CFPB report says federal privacy law needs to keep pace with states

The CFPB’s report underscores its commitment to addressing growing data privacy challenges and consumer expectations of how they will be handled by businesses.

Companies are collecting and monetizing larger quantities and various types of data concerning consumers’ economic lives and behaviors, the Consumer Financial Protection Bureau (CFPB) has noted. And this is being done in ways that consumers may not have consented to, without meaningful choice in how the information is used, and often when they don’t know if their data is being adequately protected.

The findings come in a CFPB report analyzing federal and state-level privacy protections for consumer financial data. The report explores whether current safeguards at the federal level, and more specifically at the state level, are adequate, especially as banks and payment apps (and other financial institutions) increasingly profit from consumer data through their advertising and marketing.

While access to this consumer information can improve companies’ offerings and help consumers find the products and services most suited to their needs, it also creates new opportunities for scammers and predatory actors to take advantage of consumers, especially those who are particularly vulnerable, such as by steering them into products they do not want or cannot afford.

Even worse, data may empower companies to generate dark patterns that mislead consumers into approving greater access to even more sensitive information, the report notes.

Current legal framework

The current federal framework for financial data privacy revolves around the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA).

The CFPB’s report contends that the GLBA primarily focuses on disclosures and opt-out options, which may be insufficient for current data surveillance challenges. 

It says that, while states can enact stronger data privacy measures, data and institutions regulated by the GLBA or FCRA are often exempt from state laws. As a result, financial data often lacks newer state-level protections, such as consumers’ rights to correct or delete outdated information or the requirement for opt-in consent for collecting sensitive data – important new rights and protections.

And such exemptions pull numerous businesses outside of the coverage of these new protections, including banks, consumer reporting agencies, debt collectors, payment processors, credit card issuers, mortgage originators and servicers, and payday lenders – a huge array of institutions, many of which may be capturing and monetizing consumer data.

The report recommends that states assess and address gaps in data privacy protections, particularly for financial data, to ensure comprehensive consumer protection.

Newer state laws

All 18 of the state laws enacted to date are modeled after the European Union’s General Data Protection Regulation, the report notes, and they include the following rights:

  • Right of access: Consumers have the right to ask whether a business has collected their nonpublic personal information, and the consumer can generally obtain from the business a description of the categories of the collected information.
  • Right to delete: Consumers can delete the personal information, with some limitations.
  • Right to use (and move) the data: The laws offer data use in a way that enables the consumer to easily hand over the information to another service provider.
  • Right to correct the data: Sixteen of the 18 states, in addition to access and deletion rights, enable consumers to request that a business fix inaccurate information it holds about the consumer.
  • Right to opt in before the business processes sensitive data: Fifteen states require that the consumer opt in before the business is allowed to collect or use “sensitive” data about the consumer.
  • Right to opt out: The right to decline targeted advertising and the online selling of one’s nonpublic personal information.
  • Protection from retaliation when the consumer chooses to exercise the rights listed above.

In addition, most states’ laws encourage businesses to collect only the nonpublic personal information they really need in order to provide the products and services they are offering the consumer.

Author’s note

As noted above, under the GLBA, the term “financial institution” broadly encompasses a wide variety of businesses engaged in financial activities – from lending to consumer reporting to loan servicing to even acting as a service provider for companies engaged in these activities. The GLBA exemptions in state laws sharply circumscribe the effect of such laws and keep a huge swath of businesses free of complying with privacy protections considered essential and even customary today.

The report concludes by saying: “Given financial institutions’ rapid investment in expanding their own data monetization and absent stronger federal protections, states should consider whether they wish to continue to exempt these activities from the consumer rights and protections their comprehensive state privacy laws provide.”

Worth noting: The CFPB’s recent data privacy push includes the issuance of a final rule aimed at giving consumers more control over their personal financial data in October and CFPB Director Rohit Chopra addressing the potential expansion of FCRA to apply to data brokers at a White House data privacy event in April.

And worth repeating: Although Europe and several states (especially California) have stepped into the vacuum to pass robust privacy laws to protect their citizens, these laws are far from enough. An issue as important and borderless as privacy deserves leadership and legal enforcement in the United States at a national level.