EPIC Praises CFPB’s Personal Financial Data Rights Rule, Suggests Improvements

In comments to the Consumer Financial Protection Bureau, EPIC expressed support for the CFPB’s proposed Personal Financial Data Rights Rule and recommended ways to strengthen the rule’s privacy and data security requirements. The proposed rule would ensure that consumers can more readily access their data held by financial institutions while limiting the extent to which authorized third parties can collect, use, retain, and share that same data.

“EPIC urges the CFPB to promulgate rules that will empower consumers in their interactions with the financial services industry,” EPIC wrote. “The final rule should facilitate frictionless access by consumers to their financial information, enable consumers to understand and control who has access to their personal information and for what purposes they may use it, and prohibit third parties from collecting, using, or retaining personal information beyond what is reasonably necessary to provide the product or service requested by the consumer.”

EPIC highlighted ways the proposed rule could be strengthened with respect to data minimization, consumer rights, account verification, data security, and industry standards. In particular, EPIC urged the CFPB to “limit third parties’ collection, use, and retention of sensitive personal information to what is strictly necessary to provide the product or service the consumer requests, and only consistent with the reasonable expectations of the consumer.”

EPIC routinely calls on the CFPB to strengthen privacy protections for consumers. EPIC filed comments at a previous stage of the CFPB’s Personal Financial Data Rights Rulemaking. EPIC also filed comments supporting the CFPB’s proposed revisions to Fair Credit Reporting Act rules, which among other changes would clarify that data brokers must comply with FCRA.