On November 12, the CFPB released a report analyzing federal and state-level privacy protections for consumer financial data.

The current federal framework for financial data privacy relies on the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), along with their respective implementing regulations. The report contends that the GLBA primarily focuses on disclosures and opt-out options, which may be insufficient for current data surveillance challenges. The report notes that, while states can enact stronger data privacy measures, data and institutions regulated by GLBA or FCRA are often exempt from state laws. As a result, financial data often lacks new state-level protections, such as consumers’ rights to correct or delete outdated information or the requirement for opt-in consent for collecting sensitive data.

The report explores whether current safeguards are adequate, especially as banks and other financial institutions increasingly profit from consumer data through advertising and marketing. As consumers rely increasingly on digital financial tools such as mobile banking and payment apps, opportunities arise for companies to collect and monetize large quantities and various types of data concerning Americans’ economic lives and behaviors.

Notable points from the report’s analysis include:

  • New Business Models Built Around Consumer Data. Financial institutions are increasingly profiting from consumer data, using details about income, expenses, and account balances as revenue sources, often through selling this data to third parties.
  • Limitations of Existing Financial Data Protections. Current federal protections are limited and may not keep pace with evolving data collection and monetization practices, leaving many consumers’ financial data vulnerable.
  • State Privacy Laws Introduce New Consumer Rights. Eighteen states have recently passed laws that give consumers new privacy rights, including the rights to access data, to know which data businesses have about them, to correct inaccuracies, to data portability, and to deletion.
  • Exemptions for Financial Data in State Laws. Major state data privacy laws exempt financial institutions and data that are already within the scope of federal laws, such as GLBA and FCRA, limiting consumers’ ability to use their state law privacy rights in connection with their financial data.
  • State-level Policy Considerations for Data Privacy Gaps. With limited federal action, states should assess and address gaps in data privacy protections, particularly for financial data, to ensure comprehensive consumer protection.

Putting It Into Practice: The report underscores the CFPB’s commitment to addressing emerging data privacy challenges. The Bureau’s recent data privacy push includes the issuance of a final rule aimed at giving consumers more control over their personal financial data (previously discussed here), and CFPB Director Rohit Chopra addressing the potential expansion of FCRA to apply to data brokers at a White House data privacy event (previously discussed here). Companies handling consumer financial data should continue to monitor this trend, as the data privacy compliance landscape may soon shift.