CFPB Asserts That State Consumer Privacy Laws Do Not Sufficiently Protect Consumer Financial Data

Cooley alert
November 19, 2024

The Consumer Financial Protection Bureau (CFPB) published a report on November 12, 2024, examining state and federal privacy protections for consumer financial data.

The report analyzes state and federal privacy laws that have been passed in recent years – many of which exempt data and/or institutions that are subject to the federal Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA). Based on this analysis, the CFPB concludes that states should consider removing or narrowing the GLBA and FCRA exemptions in their privacy laws in order to provide more robust privacy protections over consumer financial data.

Privacy over consumer financial data

The report highlights the importance of privacy in regard to consumer financial data, which the CFPB views as particularly sensitive information. Consumers use technology products more and more to manage their financial data – whether online banking services or mobile payment apps. In the report, the CFPB explains that, in its view, this creates “unprecedented opportunities for companies to collect large quantities of various types of data concerning Americans’ economic lives and behaviors,” necessitating robust privacy protections.

The CFPB also states that, in its view, consumer financial data is increasingly important to financial institutions and technology companies, enabling more effective advertising and product improvement and development. The CFPB is concerned that this demand for consumer financial data “creates new opportunities for scammers and … can enable manipulative business practices.”

US state privacy laws exempt consumer financial data

Against this backdrop, states have increasingly passed privacy laws governing personal data. These laws provide individuals with certain rights over their personal data – such as the right to access, the right to delete and the right to portability of their data (meaning that consumers can easily transfer it) – which the CFPB notes are modeled on the European Union’s General Data Protection Regulation. Some states provide consumers with certain data opt-in and opt-out rights, such as requiring consumers to opt in before a business is allowed to process their sensitive data, or giving consumers the right to opt out of the sale of their data or of receiving targeted advertising based on their data.

The report includes a chart of the 18 state consumer privacy laws passed between 2018 and today. As reflected in the chart, all of these laws exempt data subject to the GLBA, and all but California’s exempt institutions subject to the GLBA as well as their affiliates. The CFPB also notes that all of the state laws identified exclude communications made in compliance with the FCRA and its implementing regulations.

CFPB critiques and recommendations

In the report, the CFPB echoes comments it has previously made regarding the existing limitations of the privacy protections – in particular, under the GLBA and its implementing regulation, Regulation P. For example, the CFPB highlights that the GLBA requires financial institutions to inform consumers that they may opt out of having their data shared, rather than requiring such financial institutions to obtain affirmative opt-in consent from consumers (which would be more protective). In addition, the CFPB highlights concerns of the Government Accountability Office that “some financial institutions are abusing Regulation P’s model notice option to mask just how much data they collect on consumers and all the ways they allow that information to be used.”

To fill the gaps it believes are left by the GLBA, the CFPB encourages states to reconsider the relevant exemptions within their privacy laws.

Addressing potential legislative concerns about preemption if GLBA – and also FCRA – exemptions in state privacy laws were pared back, the CFPB says that, in its view, state privacy laws would generally fall outside of applicable federal preemption provisions. Specifically, the CFPB takes the position that the FCRA’s and GLBA’s preemption provisions generally allow for state laws that are not inconsistent and are more protective of consumers. The CFPB also argues that it is unlikely that the state privacy laws would “prevent or significantly interfere with the exercise by national banks of their powers” and, thus, be preempted under the National Bank Act.

Impact on financial institutions

The report is ultimately just that – a report of findings, not legislation, rulemaking or enforcement action. While not binding, the report serves as a strong suggestion to states to consider bringing GLBA entities and FCRA-covered data within the scope of their privacy laws. The decision to do so, however, rests with state legislatures – across multiple states – that may or may not have the same priorities or appetite to adjust their privacy regimes just to fill perceived gaps that could, alternatively, be addressed at the federal level.

More broadly, the report underscores the CFPB’s continued focus on ensuring that consumers’ financial data is protected. For example, the CFPB recently issued its long-awaited Section 1033 open banking rule, which is intended to give consumers more access to and control over their financial data. The CFPB also has been vocal about using existing law, such as the FCRA, and amendments to the regulations issued thereunder, to better protect against potential misuses of individuals’ consumer financial data (such as practices by data brokers), as reflected by Director Rohit Chopra’s recent remarks.

In addition, we have seen the CFPB take the position that providing “[i]nadequate security for sensitive consumer information collected, processed, maintained or stored by … [a] company can constitute an unfair practice” under the Consumer Financial Protection Act. Although the report does not mention unfair, deceptive, or abusive acts and practices (UDAAP), this past position suggests that, at least, the current CFPB may not be shy about leveraging its UDAAP authority to ensure consumer financial data is adequately protected.
