CFPB Report – Carveouts for Financial Institutions in State Data Privacy Laws

By Terry Walpole

December 31, 2024

Recently, the Consumer Financial Protection Bureau (CFPB) released the report “State Consumer Privacy Laws and the Monetization of Consumer Financial Data,” which examines the interplay between federal privacy laws like the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) and state-level privacy protections for consumers.

The CFPB’s report explains that while states can provide additional data privacy protections, many states exempt the data and financial institutions subject to the GLBA or the FCRA from their own data privacy laws. As a result, the exempted data is often not covered by the new state-law protections, for example the right under state law for consumers to fix or delete incorrect or outdated information, or the requirement that consumers opt in to, instead of having to opt out of, the collection of especially sensitive data. Of this, CFPB Director Rohit Chopra commented, “[g]iven the exemptions in state law when it comes to this personal data, consumers lack fundamental protections for their financial privacy.”

Moreover, the report examines what might be an unintended outcome of the exemptions: they can pull many businesses outside the coverage of these state laws, including banks, credit unions, debt collectors, payment processors, credit card issuers, mortgage originators and servicers, and payday lenders, many of which, the report states, may be capturing and monetizing consumer data.

Conclusions of the report include:

  • Financial institutions are building new business models around consumer data: Firms in the consumer finance space are increasingly focusing on collecting and using large quantities of consumers’ financial data as a source of revenue, including by selling that data to third parties. This data may include details about people’s income, expenses, and account balances.
  • Existing protections for financial data have limits: Consumers place a high value on their financial data and their ability to keep it private. There is broad consensus that existing federal privacy protections for financial information have limitations and may not protect consumers from companies’ novel and increasingly pervasive methods of collecting and monetizing data.
  • The new state laws provide new consumer privacy rights: Eighteen states have recently created new protections that give consumers a variety of new rights related to the collection or sharing of their personal data (see table below). Under at least some state laws, consumers now have the right to know which data businesses have about them, to correct inaccurate information, to take that data with them to another business, or to request the business delete the information entirely, among other rights.
  • State-level data privacy laws exempt companies and data covered by federal rules: All of the major state data privacy laws passed to date exempt financial institutions, financial data, or both if they are already subject to the GLBA or the FCRA. Consumers in those states will not be able to access the state law privacy rights they have in other areas of their economic life to protect the information collected and/or shared by these exempted institutions.

Absent action to enhance federal privacy protections, the report goes on to encourage state policymakers to consider the importance of ensuring that their citizens are protected in instances where federal law currently has gaps, or may be ineffective, and that they may need to amend privacy laws to adequately protect consumers’ personal financial data.

The CFPB also states that it is taking other steps to address emerging data privacy challenges, including the review of how big tech companies adhere to consumer financial protection laws, issuing a final rule to give consumers more control over their personal financial data rights, and developing new rulemaking regarding the application of the FCRA’s privacy protections to data brokers.

State Privacy Statutes

The report notes that eighteen (18) states passed new privacy statutes between January 2018 and July 2024. Generally, these laws govern the “controller” of nonpublic personal information, which is “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.” The state laws also impose certain obligations on “processors,” who do not control the data but who handle or store it.

As illustrated in the table below, the California Consumer Privacy Act is the only one of the eighteen (18) state laws to focus its GLBA exemption solely on the data governed by the GLBA, with the remaining state laws expressly exempting both the data governed by the GLBA and the financial institutions subject to the GLBA. Also, only five (5) states (CA, CT, NH, TX, and VA) do not extend GLBA exemptions to affiliates of GLBA financial institutions.

State Data Privacy Law Exemptions for GLBA Financial Institutions and Data

An “X” marks each GLBA exemption the state law provides.

| State | Citation | Data Subject to the GLBA | GLBA Financial Institutions | Affiliates of GLBA Financial Institutions |
|-------|----------|--------------------------|-----------------------------|-------------------------------------------|
| CA | Cal. Civ. Code § 1798.145(e) | X | | |
| CO | Colo. Rev. Stat. § 6-1-1304(2)(j)(II), (2)(q) | X | X | X |
| CT | Conn. Gen. Stat. § 42-517(a)(6) | X | X | |
| DE | 6 Del. Code § 12D-103(b)(2), (c)(14) | X | X | X |
| IN | Ind. Code § 24-15-1-1(b)(2) | X | X | X |
| IA | Iowa Code § 715D.2(2) | X | X | X |
| KY | Ky. Rev. Stat. § 367.3613(2)(b) | X | X | X |
| MD | Md. Code, Com. Law § 14-4603(a)(3) | X | X | X |
| MN* | Minn. Stat. § 325O.03(2)(a)(9), (2)(a)(16) | X | X | X |
| MT | Mont. Code § 30-14-2804(1)(e) | X | X | X |
| NE | Neb. Rev. Stat. § 87-1103(2)(b) | X | X | X |
| NH | N.H. Rev. Stat. § 507-H:3(I)(e) | X | X | |
| NJ | N.J. Stat. § 56:8-166.13(b) | X | X | X |
| OR** | Or. Rev. Stat. § 646A.572(2)(k)(A), (2)(l) | X | X | X |
| RI | R.I. Gen. Laws § 6-48.1-10(a) | X | X | X |
| TX | Tex. Bus. & Com. Code § 541.002(b)(2) | X | X | |
| UT | Utah Code § 13-61-102(2)(k) | X | X | X |
| VA | Va. Code § 59.1-576(B) | X | X | |

*Minnesota limits its definition of financial institution to “a state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities.” Minn. Stat. § 325O.03(2)(a)(16).

**Oregon limits its definition of financial institution to those defined by the Oregon Bank Act, and limits affiliates to those who are “only and directly engaged in financial activities.” Or. Rev. Stat. § 646A.572(2)(l).

About the Author

Terry Walpole

Terry Walpole is a veteran Paralegal at SW&M with over 25 years of experience in financial institution law. The firm relies on his keen research skills, wide knowledge base, and continuing education to remain up to date with all laws […]
