CFPB Report Details Carveouts for Financial Institutions in State Data Privacy Laws

WASHINGTON, D.C. - The Consumer Financial Protection Bureau (CFPB) today released a report examining federal and state-level privacy protections for consumers' financial data. The report notes that protections under federal regulations for financial data have limits. Yet, many new state data privacy protections exempt financial institutions and consumer financial data covered by federal law, even though states generally have authority to go beyond the federal rules. As a result, in many states, privacy protections for financial information now lag behind safeguards in other sectors of the economy. The report explores whether consumer financial data is sufficiently protected, given new business models from banks and other financial institutions that make money from the use of this data, such as by creating advertising or marketing businesses.

"Consumers should have meaningful choice and an expectation of privacy about how their financial data is used, but large companies are increasingly harvesting and monetizing this sensitive data in mysterious ways," said CFPB Director Rohit Chopra. "Given the exemptions in state law when it comes to this personal data, consumers lack fundamental protections for their financial privacy."

Today's report describes how states have recently been active in passing consumer data privacy laws, including eighteen states that passed new laws between January 2018 and July 2024. These laws give consumers greater control over and access to their data and take steps to reduce the collection of unneeded data. However, these laws all have exemptions tied to federal regulations for financial data and financial products and services. As consumers increasingly rely on digital financial tools such as mobile banking and payment apps, unprecedented opportunities exist for companies to collect large quantities and various types of data concerning Americans' economic lives and behaviors.

The current federal framework for financial data privacy protections consists primarily of the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), along with both laws' implementing regulations. The GLBA's current regulatory framework is built around disclosures and opt-out requirements that may not fully address the challenges posed by modern data surveillance. The CFPB's report explains that while states have significant latitude to provide additional data privacy protections, many states exempt the data and financial institutions subject to GLBA or the FCRA from their own data privacy laws. This means that such data often is not covered by the new state-law protections, such as the right under state law for consumers to fix or delete incorrect or outdated information, or the requirement that people opt in-instead of having to opt out-of the collection of especially sensitive data.

Specifically, the report's analysis finds:

• Financial institutions are building new business models around consumer data: Firms in the consumer finance space are increasingly focusing on collecting and using large quantities of consumers' financial data as a source of revenue, including by selling that data to third parties. This data may include details about people's income, expenses, and account balances.
• Existing protections for financial data have limits: Consumers place a high value on their financial data and their ability to keep it private. There is broad consensusthat existing federal privacy protections for financial information have limitations and may not protect consumers from companies' novel and increasingly pervasive methods of collecting and monetizing data.
• The new state laws provide new consumer privacy rights: Eighteen states have recently created new protections that give consumers a variety of new rights related to the collection or sharing of their personal data. Under at least some state laws, consumers now have the right to know which data businesses have about them, to correct inaccurate information, to take that data with them to another business, or to request the business delete the information entirely, among other rights.
• State-level data privacy laws exempt companies and data covered by federal rules: All of the major state data privacy laws passed to date exempt financial institutions, financial data, or both if they are already subject to the GLBA or the FCRA. Consumers in those states will not be able to access the state law privacy rights they have in other areas of their economic life to protect the information collected and/or shared by these exempted institutions.
• State policymakers should assess gaps in existing data privacy laws: Absent action at the federal level, exemptions from state data privacy laws can leave consumers at heightened risk with regard to their financial data. States should consider the importance of ensuring that their citizens are protected in instances where federal law currently has gaps or may be ineffective.

In addition to today's report, the CFPB is taking other steps to address emerging data privacy challenges. This includes reviewing how big tech companies adhere to consumer financial protection laws, issuing a final rule to give consumers more control over their personal financial data rights, and developing new rulemaking regarding the application of the FCRA's privacy protections to data brokers.

Read the report.

Consumers can submit complaints about financial products or services by visiting the CFPB's website or by calling (855) 411-CFPB (2372).

Employees who they believe their company has violated federal consumer financial protection laws are encouraged to send information about what they know to [email protected].