CFPB Report Details Carveouts for Financial Institutions In State Data Privacy Laws

WASHINGTON—The Consumer Financial Protection Bureau has released a report examining federal and state-level privacy protections for consumers’ financial data.

The report notes that protections under federal regulations for financial data have limits. Yet, many new state data privacy protections exempt financial institutions and consumer financial data covered by federal law, even though states generally have authority to go beyond the federal rules, the CFPB said.

“As a result, in many states, privacy protections for financial information now lag behind safeguards in other sectors of the economy. The report explores whether consumer financial data is sufficiently protected, given new business models from banks and other financial institutions that make money from the use of this data, such as by creating advertising or marketing businesses,” the agency said.

“Consumers should have meaningful choice and an expectation of privacy about how their financial data is used, but large companies are increasingly harvesting and monetizing this sensitive data in mysterious ways,” said CFPB Director Rohit Chopra. “Given the exemptions in state law when it comes to this personal data, consumers lack fundamental protections for their financial privacy.”

The report describes how states have recently been active in passing consumer data privacy laws, including eighteen states that passed new laws between January 2018 and July 2024.

“These laws give consumers greater control over and access to their data and take steps to reduce the collection of unneeded data. However, these laws all have exemptions tied to federal regulations for financial data and financial products and services. As consumers increasingly rely on digital financial tools such as mobile banking and payment apps, unprecedented opportunities exist for companies to collect large quantities and various types of data concerning Americans’ economic lives and behaviors,” the CFPB said.

The current federal framework for financial data privacy protections consists primarily of the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), along with both laws’ implementing regulations. The GLBA’s current regulatory framework is built around disclosures and opt-out requirements that may not fully address the challenges posed by modern data surveillance, the CFPB said.

The CFPB’s report explains that while states have significant latitude to provide additional data privacy protections, many states exempt the data and financial institutions subject to GLBA or the FCRA from their own data privacy laws. This means that such data often is not covered by the new state-law protections, such as the right under state law for consumers to fix or delete incorrect or outdated information, or the requirement that people opt in—instead of having to opt out—of the collection of especially sensitive data, the CFPB said.

According to the CFPB, the report finds:

  • Financial institutions are building new business models around consumer data: Firms in the consumer finance space are increasingly focusing on collecting and using large quantities of consumers’ financial data as a source of revenue, including by selling that data to third parties. This data may include details about people’s income, expenses, and account balances.
  • Existing protections for financial data have limits: Consumers place a high value on their financial data and their ability to keep it private. “There is broad consensus that existing federal privacy protections for financial information have limitations and may not protect consumers from companies’ novel and increasingly pervasive methods of collecting and monetizing data,” the CFPB said.
  • The new state laws provide new consumer privacy rights: Eighteen states have recently created new protections that give consumers a variety of new rights related to the collection or sharing of their personal data. Under at least some state laws, consumers now have the right to know which data businesses have about them, to correct inaccurate information, to take that data with them to another business, or to request the business delete the information entirely, among other rights.
  • State-level data privacy laws exempt companies and data covered by federal rules: All of the major state data privacy laws passed to date exempt financial institutions, financial data, or both if they are already subject to the GLBA or the FCRA. Consumers in those states will not be able to access the state law privacy rights they have in other areas of their economic life to protect the information collected and/or shared by these exempted institutions, the CFPB said.
  • State policymakers should assess gaps in existing data privacy laws: Absent action at the federal level, exemptions from state data privacy laws can leave consumers at heightened risk with regard to their financial data. States should consider the importance of ensuring that their citizens are protected in instances where federal law currently has gaps or may be ineffective, the agency said.

Read the report.

Copyright Holder: CUToday.info
Copyright Year: 2026