Rules Navigator

Privacy, digital payments, and the CFPB ain’t dead yet

Image of Financial Protection Bureau director Rohit Chopra.
CPPB director Rohit Chopra. Photo: Kent Nishimura/Getty Images

Julie DiMauro

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Agency invites public to comment on financial surveillance concerns and how to apply existing laws to emerging consumer payment mechanisms.

Before a new presidential administration and Congress alter the Consumer Financial Protection Bureau’s (CFPB’s) leadership and stop the agency’s current agenda in its tracks – or at least change its expansive policy agenda and energetic approach – the consumer watchdog has boldly issued a new rule. And it is asking the public for new comments on the rule, and on research it has conducted in the areas of privacy and unchecked surveillance by emerging technology firms.

The spotlight on privacy right now is interesting.

The CFPB said in its requests for public input that it wants consumers to be able to invoke their rights under federal law, regardless of what payments mechanisms they are using, while also assisting market participants developing these new payment mechanisms to better appreciate how to collect, use, share, and protect consumers’ personal financial data.

Public input sought

First, the consumer watchdog announced it is seeking public input on strengthening privacy protections and preventing harmful surveillance in digital payments, particularly those offered through large technology platforms. The agency is requesting comment on implementing existing financial privacy law and how to address intrusive data collection and personalized pricing.

And, second, the CFPB requested comment on its proposed interpretive rule outlining how the Electronic Fund Transfer Act (EFTA), which provides consumers with protections against errors and fraud, applies to new types of digital payment mechanisms, such as those currently offered through large technology companies and video gaming platforms, as well as stablecoins and other digital currencies that are not widely used today in consumer transactions.

Digital payments

The CFPB pointed out that while most consumer payments are transacted using accounts connected to banks and credit unions, new payment mechanisms have emerged for consumer use, such as digital payments used in video gaming platforms.

Some video game platforms have proprietary currencies that players can use to purchase and sell items and services. And digital payment offerings from Big Tech companies and popular person-to-person payment apps are still new – and are harvesting lots of data from consumers.

In addition, the CFPB said it and the US Treasury Department have undertaken a multi-year effort to determine how existing law applies to stablecoins. Unlike certain crypto assets that are designed to fluctuate in value, stablecoins are typically marketed as being pegged to the value of a sovereign currency, like the US dollar.

Since stablecoins are heavily used today for the purposes of trading and investment, and market participants have suggested consumer use of stablecoins will likely increase in the coming years, regulators have grown increasingly concerned about consumer protections around their use, especially by means the new payment mechanisms noted above.

Request for comment

The CFPB said it seeks public comment to better understand how companies that offer or provide consumer financial products or services collect, use, share, and protect consumers’ personal financial data, including data harvested from consumer payments.

The Request for Information outlines some of the agency’s prior research and monitoring of payment platforms, in which it found that these payment mechanisms collect and use data in excess of what is needed to initiate and complete a transaction.

The report notes that many new state data privacy protections exempt financial institutions and consumer financial data covered by federal law.

The data can be matched with a wide range of other data about a consumer, including their location, social networking, and browsing history and could enable payments companies to facilitate personalized pricing, where a price is based on factors specific to an individual consumer, the CFPB said.

One concerning finding from a Government Accountability Office (GAO) study noted “the consumer opt-out rate is generally low,” and that consumers “may be largely unaware of how fintech apps use their personal information and the privacy risks that such usage poses.” And the GAO noted that the model privacy form widely adopted by the financial industry “may be out of date and may not well-represent the increased and varied ways financial institutions share information compared to when the form was implemented over a decade ago.

The Request for Information seeks comments from companies that offer or provide consumer financial products about the effectiveness (or lack thereof) of existing regulations, including the existing model form, privacy notices, and opt-out mechanisms. The request solicits input on ways to strengthen the existing framework, as well as the types of data the public believes that the CFPB should monitor on a routine basis.

Comments from these types of businesses offering digital payment options must be received by April 11, 2025.

Interpretive Rule on Electronic Fund Transfer Act

In addition, the CFPB has proposed an interpretive rule on how the EFTA and Regulation E could apply to new and emerging digital payment mechanisms.

Among other protections, EFTA gives consumers the right to dispute erroneous or fraudulent transactions. While courts have issued rulings on specific fact patterns, the proposed interpretive rule provides a framework for determining when EFTA’s protections apply to emerging digital payment mechanisms.

The CFPB’s proposed interpretive rule would ensure that consumers can consistently invoke their rights under federal law, while also assisting market participants developing these payment mechanisms.

Comments on the proposed interpretive rule must be received by March 31, 2025.

Other efforts targeting data privacy

The CFPB recently issued a final rule to ensure Big Tech companies and others offering digital funds transfer and payment wallet apps adhere to consumer financial protection laws, including restrictions related to consumer data.

The agency also issued a final rule to give consumers more control over their personal financial data.

Additionally, in December the CFPB released a proposed rule to confirm that federal privacy protections apply to data brokers, reining in the sale of Americans’ sensitive personal and financial information.

A need for more federal protections

In addition to the GAO reports noted above, the CFPB mentions in its announcement that it published a report in November highlighting some state data privacy laws. The agency does so in a rather sobering way to suggest there indeed is a need for more federal protections in the privacy arena.

Specifically, the report notes that many new state data privacy protections exempt financial institutions and consumer financial data covered by federal law, even though states generally have the authority to provide greater protection than federal law.

And a blog post the agency published just days ago directly asks video gamers and parents to comment on the interpretive rule mentioned above and share their experiences in using gaming assets and conducting transactions.

, , , , ,

You may also like