CFPB Explores Options for Bringing Digital Payments Providers Under Privacy and Payments Laws

On January 10, 2025, the Consumer Financial Protection Bureau (CFPB) initiated rulemaking processes to examine and create a framework regarding data privacy and consumer protections in the digital payments industry. In a proposed interpretive rule, the CFPB outlined a framework regarding when the Electronic Fund Transfer Act (EFTA) and its implementing Regulation E apply to emerging digital payments systems, such as those offered by large technology companies and video game platforms, including platforms that utilize virtual currencies. The CFPB also requested information from the public to understand the manner in which digital payments companies collect, use, share and protect consumer personal financial data.

Proposed interpretive rule

The CFPB released a proposed interpretive rule that outlines how the EFTA and Regulation E, which provide consumer protections like the right to dispute erroneous or fraudulent transactions and limit consumer liability for unauthorized transfers, would apply to new types of digital payments systems. The proposed framework is intended to address the CFPB’s concern that inconsistent application of the EFTA and Regulation E to different payments mechanisms may make it difficult for consumers to understand their rights related to unauthorized transfers and other errors, along with putting providers, like banks and credit unions that are subject to the EFTA, at a competitive disadvantage. 

The proposed rule interprets the definition of “funds” to include “assets that act or are used like money, in the sense that they are accepted as a medium of exchange, a measure of value, or a means of payment,” which would include “stablecoins, as well as any other similarly-situated fungible assets that either operate as a medium of exchange or as a means of paying for goods or services.” Noting that courts have held that the definition of “funds” is not limited to fiat currency and encompasses other types of assets like bitcoin, the proposal would provide that assets that fluctuate in value are not exempted under Regulation E.

Since the term “funds” as used in Regulation E and the EFTA is quite broad, the CFPB notes that whether the EFTA and Regulation E apply often will depend on whether there is an “account.” Regulation E defines “account” to include “other consumer asset accounts,” and the CFPB proposes a clarification that “accounts” should include “prepaid accounts, and other asset accounts established primarily for a consumer’s individual, family, or household use, that are not checking accounts or savings accounts, but into which funds can be deposited by the consumer or on their behalf and which have features of deposit or savings accounts.” These features would include the ability to pay for goods or services, withdraw funds or obtain cash, or conduct person-to-person (P2P) transfers.

Accordingly, and significantly, the CFPB notes that, depending on the specifics of the arrangement, accounts on video game platforms used to purchase virtual items, virtual currency wallets that can be used to buy goods and services or make P2P transfers, and credit card rewards points accounts that can be used for future purchases could all be considered “accounts” subject to the EFTA and Regulation E.

The CFPB requests comments to the proposed rule by March 31, 2025.

Request for information

The CFPB also issued a request for information on how companies that offer consumer financial products or services collect, use and share financial data – including data from consumer payment transactions. The request for information echoes a prior CFPB report published in November 2024, which we previously covered in this client alert, wherein the CFPB asserted that state consumer privacy laws have impermissibly exempted consumer financial data – namely, data subject to the federal Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act. These exemptions, the CFPB argues, result in weaker privacy protections for consumer financial data, and specifically, consumer payment data, as compared against general consumer personal data that is covered by more stringent state privacy laws. The CFPB indicated it is seeking information based on concerns that digital payments systems often collect, use and share more data than is needed to initiate and complete a transaction, and that such data can be combined with other data sources to create consumer profiles and facilitate personalized pricing. Consumers, the CFPB noted further, often lack information about their rights, including to opt out of these practices.

Among other things, the CFPB is requesting information regarding obstacles to consumers opting out of information sharing and areas to strengthen consumer choice about which of their data is collected and shared. The CFPB also seeks input on the effectiveness of the GLBA’s Regulation P in protecting and promoting consumers’ financial data privacy, specifically with respect to suggested changes to the model privacy notice and opt-out mechanisms.

The CFPB requests comments on or before April 11, 2025.

Looking ahead

These two issuances reflect a continuation of the CFPB’s efforts to address data privacy and consumer protection challenges in the digital payments industry, and to oversee “Big Tech” players. The CFPB recently issued a final rule to ensure large technology companies and digital wallet providers adhere to consumer financial protection laws. As we reported last year, the CFPB also issued its long-awaited implementation of section 1033 of the Dodd-Frank Act, which aims to give consumers more control over their personal financial data. In December 2024, we wrote that the CFPB released a proposed rule that extended federal data privacy protections to data brokers.

While the CFPB has remained active in the final weeks of the Biden administration, it remains to be seen whether the CFPB under the Trump administration will finalize the CFPB-proposed EFTA framework or take further action based on the information received in response to the request for information on consumer privacy.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.