December 11, 2024

CFPB Report Highlights Gaps in Privacy Protections for Financial Services Consumers; Suggests State Action

Advisory

The Consumer Financial Protection Bureau (CFPB) recently released a report identifying limits in federal privacy protections afforded by the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA). The report strongly encourages state policymakers to consider how consumers are impacted by the FCRA and GLBA exemptions contained in all of the 19 broad state consumer privacy laws1 enacted over the past six years. The report observes that by exempting financial institutions and financial data regulated by the FCRA and GLBA, these state laws fail to provide consumers with the same protections for and rights over their financial data as are provided to most other types of personal data.

Importance of Safeguarding Consumer Financial Privacy in the Digital Age

According to the CFPB report, many consumers may not be aware of the risks posed to them by the rapid increase in business models relying on the monetization of their financial data. The CFPB asserts in the report that digital financial tools have created “unprecedented opportunities” for companies to amass significant quantities of various types of personal financial data. That data includes, among other things, insights into a consumer’s financial transactions, such as details about what they are buying and how much they are spending. The report acknowledges that while access to such data can improve companies’ offerings and assist consumers in finding products and services suited to their needs, it also creates new opportunities for scammers and predatory actors to identify consumers vulnerable to fraud schemes. The report also warns that large-scale data aggregation and certain kinds of algorithmic targeting can result in discriminatory outcomes.

Critiques of Federal Privacy Protections

In the report, the CFPB highlights several specific limitations in federal privacy protections afforded to customers of financial institutions, particularly under the GLBA. The GLBA regulates “financial institutions,” which include banks and a wide variety of nonbank companies engaging in financial activities, with respect to the privacy of consumers’ “nonpublic personal information” (NPI), meaning non-publicly available, individually identifiable information about a consumer received by a financial institution in the course of offering or providing a financial product or service to the consumer. As the CFPB report explains, the GLBA’s protections for NPI are less extensive than the protections afforded for other types of sensitive personal information under the majority of broadly applicable state consumer privacy laws. For example:

  • The GLBA requires that financial institutions inform consumers about how NPI is used and shared and offer them an opportunity to opt out of certain disclosures of that information. The majority of broadly applicable state privacy laws, however, only permit collection of a consumer’s sensitive personal information if the consumer opts in to such collection.
  • Customers of GLBA-regulated financial institutions who do not want their NPI shared with a nonaffiliated third party must “separately inform each financial institution of their desire to opt out, because there is not yet a single reliable mechanism for broadly opting out across all financial institutions.” In contrast, several state privacy laws mandate that companies recognize certain universal opt-out mechanisms, such as browser settings that enable users to signal to websites that they want to opt out of, e.g., having their personal data sold or shared for targeted advertising purposes.
  • According to the Government Accountability Office, some financial institutions that have used the model GLBA consumer notice developed by the federal banking agencies and subsequently approved by the CFPB have been able to obscure how much data they collect on consumers and the specific ways they allow that information to be used. The model notice is a customizable template that, when properly completed by a financial institution and distributed to consumers, satisfies the GLBA’s notice requirements. The model notice is very concise and could even be viewed as cryptic in its required descriptions. In contrast, most of the state privacy laws require regulated businesses to provide notices to consumers with very detailed descriptions of how personal information is collected, used, and shared, making it more difficult for companies subject to those laws to obscure their personal data collection, use, and sharing practices.

Notably, as the report highlights, the California Consumer Privacy Act (CCPA) is the only broadly applicable state privacy law that focuses its GLBA exemption solely on the data protected by the GLBA.2 The other state laws expressly exempt not only activities involving that data but also financial institutions3 regulated by the GLBA. This results, the CFPB report emphasizes, in a lack of robust privacy requirements (such as affording consumers the right to opt-out of targeted advertising, sales of personal data, and certain forms of profiling) for GLBA-regulated institutions (including those engaged in financial activities such as lending, transferring money or securities, financial advisory services, asset management, consumer reporting, debt collection, loan servicing, and various transactional services) as compared to other types of businesses.

The state law exemptions for FCRA-regulated entities extend to all “consumer reporting agencies,” which are entities that, for compensation, regularly compile information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living” that is intended to be furnished to third parties and used for credit, employment, insurance, or certain other purposes, as well as to furnishers and users of such “consumer report” information. The CFPB report notes that these exemptions may leave conduct involving personal financial information unregulated because FCRA’s requirements and restrictions protect the privacy of that information only in limited contexts.

Impact

The CFPB report concludes by prompting states with privacy laws exempting FCRA- and GLBA-regulated institutions to consider “whether they would like to provide the same protections to the financial sector that they are providing consumers in other parts of their economic lives,” by narrowing or eliminating those FCRA and/or GLBA exemptions. In the CFPB’s view, neither FCRA nor GLBA would preempt a state law amendment to this effect, as both federal laws expressly preserve from preemption most state laws that are consistent with, and more privacy protective than, the federal requirements. Although the CFPB report has no binding effect, it may well have a persuasive impact on state legislatures. Financial institutions would do well to treat the CFPB report as a potential trigger for state legislative action seeking to fill the regulatory gaps highlighted in the report.

The CFPB has continued to focus on curbing the monetization of consumer data through a variety of initiatives, including its recent final rule on personal financial data rights (the so-called “open banking” rule) as well as its recent proposed rule amending Regulation V and implementing new interpretations of FCRA. Although the upcoming change in the U.S. presidential administration will result in a turnover in leadership at the CFPB, the popular appeal of these efforts to limit the monetization of consumer data could suggest that the CFPB might not dramatically shift its approach. However, if the CFPB does reverse course, state legislatures and regulators may be eager to fill the resulting regulatory void, and the CFPB report establishes a foundation for those potential efforts.

For more information about the CFPB report, the regulation of consumer financial data, or state or federal privacy laws more generally, please contact any of the authors of this Advisory or your usual Arnold & Porter contact. The firm’s Financial Services and Privacy, Cybersecurity & Data Strategy teams would be pleased to assist with any questions about the agency’s Personal Financial Data Rights rule, or financial regulation more broadly.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. The CFPB’s report discusses 18 of the 19 enacted broad state consumer privacy laws — leaving out Tennessee. It is not clear why the report omitted discussion of Tennessee’s consumer privacy law.

  2. For example, under the CCPA, if a GLBA-regulated financial institution obtains website visitor data using internet cookies, the institution would not be exempt from the CCPA’s requirements related to that information because website visitor data does not qualify for the CCPA’s data-specific GLBA exemption.

  3. Some state laws exempt most, but not all, financial institutions subject to the GLBA. Minnesota’s exemption for financial institutions extends only to a “state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities.” Minn. Stat. § 325O.03(2)(a)(16). This category of exempted institution includes most, but not all, financial institutions subject to the GLBA. Similarly, Oregon’s data privacy law exempts financial institutions as defined by the Oregon Bank Act, and exempts affiliates to those that are “only and directly engaged in financial activities,” a narrower category than all institutions subject to the GLBA. Or. Rev. Stat. § 646A.572(2)(l).