State privacy laws aren't protecting personal financial data, CFPB says

More than a dozen states have recently passed privacy laws, but the rules have granted exemptions for financial companies and data.

Recent laws exempt financial companies or data

New state privacy laws don't do enough to protect personal information used by financial businesses, a federal regulator says.

Eighteen states, including California and Texas, passed privacy laws between Jan. 2018 and July 2024, but all the laws have exemptions for financial companies or data tied to federal legislation, the Consumer Financial Protection Bureau said Tuesday in a report.

"These state laws therefore decline to provide consumers the same rights over their financial data as the states are providing to the consumers who engage with other industries," the CFPB said.

For example, the CFPB said the state laws don't give people the right to fix or delete incorrect information, nor do they require people's agreement before their sensitive data is collected and used for reasons such as advertising.

"Exemptions from state data privacy laws can leave consumers at heightened risk with regard to their financial data," the CFPB said.

The exemptions come through 1999's Gramm-Leach-Bliley Act, legislation on financial data that faces criticism for giving customers only general notice of how financial companies share their information while requiring people to opt out of having their data exchanged with every financial institution they do business with.

The state laws also exempt activity under 1970's Fair Credit Reporting Act, legislation that faces criticism for creating a long, complicated process for correcting errors made by credit-reporting agencies such as Experian and Equifax.

"As consumers increasingly rely on digital financial tools such as mobile banking and payment apps, unprecedented opportunities exist for companies to collect large quantities and various types of data concerning Americans’ economic lives and behaviors," the CFPB said.

What should states do to strengthen privacy for personal financial data?

States should consider narrowing or removing exemptions for financial institutions and data to better protect sensitive personal information, the CFPB said.

"Providing state data privacy protections only for nonfinancial markets effectively leaves consumers more exposed with respect to their sensitive financial data than they are in other areas of their economic life," the CFPB said.

State laws can offer additional protections of financial data within the confines of the federal law, including rights to delete and correct data and to choose whether to opt in before the company processes data for activities such as targeted advertising, the CFPB said.

“Consumers should have meaningful choice and an expectation of privacy about how their financial data is used, but large companies are increasingly harvesting and monetizing this sensitive data in mysterious ways,” said CFPB Director Rohit Chopra. “Given the exemptions in state law when it comes to this personal data, consumers lack fundamental protections for their financial privacy.”