Date: 2024-11-12

The Consumer Financial Protection Bureau (CFPB) published a report today outlining the risks to consumers’ sensitive financial information when states include broad exemptions for financial institutions in their privacy laws.

The report found that all of the state privacy laws exempt either the financial institutions or the data covered by the federal Gramm-Leach-Bliley Act and the communications covered by the federal Fair Credit Reporting Act.

“Exemptions from state data privacy laws can leave consumers at heightened risk with regard to their financial data,” the report found.

By exempting banks, credit unions, and other similar entities, states are leaving some of consumers’ most sensitive information—their financial data—unprotected.

Both GLBA and FCRA were passed decades ago, before the rise of digital banking and other financial services and before the online advertising ecosystem grew into the commercial surveillance machine it is today. The CFPB report also notes the relative weakness of both GLBA and FCRA as privacy laws.

The report cited research finding that consumers are increasingly concerned about the privacy and security of their financial information, including a 2021 study that found that 89% of respondents agreed that it should be illegal for their bank or credit union to give other companies access to personal data about them. However, this practice is already widespread.

“States that have enacted new data privacy laws have created important protections, and—given the limitations in the current federal protections for financial data—States should consider whether removing or narrowing these exemptions is appropriate to ensure that consumer financial data is protected,” the report concluded.

EPIC has long advocated that any exemptions in state privacy laws should be as narrow as possible and that GLBA institutions should not be exempted wholesale. EPIC’s model State Data Privacy Act includes only narrow, data-level exemptions.