Numerous states’ deference to federal law regarding consumer personal financial-data protections has left gaps in protections for financial data and financial products and services, according to a report released Tuesday by the Consumer Financial Protection Bureau (CFPB).
The CFPB issued a report that looks at federal and state-level privacy protections for consumers’ financial data. It noted, however, that of the consumer data privacy laws passed in 18 states between January 2018 and July 2024, all have exemptions tied to federal regulations for financial data and financial products and services.
The Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), along with their implementing regulations, largely make up the federal framework for financial data privacy protections. The bureau noted that the GLBA’s current regulatory framework is built around disclosures and opt-out requirements “that may not fully address the challenges posed by modern data surveillance.”
The bureau said that as consumers increasingly rely on digital financial tools such as mobile banking and payment apps, unprecedented opportunities exist for companies to collect large quantities and various types of data concerning Americans’ economic lives and behaviors.
It also noted that the states’ financial data protections often do not include things like the right under state law for consumers to fix or delete incorrect or outdated information, or the requirement that people opt in to – instead of having to opt out of – the collection of especially sensitive data.
In brief, the key points identified by the CFPB analysis include:
- Financial institutions are building new business models around consumer data, increasingly using this data as a source of revenue – including by selling it to third parties. This data may include details about people’s income, expenses, and account balances.
- Existing protections for financial data have limits: There is broad consensus (see second report link below) that existing federal privacy protections for financial information have limitations and may not protect consumers from companies’ novel and increasingly pervasive methods of collecting and monetizing data.
- The new state laws provide new consumer privacy rights: Eighteen states have recently created new protections that give consumers a variety of new rights related to the collection or sharing of their personal data. Under at least some state laws, consumers now have the right to know which data businesses have about them, to correct inaccurate information, to take that data with them to another business, or to request the business delete the information entirely, among other rights.
- State-level data privacy laws exempt companies and data covered by federal rules: All of the major state data privacy laws passed to date exempt financial institutions, financial data, or both if they are already subject to the GLBA or the FCRA.
- State policymakers should assess gaps in existing data privacy laws: Absent action at the federal level, exemptions from state data privacy laws can leave consumers at heightened risk with regard to their financial data.
CFPB Report Details Carveouts for Financial Institutions in State Data Privacy Laws