November 12, 2024

CFPB: Report Details Carveouts for Financial Institutions in State Data Privacy Laws

Gaps in consumer protections pose risks as companies increasingly build business models to make money from personal financial data

The Consumer Financial Protection Bureau (CFPB) today released a report examining federal and state-level privacy protections for consumers’ financial data. The report notes that protections under federal regulations for financial data have limits. Yet, many new state data privacy protections exempt financial institutions and consumer financial data covered by federal law, even though states generally have authority to go beyond the federal rules. As a result, in many states, privacy protections for financial information now lag behind safeguards in other sectors of the economy. The report explores whether consumer financial data is sufficiently protected, given new business models from banks and other financial institutions that make money from the use of this data, such as by creating advertising or marketing businesses.

“Consumers should have meaningful choice and an expectation of privacy about how their financial data is used, but large companies are increasingly harvesting and monetizing this sensitive data in mysterious ways,” said CFPB Director Rohit Chopra. “Given the exemptions in state law when it comes to this personal data, consumers lack fundamental protections for their financial privacy.”

Today’s report describes how states have recently been active in passing consumer data privacy laws, including eighteen states that passed new laws between January 2018 and July 2024. These laws give consumers greater control over and access to their data and take steps to reduce the collection of unneeded data. However, these laws all have exemptions tied to federal regulations for financial data and financial products and services. As consumers increasingly rely on digital financial tools such as mobile banking and payment apps, unprecedented opportunities exist for companies to collect large quantities and various types of data concerning Americans’ economic lives and behaviors.

The current federal framework for financial data privacy protections consists primarily of the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), along with both laws’ implementing regulations. The GLBA’s current regulatory framework is built around disclosures and opt-out requirements that may not fully address the challenges posed by modern data surveillance. The CFPB’s report explains that while states have significant latitude to provide additional data privacy protections, many states exempt the data and financial institutions subject to GLBA or the FCRA from their own data privacy laws. This means that such data often is not covered by the new state-law protections, such as the right under state law for consumers to fix or delete incorrect or outdated information, or the requirement that people opt in—instead of having to opt out—of the collection of especially sensitive data.

Specifically, the report’s analysis finds:

In addition to today’s report, the CFPB is taking other steps to address emerging data privacy challenges. This includes reviewing how big tech companies adhere to consumer financial protection laws, issuing a final rule to give consumers more control over their personal financial data rights, and developing new rulemaking regarding the application of the FCRA’s privacy protections to data brokers.

Read the report.

Read Director Chopra’s statement on the report.

Consumers can submit complaints about financial products or services by visiting the CFPB’s website or by calling (855) 411-CFPB (2372).

Employees who believe their company has violated federal consumer financial protection laws are encouraged to send information about what they know to whistleblower@cfpb.gov.
