This week, the Consumer Financial Protection Bureau warned that the exemptions from data privacy laws that banks, credit unions and lenders enjoy undermine consumer rights, and suggested that states act.
The report is one of the last the CFPB will issue before Rohit Chopra, the Democrat at the head of the bureau, is almost certainly replaced when President-Elect Donald Trump takes office in January. But the report might spur on some of the roughly 20 states that have data privacy laws, especially California, which made a habit of bucking Trump during his first term in office and has already signaled it will continue to do so.
The CFPB report does not indicate that the bureau will change its enforcement or interpretation of existing law. Even if it had, the next director could reverse such changes. Rather, the report concludes that states have both reason and authority to subject banks to their data privacy laws, and that they should consider doing so.
Legislation introduced in the House of Representatives last year would address some of the concerns raised in the CFPB report released this week, in part by preempting state data privacy laws with a federal version.
However, the bill has not received a full-chamber vote, and Patrick McHenry, the Republican legislator who sponsored the bill and was known as a dealmaker, will not be in Congress next term.
How state exemptions for banks work
States exempt banks from their data privacy laws in two ways. The first is at the entity level. All but one state exempt entities regulated by the Gramm-Leach-Bliley Act, according to the CFPB, meaning banks do not have to comply with these laws for any purpose. Many also exempt affiliates of financial institutions, such as third-party vendors that provide data warehousing services.
The second is at the data level. Rather than exempt all banks and affiliates, one state provides an exemption for “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act,” according to the state’s law.
That one state is California.
The consequence of California's data-level exception is that banks must identify which consumer data they use for marketing and other non-financial functions, record the purpose for its collection, respond to consumer requests for access to or deletion of that data, and meet all the other compliance obligations laid out by the California Privacy Rights Act (CPRA), according to Identity Review, a think tank that focuses on privacy, identity and security.
Where data privacy falls short today, according to the CFPB
According to the CFPB, the Gramm-Leach-Bliley Act (GLBA) has a number of shortcomings that state data privacy law exceptions fail to address. In its press release about the report on the matter, the CFPB called these exemptions “carveouts.”
One example the CFPB report focused on is the opt-out approach the GLBA takes to data sharing: a bank may share a consumer's information with nonaffiliated third parties after giving notice, unless the consumer takes the step of opting out.
“An opt-in approach that prohibits businesses from sharing information until the consumer affirmatively agrees could be more protective of consumers’ sensitive information,” reads the report.
Additionally, while a large majority of consumers (more than 85%, according to a 2021 survey) believe it should be illegal for their bank to give other companies access to their personal data, particularly for marketing purposes, consumer advocates and members of Congress have raised concerns that banks are doing just that.
In its report, the CFPB went so far as to name PayPal and Chase as two examples of financial services companies that have launched advertising platforms for marketers built on the data those companies collect about consumers.
Chase Media Solutions powers “transaction-based marketing campaigns,” according to the bank, which it hopes will help the bank develop more credit and debit card loyalty programs. PayPal leaders have touted the company’s access to transaction data as a key advantage of the company’s advertising platform.
Financial data collected and sold by banks and fintechs — even when marketers do not get direct access to see which consumers bought which products — “can be used to structure more effective ‘dark patterns’ that steer consumers into products they do not want or cannot afford,” according to the CFPB report.
How California regulated banks’ data privacy practices in 2023
The CPRA, California's latest data privacy law, is also known as version 2.0 of the California Consumer Privacy Act (CCPA). The CPRA amended and expanded its predecessor, taking effect at the start of 2023 and bringing with it new compliance burdens for banks, according to Chris Napier, a partner at law firm Mitchell Sandler, and Shelby Schwartz, counsel at the same firm.
Prior to 2023, “fintechs and their partner banks generally needed to consider only the limited pool of personal data collected from California residents in pre-acquisition marketing and communications,” Napier and Schwartz said in a blog post reviewing the changes brought by the CPRA. “Given the low volumes of data and limited consumer interest in these types of data collection, fintechs and partner banks saw relatively low rates of CCPA requests and could rely on manual processes.”
Banks also routinely collect another type of data: personal contact information tied to commercial accounts, meaning the names, phone numbers and sometimes Social Security numbers of business owners and employees at fintechs or other companies the bank works with. The CCPA had temporarily exempted such employee and business-to-business data; under the CPRA, that exemption has lapsed, and this data is now subject to the same rights as other consumer data, with no GLBA exception.
For fintechs and their partner banks, this change “may require these institutions to reevaluate their technology, use of data, onboarding forms and disclosures, and more,” Napier and Schwartz said.
Potential changes in 2025
California lawmakers have not announced any plans to replace the state's data privacy laws, nor to remove the exceptions banks get from them. Additionally, with Republican lawmaker McHenry out of office in the next Congress, his proposed bill to put banks under greater data privacy scrutiny appears likely to die before reaching the House floor.
Nonetheless, more than 15 other states have implemented data privacy laws since California passed the first one in 2018, and others could follow suit — perhaps even heeding the advice of the CFPB to regulate banks’ data privacy practices.