer watchdog — “every one” of the new state laws includes exemptions for data governed by the federal GLBA, in addition to financial institutions subject to the GLBA. Fifteen states even exempt the affiliates of those financial institutions, as in, those financial institutions’ third-party service providers.
“The GLBA exemptions in these state laws sharply circumscribe the effect of the state laws, and result in providing new protections with respect to data collected by nonfinancial institutions while leaving data collected by financial institutions behind,” the CFPB says, pointing out that exemptions in state laws reach far “beyond just exempting banks” because the term “financial institution” under the GLBA encompasses a wide variety of businesses engaged in lending, transferring money or securities, financial advising, asset management, consumer reporting, debt collection, loan servicing, and transaction services.
With the specter of regulatory roll-backs looming, the CFPB warned that, given “financial institutions’ rapid investment in expanding their own data monetization and absent stronger federal protections, states should consider whether they wish to continue to exempt these activities from the consumer rights and protections their comprehensive state privacy laws provide.”