CFPB wants states to hold banks to data privacy laws

This week, the Consumer Financial Protection Bureau warned that exemptions to data privacy laws enjoyed by banks, credit unions and lenders undermine consumer rights and recommended that states take action.

The report is one of the last the CFPB will release before the bureau's leadership under Democrat Rohit Chopra almost inevitably changes when President-elect Donald Trump takes office in January. But the report could spur action from some of the roughly 20 states with data privacy laws, particularly California, which showed a passion for opposing Trump during his first term in office and has already taken action to continue the trend.

The CFPB report does not indicate that the bureau will change the application or interpretation of existing law. Even if it did, such changes could be undone by the next director. Rather, the report concludes that states have reasonable grounds and ability to subject banks to data privacy laws and should consider doing so.

Legislation introduced in the House of Representatives last year would address some of the concerns raised in this week’s CFPB report, in part by preempting state data privacy laws with a federal version.

But the bill failed to receive a full House vote, and Republican legislator Patrick McHenry, who sponsored the bill and was known as its drafter and a deal maker, will not be in Congress next term.

How do government exemptions work for banks?

States exempt banks from data privacy laws in two ways. The first is at the entity level. According to the CFPB, all but one entity regulated by the Gramm-Leach-Bliley Act is exempt; this means that banks do not have to comply with these laws for any purpose. Many also exempt affiliates of financial institutions, such as third-party vendors that provide data warehouse services.

The second is at the data level. Rather than exempting all banks and affiliates, one state provides an exemption under state law for “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act.”

One of these states is California.

The consequence of the data-level exemption in California is that banks must track what consumer data they use for marketing activities and other non-financial functions, track the purpose for which that data was collected, respond to user requests to access or delete data, and perform all other compliance duties as determined by the California Privacy Rights Act (CPRA), according to Identity Review, a think tank focused on privacy, identity and security.

Data privacy is inadequate today, according to CFPB

According to the CFPB, the Gramm-Leach-Bliley Act (GLBA) has a number of deficiencies that data privacy law exceptions cannot address. In its press release on the issue, the CFPB described these exemptions as “cuts.”

One of the examples the CFPB report focuses on is the opt-out approach GLBA takes when informing consumers about how the bank uses their data.

“An opt-in approach that prohibits businesses from sharing information until the consumer affirmatively agrees may be more protective of consumers’ sensitive information,” the report states.

Additionally, the vast majority of consumers (more than 85%, according to a 2021 survey) believe it should be illegal for banks to give other companies access to their personal data, especially for marketing purposes. Consumer advocates and members of Congress have raised concerns that banks are doing just that.

In its report, the CFPB went so far as to cite PayPal and Chase as examples of two financial services companies that have launched advertising platforms that marketers can use based on data these companies collect about consumers.

Chase Media Solutions powers “transaction-based marketing campaigns,” which the bank hopes will help it develop more credit and debit card loyalty programs. PayPal leaders have touted access to the company’s transaction data as a key advantage of the company’s advertising platform.

Financial data collected and sold by banks and fintechs — even if marketers don’t have direct access to see which consumers are buying which products — “can be used to structure more effective ‘dark patterns’ that direct consumers to products they don’t want or can’t afford,” according to the CFPB report.

How will California regulate banks’ data privacy practices in 2023?

California’s latest data privacy law, CPRA, is also known as version 2.0 of the California Consumer Privacy Act (CCPA). The CPRA replaced its predecessor at the beginning of 2023, imposing new compliance burdens for banks, according to Chris Napier, a partner at law firm Mitchell Sandler, and Shelby Schwartz, counsel at the same firm.

Before 2023, “fintechs and their partner banks were required to consider the limited pool of personal data typically collected from California residents in pre-purchase marketing and communications,” Napier and Schwartz said in a blog post examining the changes brought about by the CPRA. “Given the low volume of data and limited consumer interest in such data collection, fintechs and partner banks have seen relatively low rates of CCPA requests and may rely on manual processes.”

But another common type of data banks collect is personal contacts associated with business accounts (the name, phone number, and sometimes Social Security number of business owners and employees at fintechs or companies the bank works with). Under the CPRA, this data is now subject to the same rights as other consumer data; there are no GLBA exceptions.

For fintechs and partner banks, this change “may require these institutions to re-evaluate their technology, data use, opt-in forms and disclosures, and more,” Napier and Schwartz said.

Possible changes in 2025

California lawmakers have not announced any plans to change the state’s data privacy laws or remove bank exemptions. Additionally, with Republican lawmaker McHenry absent from the next Congress, the bill that would subject banks to greater data privacy scrutiny appears likely to die before reaching the House.

However, more than 15 other states have implemented data privacy laws since California passed the first law in 2018, and others may follow suit — perhaps even heeding the CFPB’s recommendations to regulate banks’ data privacy practices.