CFPB examines carveouts in state data privacy laws for financial institutions
The Consumer Financial Protection Bureau recently released a report examining federal and state-level privacy protections for consumers’ financial data.
The regulator said its report noted that protections under federal regulations for financial data have limits. Yet officials pointed out that many new state data privacy protections exempt financial institutions and consumer financial data covered by federal law, even though states generally have authority to go beyond the federal rules.
As a result, the CFPB asserted, privacy protections for financial information in many states now lag behind safeguards in other sectors of the economy.
The bureau compiled the report to explore whether consumer financial data is sufficiently protected, given new business models from banks and other financial institutions that make money from the use of this data, such as by creating advertising or marketing businesses.
Monday’s report describes how states have recently been active in passing consumer data privacy laws, including 18 states that passed new laws between January 2018 and July of this year. These laws give consumers greater control over and access to their data and take steps to reduce the collection of unneeded data. However, these laws all have exemptions tied to federal regulations for financial data and financial products and services.
As consumers increasingly rely on digital financial tools such as mobile banking and payment apps, the bureau said “unprecedented” opportunities exist for companies to collect large quantities and various types of data concerning Americans’ economic lives and behaviors.
“Consumers should have meaningful choice and an expectation of privacy about how their financial data is used, but large companies are increasingly harvesting and monetizing this sensitive data in mysterious ways,” CFPB director Rohit Chopra said in a news release. “Given the exemptions in state law when it comes to this personal data, consumers lack fundamental protections for their financial privacy.”
The bureau’s analysis included in the report found:
—Financial institutions are building new business models around consumer data: Firms in the consumer finance space are increasingly focusing on collecting and using large quantities of consumers’ financial data as a source of revenue, including by selling that data to third parties. This data may include details about people’s income, expenses, and account balances.
—Existing protections for financial data have limits: Consumers place a high value on their financial data and their ability to keep it private. There is broad consensus that existing federal privacy protections for financial information have limitations and may not protect consumers from companies’ novel and increasingly pervasive methods of collecting and monetizing data.
—The new state laws provide new consumer privacy rights: 18 states have recently created new protections that give consumers a variety of new rights related to the collection or sharing of their personal data. Under at least some state laws, consumers now have the right to know which data businesses have about them, to correct inaccurate information, to take that data with them to another business, or to request the business delete the information entirely, among other rights.
—State-level data privacy laws exempt companies and data covered by federal rules: All of the major state data privacy laws passed to date exempt financial institutions, financial data, or both if they are already subject to the GLBA or the FCRA. Consumers in those states will not be able to access the state law privacy rights they have in other areas of their economic life to protect the information collected and/or shared by these exempted institutions.
—State policymakers should assess gaps in existing data privacy laws: Absent action at the federal level, exemptions from state data privacy laws can leave consumers at heightened risk with regard to their financial data. States should consider the importance of ensuring that their citizens are protected in instances where federal law currently has gaps or may be ineffective.
Officials explained the current federal framework for financial data privacy protections consists primarily of the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), along with both laws’ implementing regulations.
The CFPB’s report noted that while states have significant latitude to provide additional data privacy protections, many states exempt the data and financial institutions subject to GLBA or the FCRA from their own data privacy laws.
“This means that such data often is not covered by the new state-law protections, such as the right under state law for consumers to fix or delete incorrect or outdated information, or the requirement that people opt in — instead of having to opt out — of the collection of especially sensitive data,” the bureau said.
In addition to this report, the CFPB said it is taking other steps to address emerging data privacy challenges, including:
—Reviewing how big tech companies adhere to consumer financial protection laws
—Issuing a final rule to give consumers more control over their personal financial data rights
—Developing new rulemaking regarding the application of the FCRA’s privacy protections to data brokers
“The CFPB will also continue our work with Congress and the states to enshrine additional protections of personal financial data into law,” Chopra said.