In the U.S., financial data has long been one of the most well-established categories of sensitive personal information. Before state consumer privacy laws came along, the types of data considered sensitive were determined by data protection norms and precedent reflected through Federal Trade Commission enforcement.
At the FTC, consumer protection attorneys generally deferred to Congress to outline those categories of personal data deserving of special protection. If a type of personal data was given heightened protections in the commercial sector under federal law — almost any federal law — the FTC expected it to be treated with special care across contexts.
Among other enhanced expectations, sensitive data should only be collected after opt-in consent from consumers. This rule was reflected across decades of FTC enforcement as well as guidance like the prescient 2012 report, Protecting Privacy in an Era of Rapid Change.
Financial data has always been on the list of special categories, perhaps because it has been protected the longest. Arguably, the first U.S. privacy law was the original Fair Credit Reporting Act, passed in 1970 to safeguard the handling of financial information by credit reporting agencies.
Despite the longstanding enhanced protections for financial data under U.S. privacy law, state consumer privacy laws do not treat financial data as a form of sensitive personal information.
It is true that California and New Jersey both treat some financial data as sensitive under their comprehensive consumer privacy laws, but the covered data under both laws is most accurately described as financial credentials. The definition in both states requires an account number "in combination with" a password or security code that would allow access to a consumer's financial account.
According to a new staff report from the Consumer Financial Protection Bureau, there are other important gaps in privacy protection for financial data. The gaps in legal limits are particularly troubling to the agency as it sees the rise of data-driven business models among financial institutions, which are increasingly "collecting and using large quantities of consumers' financial data as a source of revenue, including by selling that data to third parties. This data may include details about people's income, expenses, and account balances."
Specifically, the CFPB report zeroes in on state-level exemptions for data and institutions subject to the Gramm-Leach-Bliley Act or the FCRA.
Though federal protections for financial data through the GLBA and FCRA have led to some of the most mature data security and privacy governance programs of any industry, the CFPB report points out some of the ways modern consumer privacy laws go further in providing data rights to consumers than older federal laws comprehended.
The gaps reflected across all state consumer privacy laws include data rights like access, deletion and data portability. The last of these is particularly relevant to the CFPB, which recently finalized its Personal Financial Data Rights rule in an effort to better safeguard portability in the financial sector.
The CFPB also finds other distinguishing characteristics in most modern state privacy laws notable, including opt-in requirements for sensitive data, opt-out rights, protections from retaliation, prompt response times for consumer requests, data minimization obligations and the strengthening of consent requirements.
The report provides a thorough review of state privacy law requirements that would radically increase data protection requirements for financial institutions, if they were not wholly exempted from all such laws except the California Consumer Privacy Act. Affiliates of GLBA-covered financial institutions are also exempted from the majority of state laws.
One gap in the thoroughness of the review: The CFPB inexplicably counts only 18 comprehensive consumer privacy laws, skipping over Tennessee, but the omission doesn’t change the overall accuracy of the report’s findings.
CFPB staff also correctly address how data-level exceptions under every state consumer privacy law wholly exempt GLBA-regulated data: not only do these states not count financial data as sensitive, they also do not require even foundational privacy protections for general personal data when GLBA-covered data is concerned.
The report concludes with an explicit call for state policymakers to reconsider financial exemptions. This paragraph distills the crux of the CFPB’s perspective:
- "The GLBA exemptions in these state laws sharply circumscribe the effect of the state laws, and result in providing new protections with respect to data collected by nonfinancial institutions while leaving data collected by financial institutions behind. These exemptions reach far beyond just exempting banks. Under the GLBA, the term 'financial institution' broadly encompasses a wide variety of businesses engaged in financial activities including lending, transferring money or securities, financial advisory services, asset management, consumer reporting, debt collection, loan servicing, various transactional services, and in many circumstances acting as a service provider for companies engaged in these activities. Given financial institutions’ rapid investment in expanding their own data monetization and absent stronger federal protections, States should consider whether they wish to continue to exempt these activities from the consumer rights and protections their comprehensive state privacy laws provide."
As the incoming presidential administration likely signals a shift in the CFPB's enhanced engagement and oversight of financial privacy matters — including proposed supervision of some tech giants — the staff report shows the agency is willing to engage in policy recommendations when its own regulatory tools fall short.
Whether reported gaps are eventually filled by state or federal lawmakers, creative regulators or evolving standards of practice, one thing is certain: financial data is sensitive and should be treated with care.
Please send feedback, updates and innovative financial ideas to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director in Washington, D.C., for the IAPP.