U.S. Privacy Regulation: What’s Next for Financial Institutions?

5 minute read | July 11, 2023

The privacy legal and regulatory landscape is changing quickly in the United States – particularly for financial institutions, which hold significant volumes of consumer data and are already subject to a complicated universe of federal and state privacy laws.

More states than ever are passing or considering laws to protect personal information. Federal agencies are crafting regulations. And Congress is once again weighing a U.S. privacy law.

Here’s a look at what’s next in U.S. privacy laws and regulations for financial institutions, fintechs and financial services companies:

1. More States Are Passing Privacy Laws

Momentum has reached an all-time high for state privacy laws, with nearly a third of Americans living in a state that has passed a comprehensive privacy law.

As of July 2023, 10 states have enacted comprehensive privacy laws: California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia. These laws generally require businesses to extend personal data rights to consumers. As a result, individuals in these states will gain more control over how companies access and share their information, and in some states consumers will be able to opt out of the sale or sharing of their information for targeted advertising. The pace of change is accelerating, with legislators proposing privacy bills in more than a dozen other states.

Companies should review their own data and operations in light of the new laws to determine if they impose any new obligations. In particular, financial institutions should evaluate whether these laws apply to them, as many state statutes have broad carve-outs for companies and/or data governed by the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act, and other state and federal privacy laws. Companies that are subject to these state privacy laws should look internally to identify potential enhancements to ensure they comply with these laws.

2. U.S. Regulators Are Drafting Additional Regulations

Privacy regulations are expected from several federal agencies, though in most cases precise timelines have not yet been announced. Below are a few expected regulatory actions of particular interest to financial institutions, fintechs and financial services companies.

  • Financial Institutions May Have to Share More Data With Consumers
    • The Consumer Financial Protection Bureau (CFPB) is in the process of issuing a rule for the long-awaited implementation of Section 1033 of the Dodd-Frank Act.
    • Section 1033 requires financial institutions to give consumers access to transaction data and other information upon request, but does not take effect until the CFPB issues its regulations.
    • The CFPB has taken a number of steps related to Section 1033 implementation, including releasing a request for information, issuing market-monitoring orders, hosting a symposium and publishing a blog post on this topic.
    • In October 2022, the CFPB convened a panel to analyze how new Section 1033 regulations could affect small businesses. As part of this process, the CFPB indicated that its 1033 rule may require covered entities to:
      • Provide “authorization disclosures” to consumers.
      • Make available a wide variety of account creation and transaction data to consumers.
      • Maintain “portals” for consumers and authorized third parties to obtain data.
      • Limit collection of consumer information to what is “reasonably necessary to provide the product or service the consumer has requested.”
  • Data Brokers May Face New Regulations
    • In March 2023, the CFPB launched an inquiry into companies that track and collect information on people’s personal lives.
    • The agency requested information from data brokers as part of potential rulemaking under the Fair Credit Reporting Act.
    • According to the CFPB, “People often have little choice about whether to enter into business relationships with these companies or whether they will be tracked, yet the data these companies collect may nevertheless play a decisive role in significant life decisions, like buying a home or finding a job.”
    • The CFPB said it “wants to understand the full scope and breadth of data brokers and their business practices, their impact on the daily lives of consumers, and whether they are all playing by the same rules.”
    • “Modern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data,” CFPB Director Rohit Chopra said. “Our inquiry will inform whether rules under the Fair Credit Reporting Act reflect these market realities.”
  • Commercial Surveillance Is Getting New Scrutiny From the Federal Trade Commission (FTC)
    • The FTC defines “commercial surveillance” as collecting, analyzing and profiting from information about people.
    • The term encompasses the collection, aggregation, analysis, retention, transfer or monetization of consumer data.
    • In an August 2022 advance notice of proposed rulemaking, the FTC posed 95 questions to companies engaged in commercial surveillance about consumer harm, data security and related topics.
    • The FTC also signaled its concern about how businesses use technology to track consumers online, raising the risk of deception, manipulation and fraud. In particular, the agency is focused on lax data practices and surveillance related to children.

3. Congress Is Considering Revising U.S. Financial Privacy Law

Rep. Patrick McHenry, chair of the House Committee on Financial Services, has introduced the Data Privacy Act of 2023. Although still early in the legislative process, if passed in its current form, the Act would:

  • Revise the GLBA in a way that would have significant impacts on financial institutions, fintechs, service providers and others handling data covered by GLBA.
  • Broaden GLBA’s protections for “consumers” to more closely parallel those currently available to a financial institution’s customers.
  • Expand the definition of a “financial institution” to include data aggregators.

Financial institutions, and anyone handling consumer financial data, should keep a close eye on these developing areas of law. As state and federal laws increasingly affect how companies can leverage consumer data and do business, staying ahead of these developments is going to become a taxing – but essential – requirement to succeed in the market.