On November 12, 2024, the CFPB published a report, “State Consumer Privacy Laws and the Monetization of Consumer Financial Data,” which summarizes the state laws that give consumers more control over their data, how these rights complement the protections under federal law, and the gaps in protection that result from state law exemptions for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) or the Fair Credit Reporting Act (FCRA).
According to the report, companies across industries, including financial institutions, are increasingly monetizing consumer data, raising concerns about consumer consent, understanding, and data protection. In response, several states have implemented new consumer privacy laws, providing greater control over personal information beyond existing federal protections. However, these state laws often exempt financial institutions and certain data practices under the Gramm-Leach-Bliley Act and Fair Credit Reporting Act, potentially leaving many businesses—such as banks and debt collectors—outside the scope of these protections.
The CFPB’s analysis found that:
States have recently passed new data privacy laws, but they have all included exemptions for financial institutions and financial data;
State policymakers should assess the tradeoffs associated with exempting financial institutions and financial data from new data privacy laws; and
These protections are important because financial institutions are collecting large quantities of consumer data and building new business models around data monetization, and current federal protections have limits.
The Report can be found here.