On November 12, the CFPB released a report examining federal and state consumer financial data privacy protections. The report highlighted how several states have recently enacted new data privacy laws, most of which provided entity-level exemptions for financial institutions, as well as any data subject to the privacy provisions of the GLBA.
The CPFB critiqued the limitations of the GLBA and the FCRA, noting that these laws primarily focus on consumer disclosures and provide opt-out opportunities rather than requiring affirmative consent for data sharing, among other rights granted by some state privacy laws. It also addressed the increasing role of financial institutions in monetizing consumer data, and the GAO’s criticisms regarding financial institutions’ use of the model privacy policy form set forth under Regulation P to “mask just how much data they collect on consumers and all the ways they allow that information to be used, including by firms far removed from the products and services the financial institution provides.”
In assessing recently enacted state laws, which included 18 new statutes between January 2018 and July 2024, the Bureau compared the protections provided by each statute and the federal financial privacy laws. It noted how all 18 state laws included three rights modeled after the EU’s General Data Protection Regulation — right of access, right to delete, and right to data portability — while fewer set forth additional rights. It further described how the California Consumer Privacy Act was “the only one of the eighteen state laws to focus its GLBA exemption solely on the data governed by the GLBA.”
The CFPB suggested that state policymakers reassess the tradeoffs associated with exempting GLBA-covered financial institutions from new data privacy laws.
