Garris Horn LLP

CFPB Urges States to Strengthen Privacy Protections for Financial Data

The Consumer Financial Protection Bureau’s (CFPB) recent report highlights a pressing concern: state data privacy laws, while groundbreaking for many industries, often leave financial institutions operating under outdated privacy frameworks.  These gaps result from broad exemptions for entities covered by federal laws such as the Gramm-Leach-Bliley Act (GLBA).  The CFPB contends that these exemptions leave consumers' financial data exposed compared to protections offered in other sectors.

Modern financial institutions hold and monetize vast amounts of consumer data, from transaction histories to web browsing behavior.  While federal laws like the GLBA establish a foundation for privacy protections, they rely heavily on consumer opt-outs and provide significant leeway for institutions to share data with affiliates and third parties.  The CFPB has acknowledged that these protections may no longer suffice in an era dominated by digital interactions and data-driven business models.

State laws have begun addressing consumer privacy through measures like data access, deletion rights, and portability. However, exemptions for financial institutions subject to the GLBA mean these advancements often do not extend to the financial services sector. The CFPB suggests that this disparity could heighten risks for consumers whose financial data is left out of newer privacy protections.

The CFPB's report points out that financial institutions increasingly monetize consumer data, often without consumers' full awareness. These practices expose consumers to risks, including misuse of data and discriminatory outcomes driven by algorithmic targeting. Yet, because state laws carve out financial institutions, consumers lack the same level of control over their financial data that they might have in other contexts.

The CFPB encourages state legislators to reassess these exemptions.  Federal preemption under the GLBA and Fair Credit Reporting Act (FCRA) is not absolute.  States are free to enact laws providing stronger consumer protections than those offered by federal frameworks, as long as they do not conflict with specific federal provisions.

What Companies Should Know

The CFPB’s report underscores the growing expectation for stronger privacy protections in the consumer financial services arena.  For companies in this sector, including mortgage lenders and servicers, the CFPB’s findings are a call to action, as enhanced state privacy protections could be on the horizon.  In response to this push by the CFPB, states may begin to consider expanding their privacy laws to impose new obligations, from enhanced transparency about data usage to restrictions on data-sharing practices.  Companies in this space should monitor legislative developments and assess their privacy policies to ensure alignment with evolving regulatory landscapes.  Firms that proactively address these potential changes by refining their privacy practices may avoid operational disruptions and gain a competitive advantage.

Read the CFPB’s report here.

For questions about this blog, please contact Troy Garris.