
The CFPB wants states to subject banks to data privacy laws

This week, the Consumer Financial Protection Bureau warned that the exceptions to data privacy laws that banks, credit unions and lenders enjoy undermine consumer rights and suggested states take action.

The report is one of the last the CFPB will release before Rohit Chopra, the Democrat who heads the agency, is almost inevitably replaced when President-elect Donald Trump takes office in January. But the report could galvanize some of the 20 or so states that have data privacy laws, especially California, which showed a preference for criticizing Trump during his first term and has already acted to continue that trend.

The CFPB report does not indicate that the agency will change its enforcement or interpretation of existing law. Even if it did, those changes could be reversed by the next director. Instead, the report concludes that states have both reason and ability to subject banks to data privacy laws and should consider doing so.

Legislation introduced in the House of Representatives last year would address some of the concerns raised in the CFPB report released this week, in part by undermining state data privacy law with a federal version.

However, the bill has not received a vote in the full chamber, and Republican lawmaker Patrick McHenry, who sponsored the bill and was known as a dealmaker, won’t be in Congress next term.

How state exemptions for banks work

States exempt banks from their data privacy laws in two ways. The first is at the entity level. All but one state exempt the entities covered by the Gramm-Leach-Bliley Act, the CFPB said, meaning banks in those states do not have to comply with these laws for any purpose. Many also exempt affiliates of financial institutions, such as third-party vendors that provide data warehousing services.

The second is at the data level. Instead of exempting all banks and branches, one state provides an exemption for “personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act,” according to state law.

That one state is California.

The effect of California’s data-level exception is that banks must keep track of what consumer data they use for marketing activities and other non-financial functions, track the purpose of its collection, respond to user requests to access or delete the data, and meet all other compliance duties set forth in the California Privacy Rights Act (CPRA), according to Identity Assessment, a think tank that focuses on privacy, identity and security.

Where data privacy is falling short today, according to the CFPB

According to the CFPB, the Gramm-Leach-Bliley Act (GLBA) has a number of shortcomings that the data privacy law exceptions fail to address. In its press release on the report, the CFPB called these exemptions “carveouts.”

One example the CFPB report focused on is the opt-out approach the GLBA takes in informing consumers about how the bank uses their data.

“An opt-in approach that prohibits companies from sharing information until consumers consent could better protect consumers’ sensitive information,” the report said.

Furthermore, while a large majority of consumers (more than 85%, according to a 2021 study) believe it should be illegal for their bank to give other companies access to their personal information, especially for marketing purposes, consumer advocates and members of Congress have expressed concern that banks are doing just that.

In its report, the CFPB went so far as to specifically mention PayPal and Chase as two examples of financial services companies that have launched advertising platforms that marketers can use based on the data these companies collect about consumers.

Chase Media Solutions enables “transaction-based marketing campaigns,” according to the bank, which it hopes will help it develop more loyalty programs for credit and debit cards. PayPal leaders have pointed to the company’s access to transaction data as a key benefit of its advertising platform.

Financial data collected and sold by banks and fintechs — even if marketers don’t get direct access to see which consumers bought which products — “can be used to structure more effective ‘dark patterns’ that steer consumers toward products they don’t want or cannot afford,” the CFPB report said.

How California regulated banks’ data privacy practices in 2023

The CPRA, California’s latest data privacy law, is also known as version 2.0 of the California Consumer Privacy Act (CCPA). The CPRA replaced its predecessor in early 2023, creating new compliance burdens for banks, according to Chris Napier, a partner at law firm Mitchell Sandler, and Shelby Schwartz, a consultant at the same firm.

“Before 2023, fintechs and their partner banks were generally only required to consider the limited amount of personal data collected from California residents in pre-acquisition marketing and communications,” Napier and Schwartz said in a blog post discussing the changes made by the CPRA. “Given low data volumes and limited consumer interest in this type of data collection, fintechs and partner banks saw relatively few CCPA requests and had to rely on manual processes.”

Another common type of data that banks collect is personal contacts related to commercial accounts: the name, phone number and sometimes Social Security number of business owners and employees at fintechs or companies the bank works with. Under CPRA, this data is now subject to the same rights as other consumer data – with no GLBA exception.

For fintechs and their partner banks, this change “may require these institutions to reevaluate their technology, use of data, onboarding forms and disclosures, and more,” Napier and Schwartz said.

Potential changes in 2025

California lawmakers have announced no plans to replace state data privacy laws or eliminate the exceptions banks get from them. Moreover, with Republican lawmaker McHenry out of office in the next Congress, his bill to place banks under greater data privacy scrutiny appears likely to die before it reaches the House floor.

Nevertheless, more than fifteen other states have passed data privacy laws since California passed its first law in 2018, and others could follow suit—perhaps even heeding the CFPB’s advice to regulate banks’ data privacy practices.