
CFPB Urges States to Fill Gaps in Federal Financial Privacy Statutes

On Nov. 12, 2024, the Consumer Financial Protection Bureau (CFPB) released a report examining federal and state privacy protections for consumers’ financial data. In the report, the CFPB “critiques” the privacy protections available under the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), asserting that the federal framework has “limitations.” The CFPB then urges states to fill in the gaps in the federal framework by, for instance, reconsidering whether their privacy statutes should include exemptions tied to the GLBA or FCRA.

“Consumers should have meaningful choice and an expectation of privacy about how their financial data is used, but large companies are increasingly harvesting and monetizing this sensitive data in mysterious ways,” CFPB Director Rohit Chopra said in a press release the CFPB issued with its report. “Given the exemptions in state law when it comes to this personal data, consumers lack fundamental protections for their financial privacy.”

Director Chopra also issued a separate statement on the report in which he urged states to protect consumers’ financial data. “There is broad consensus that [the GLBA] is inadequate for the modern age, especially as personalized pricing and other surveillance practices spread in our economy,” Chopra said. “Absent action to beef up federal privacy protections, states will need to take further action to guard against intrusive surveillance and improper monetization of our most sensitive personal financial data.”

The CFPB’s Report

As the CFPB explains in its report, Congress acted to protect consumers’ financial data when it passed the FCRA in 1970 and the GLBA in 1999, and each time it subsequently amended those statutes. But according to the CFPB, the FCRA and GLBA have “limitations.” For instance:

  • Opt-out v. Opt-in: While the GLBA provides consumers with the right to opt out of certain types of data sharing, the CFPB asserts that “an opt-in approach that prohibits businesses from sharing information until the consumer affirmatively agrees” would be more protective of consumers’ financial data.
  • Universal Mechanism: While the GLBA provides consumers with the option to “separately inform each financial institution of their desire to opt out,” the CFPB asserts that “a single reliable mechanism for broadly opting out across all financial institutions” would be more protective of consumers’ financial data.
  • Not Sufficiently Restrictive: While the GLBA provides consumers with the right to opt out of certain types of data sharing, it permits a financial institution and its affiliates to “broadly use and share” a consumer’s financial data if a consumer has not exercised that opt-out right.

With those “critiques” stated, the CFPB asserts there is a “broad consensus that existing federal privacy protections for financial information have limitations and may not protect consumers from companies’ novel and increasingly pervasive methods of collecting and monetizing data.”

To address this, rather than urging Congress to act, the CFPB urges states to fill in the gaps in the federal framework. The CFPB notes that a significant number of states have recently passed comprehensive privacy statutes, but that the state statutes generally “exempt financial institutions, financial data, or both if they are already subject to the GLBA or the FCRA.”

According to the CFPB, however, the states that have recently passed comprehensive privacy statutes, and the states that may in the future, should “consider the importance of ensuring that their citizens are protected in instances where federal law currently has gaps or may be ineffective.”

Takeaways

The CFPB’s critiques of the GLBA and the FCRA are only one side of the story. Under Director Chopra, the CFPB wants Congress—and, if not Congress, the states—to regulate the use of consumers’ financial data more aggressively. But the CFPB’s report does not raise—or answer—arguments in favor of the framework Congress created via the GLBA and the FCRA.

Even so, financial institutions should see the CFPB’s report for what it is: an appeal for the states to step in as the Biden administration steps aside. While we do not yet know who will replace Director Chopra under the new administration, the CFPB’s next director will be more business friendly and, accordingly, less inclined to impose onerous regulations on financial institutions. If states heed the guidance from the CFPB’s latest report, they may attempt to fill asserted gaps in the federal privacy statutes by amending existing statutes, enacting new statutes, or—perhaps more likely—pushing the boundaries of existing law to impose new obligations on financial institutions. Indeed, several state governors already have said they are preparing for exactly that sort of effort.