On November 12, 2024, the Consumer Financial Protection Bureau (CFPB) published a report on State Consumer Privacy Laws and the Monetization of Consumer Financial Data.

The report highlights that state privacy laws provide new rights and protections on top of existing federal privacy laws. However such laws provide exemptions for financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA) and activity to which the Fair Credit Reporting Act (FCRA) applies, creating unintended effects. Accordingly, the CFPB stated that the exemptions pull numerous businesses outside the coverage of state privacy laws, including banks, consumer reporting agencies, payday lenders, and debt collectors, among others.

Specifically, the CFPB provided that state privacy laws' exemptions do not provide consumers the same rights over their financial data as they have with other industries. The CFPB stipulated that state policymakers should assess the trade-offs associated with exempting financial institutions and financial data from new legislation. Notably, the CFPB alleged that providing state data privacy protection only for non-financial markets effectively leaves consumers more exposed with respect to their sensitive financial data than in other areas.

Therefore, the CFPB noted that states should consider whether removing or narrowing exemptions through legislation including the GLBA or FCRA is appropriate in ensuring consumer financial data is protected.

The CFPB outlined which state privacy laws provide exemptions for:

• data subject to the GLBA;
• GLBA financial institutions; and
• affiliates of GLBA financial institutions.

The CFPB noted that the California Consumer Privacy Act (CCPA) is the only state privacy law to provide a GLBA exemption solely for data governed by the GLBA. According to the CFPB, only California, Connecticut, New Hampshire, Texas, and Virginia do not extend GLBA exemptions to affiliates of GLBA financial institutions.

You can read the press release here and the report here.