
Mondor Festival

News with a Local Lens

CFPB wants states to subject banks to data privacy laws
minsta

This week, the Consumer Financial Protection Bureau warned that exemptions to data privacy laws enjoyed by banks, credit unions and lenders infringe on consumers’ rights and suggested that states take action.

The report is one of the last that the CFPB will release before Rohit Chopra, the Democrat who heads the bureau, is almost inevitably replaced when President-elect Donald Trump takes office in January. But the report could prompt action from some of the roughly 20 states with data privacy laws, including California, which showed a penchant for resisting Trump during his first term and has already acted to continue the trend.

The CFPB report does not indicate that the bureau will change its application or interpretation of existing law. Even if it did, those changes could be altered by the next director. Instead, the report concludes that states have both the reason and the ability to subject banks to data privacy laws, and that they should consider doing so.

Legislation introduced in the House of Representatives last year would address some of the concerns raised in the CFPB report released this week, in part by preempting state data privacy laws with a federal version.

However, the bill did not receive a vote in the full chamber, and Patrick McHenry, the Republican lawmaker who sponsored the bill and was known as a negotiator, will not be in Congress next term.

How State Exemptions Work for Banks

States exempt banks from their data privacy laws in two ways. The first is at the entity level. According to the CFPB, all but one state exempts entities subject to the Gramm-Leach-Bliley Act, meaning that banks are not required to comply with these laws for any purpose. Many also exempt subsidiaries of financial institutions, such as third-party vendors that provide data warehousing services.

The second is at the data level. Rather than exempting all banks and their affiliates, one state provides an exemption for “personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act,” according to state law.

That state is California.

The consequence of the California data exception is that banks must keep track of the consumer data they use for marketing activities and other non-financial functions, track the purpose of its collection, respond to user requests to access or delete data, and complete all other compliance tasks defined by the California Privacy Rights Act (CPRA), according to the Identity Review, a think tank focused on privacy, identity and security.

Where Data Privacy Is Lacking Today, CFPB Says

According to the CFPB, the Gramm-Leach-Bliley Act (GLBA) has a number of loopholes that state data privacy law exceptions fail to address. In its press release on the report, the CFPB called these exemptions “carveouts.”

One example that the CFPB report focused on is the opt-out approach GLBA takes to inform consumers about how the bank uses their data.

“A voluntary approach prohibiting companies from sharing information until the consumer agrees could be more protective of sensitive consumer information,” the report reads.

Furthermore, even though the vast majority of consumers (more than 85%, according to a 2021 survey) believe it should be illegal for their bank to give other companies access to their personal data, including for marketing purposes, consumer advocates and members of Congress have raised concerns about banks doing exactly that.

In its report, the CFPB even went so far as to specifically cite PayPal and Chase as two examples of financial services companies that have launched advertising platforms that marketers can use based on data these companies collect about consumers.

Chase Media Solutions manages “transaction-based marketing campaigns,” according to the bank, which it hopes will help it develop more credit and debit card loyalty programs. PayPal executives have praised the company’s access to transaction data as a key benefit of the company’s advertising platform.

Financial data collected and sold by banks and fintechs — even when marketers don’t have direct access to see which consumers bought which products — “can be used to structure more effective ‘dark models’ that direct consumers towards products they do not want or cannot afford,” according to the CFPB report.

How California Regulated Banks’ Data Privacy Practices in 2023

The CPRA, California’s latest data privacy law, is also known as version 2.0 of the California Consumer Privacy Act (CCPA). The CPRA replaced its predecessor in early 2023, bringing new compliance burdens for banks, according to Chris Napier, a partner at the Mitchell Sandler law firm, and Shelby Schwartz, an attorney at the same firm.

Before 2023, “fintechs and their partner banks were generally required to consider only the limited amount of personal data collected from California residents in pre-acquisition marketing and communications,” Napier and Schwartz said in a blog post reviewing the CPRA’s changes. “Given low data volumes and limited consumer interest in these types of data collection, fintechs and partner banks have seen relatively low CCPA request rates and have been able to rely on manual processes.”

However, another type of data commonly collected by banks is personal contacts related to business accounts: the name, phone number, and sometimes social security number of business owners and employees of fintechs or companies with whom the bank is working. Pursuant to the CPRA, this data is now subject to the same rights as other consumer data – without GLBA exceptions.

For fintechs and their partner banks, this change “could force these institutions to re-evaluate their technology, their use of data, their onboarding forms and disclosures, and much more,” Napier and Schwartz said.

Potential changes in 2025

California lawmakers have not announced any plans to replace the state’s data privacy laws or remove exceptions for banks. Additionally, with Republican lawmaker McHenry leaving office in the next Congress, his bill to subject banks to greater data privacy scrutiny appears likely to die before reaching the House floor.

Nonetheless, more than 15 other states have implemented data privacy laws since California passed the first in 2018, and more may follow suit — perhaps even heeding the CFPB’s guidance to regulate banks’ data privacy practices.