Association-anemone


The CFPB wants states to make banks subject to data privacy laws

This week, the Consumer Financial Protection Bureau warned that exemptions from data privacy laws enjoyed by banks, credit unions and lenders undermine consumer rights and suggested that states take action.

The report is one of the last the CFPB will issue before Rohit Chopra, the Democrat who heads the bureau, is almost inevitably replaced when President-elect Donald Trump takes office in January. But the report could boost some of the 20 or so states that have data privacy laws, notably California, which showed an inclination to go against Trump during his first term in office and has already acted to continue the trend.

The CFPB report does not indicate that the bureau will change its application or interpretation of existing law. Even if it did, those changes could be undone by the next director. Rather, the report concludes that states have the reason and the ability to subject banks to data privacy laws and should consider doing so.

Legislation introduced in the House of Representatives last year would address some of the concerns raised in the CFPB report released this week, in part by preempting state data privacy laws with a federal version.

However, the bill did not receive a floor vote, and Patrick McHenry, the Republican legislator who sponsored the bill and was known as a dealmaker, will not be in Congress next term.

How state exemptions work for banks

States exempt banks from their data privacy laws in two ways. The first is at the entity level. All but one state exempt entities regulated by the Gramm-Leach-Bliley Act, according to the CFPB, meaning banks do not have to comply with these laws for any purpose. Many also exempt affiliates of financial institutions, such as third-party vendors that provide data storage services.

The second is at the data level. Instead of exempting all banks and affiliates, one state provides an exemption for “personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act,” according to state law.

That one state is California.

The consequence of California’s data-level exemption is that banks must keep track of consumer data they use for marketing and other non-financial functions, track the purpose of its collection, respond to user requests to access or delete the data, and perform all other compliance duties under the California Privacy Rights Act (CPRA), according to Identity Review, a think tank focusing on privacy, identity and security.

Where data privacy falls short today, according to the CFPB

According to the CFPB, the Gramm-Leach-Bliley Act (GLBA) has a number of deficiencies that state privacy law exceptions do not address. In its press release on the report, the CFPB called these exemptions “carveouts.”

One example the CFPB report focused on is the opt-out approach the GLBA takes to inform consumers about how the bank uses their data.

“An opt-in approach that prohibits companies from sharing information until the consumer affirmatively consents may be more protective of sensitive consumer information,” the report said.

In addition, while the vast majority of consumers (more than 85%, according to a 2021 survey) believe it should be illegal for their bank to give other companies access to their personal data, particularly for marketing purposes, consumer advocates and members of Congress have expressed concern that banks are doing just that.

In its report, the CFPB even went so far as to specifically name PayPal and Chase as two examples of financial services companies that have launched advertising platforms that marketers can use based on data collected by those companies about consumers.

Chase Media Solutions promotes “transaction-based marketing campaigns,” according to the bank, which hopes this will help it develop more credit and debit card loyalty programs. PayPal leaders have promoted the company’s access to transaction data as a key advantage of the company’s advertising platform.

The financial data collected and sold by banks and fintechs — even when marketers don’t have direct access to see which consumers bought which products — “can be used to structure more effective ‘dark models’ that drive consumers to products they don’t want or can’t afford,” according to the CFPB report.

How California Regulated Banks’ Data Privacy Practices in 2023

The CPRA, California’s most recent data privacy law, is also known as version 2.0 of the California Consumer Privacy Act (CCPA). The CPRA replaced its predecessor in early 2023, bringing with it new compliance burdens for banks, according to Chris Napier, partner at law firm Mitchell Sandler, and Shelby Schwartz, counsel at the same firm.

Before 2023, “fintechs and their partner banks generally had to consider only the limited pool of personal data collected from California residents in pre-purchase marketing and communications,” Napier and Schwartz said in a blog post reviewing the changes brought by the CPRA. “Given the low volume of data and limited consumer interest in these types of data collection, fintechs and partner banks experienced relatively low rates of CCPA requests and were able to rely on manual processes.”

However, another common type of data that banks collect is personal contacts related to business accounts: the names, phone numbers, and sometimes social security numbers of business owners and employees at fintechs or companies with which the bank works. Under the CPRA, this data is now subject to the same rights as other consumer data, without the GLBA exception.

For fintechs and partner banks, this shift “may require these institutions to reevaluate their technology, data usage, enrollment forms and disclosures, and more,” Napier and Schwartz said.

Potential changes in 2025

California lawmakers have not announced any plans to replace the state’s data privacy laws or eliminate the exemptions that banks receive. Additionally, with Republican Rep. McHenry out of office in the next Congress, the proposed bill to put banks under greater data privacy oversight appears likely to die before reaching the House floor.

However, more than 15 states have implemented data privacy laws since California passed the first in 2018, and others may follow suit — perhaps even heeding the CFPB’s advice to regulate the data privacy practices of the banks.