The CFPB wants states to subject banks to data protection laws

This week, the Consumer Financial Protection Bureau warned that exemptions from data protection laws enjoyed by banks, credit unions and lenders are undermining consumers’ rights and suggested that states take action.

The report is one of the last the CFPB will issue before Rohit Chopra, the Democrat who heads the agency, is almost inevitably replaced when President-elect Donald Trump takes office in January. But the report may spur some of the 20 or so states that have data protection laws, notably California, which had a predilection for supporting Trump in his first term and has already acted to continue the trend.

The CFPB report does not indicate that the agency will change its application or interpretation of existing law. Even if it had, those changes could be reversed by the next director. Rather, the report concludes that states have reason and ability to subject banks to data protection laws, and should consider doing so.

Legislation introduced in the House of Representatives last year would address some of the concerns raised in the CFPB report released this week, in part by preempting state data protection laws with a federal version.

However, the bill has not received a vote in the full House, and Patrick McHenry, the Republican lawmaker who sponsored the bill and was known as a dealmaker, will not be in Congress next term.

How government exemptions for banks work

States exempt banks from their data protection laws in two ways. The first is at the entity level. All but one state exempt entities regulated by the Gramm-Leach-Bliley Act, according to the CFPB, meaning banks do not have to comply with those laws for any purpose. Many also exempt subsidiaries of financial institutions, such as third-party vendors that provide data storage services.

The second is at the data level. Instead of exempting all banks and subsidiaries, one state provides an exemption for “personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act,” according to state law.

That one state is California.

The implication of the data-level exception in California is that banks must keep track of what consumer data they use for marketing activities and other non-financial functions, track the purpose of collection, respond to user requests for access to or deletion of data, and meet all other compliance duties under the California Privacy Rights Act (CPRA), according to Identity Review, a think tank that focuses on privacy, identity and security.

Where data integrity is lacking today, according to the CFPB

According to the CFPB, the Gramm-Leach-Bliley Act (GLBA) has a number of flaws that state data protection laws do not address. In its press release regarding the report, the CFPB called these exemptions “carveouts.”

One example the CFPB report focused on is the opt-out method GLBA uses to inform consumers about how the bank uses their data.

“An opt-in approach that prohibits companies from sharing information until the consumer confirms may be more protective of consumers’ sensitive information,” the report said.

In addition, while a large majority of consumers (more than 85%, according to a survey in 2021) believe it should be illegal for their bank to give other companies access to their personal information, especially for marketing purposes, consumer advocates and members of Congress have raised concerns that banks are doing just that.

In its report, the CFPB even went so far as to specifically name PayPal and Chase as two examples of financial services companies that have launched advertising platforms that marketers can use based on the data the companies collect about consumers.

Chase Media Solutions operates “transactional marketing campaigns”, according to the bank, which it hopes will help it develop more credit and debit card loyalty programs. PayPal’s leadership has cited the company’s access to transactional data as a key benefit of its ad platform.

Financial data collected and sold by banks and fintechs — even when marketers don’t get direct access to see which consumers bought which products — “can be used to structure more effective ‘dark patterns’” that steer consumers to products they don’t want or cannot afford, according to the CFPB report.

How California Regulated Banks’ Data Privacy Practices in 2023

The CPRA, California’s newest data privacy law, is also known as version 2.0 of the California Consumer Privacy Act (CCPA). The CPRA replaced its predecessor in early 2023, bringing with it new compliance burdens for banks, according to Chris Napier, a partner at the law firm Mitchell Sandler, and Shelby Schwartz, counsel at the same firm.

“Prior to 2023, fintechs and their partner banks generally only needed to consider the limited amount of personal data collected from California residents in pre-acquisition marketing and communications,” Napier and Schwartz said in a blog post reviewing the changes introduced by the CPRA. “Given the low data volumes and limited consumer interest in these types of data collection, fintechs and partner banks saw relatively low CCPA requests and were able to rely on manual processes.”

However, another common type of data that banks collect is personal contact information related to commercial accounts – names, phone numbers and sometimes Social Security numbers of entrepreneurs and employees of fintechs or companies with which the bank collaborates. Under the CPRA, this data is now subject to the same rights as other consumer data – with no GLBA exception.

For fintechs and their partner banks, this shift “may require these institutions to reevaluate their technology, use of data, onboarding forms and disclosures and more,” Napier and Schwartz said.

Potential changes in 2025

California lawmakers have not announced any plans to replace the state’s data privacy law, or to remove the exemptions banks get from it. Also, with Republican lawmaker McHenry out of office in the next Congress, his proposed bill to put banks under greater data privacy scrutiny appears likely to die before reaching the House floor.

Nonetheless, more than 15 other states have implemented data privacy laws since California passed the first in 2018, and others could follow suit—perhaps even following the advice of the CFPB to regulate banks’ data privacy practices.