CFPB Says Exemptions in State Privacy Laws Leave Financial Data Unprotected

The CFPB warned that recently enacted state data privacy laws, that exempt financial institutions from coverage under federal consumer protection law, may leave consumers' information vulnerable.

In its latest Report, the CFPB highlighted how the financial services industry is increasingly developing models that rely on monetizing consumer data. The agency said that financial institutions, including banks and payment processors, are engaging in data-driven advertising and sales, in some cases selling information collected from customers.

In the report, the CFPB focused attention on state data privacy laws intended "to buttress[] existing federal data privacy protections so that consumers are adequately informed and have a meaningful say in how their nonpublic personal information is shared and used." The CFPB raised concerns that these laws often contain broad exemptions for financial institutions from data otherwise regulated under the federal Gramm-Leach-Bliley Act ("GLBA") and the Fair Credit Reporting Act ("FCRA"). 

The CFPB recommended that states consider adjusting their exemptions to better safeguard consumer financial data, in light of the limitations in current federal protections.

In a related statement, CFPB Director Rohit Chopra said the agency: (i) is working to update the regulatory framework on privacy; (ii) is updating the rules implementing the Fair Credit Reporting Act, particularly with respect to data brokers; and (iii) recently finalized the Personal Financial Data Rights Rule, "which gives consumers the right to access and permission their personal financial data." (See related coverage.)