On November 12, 2024, the Consumer Financial Protection Bureau (CFPB) released a report examining the carve outs and limitations contained in comprehensive state privacy laws relating to financial institutions.  In an accompanying press release, the CFPB stated that in its assessment, “privacy protections for financial information now lag behind safeguards in other sectors of the economy.”

As the CFPB’s report notes, eighteen states had passed comprehensive privacy laws (nineteen, counting Florida, which has particular thresholds).  However, all of these state privacy laws have some level of carve outs or limitations for financial institutions.  Some state laws have a full entity-level exemption, where financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA) are entirely exempt from the scope of the law.  Under other laws, non-public personal information (NPI) regulated by the GLBA is exempted from the scope of the state privacy law.  State privacy laws also contain exemptions for information regulated by the Fair Credit Reporting Act (FCRA).  Accordingly, financial information processed by financial institutions is, in large part, exempted from state privacy laws.

The CFPB report goes on to describe that the federal laws regulating financial information do not contain the same consumer privacy rights that are contained in state privacy laws—rights such as the right to know what data businesses have about them, to correct inaccurate information, or to request that the business delete the information about them.

Importantly, the report’s conclusion is that state policymakers should assess gaps in existing state privacy laws, and that they should consider whether their consumers are adequately protected under their state laws.  Seen in the context of the recent election, this advice is not surprising.  Indeed, recent CFPB initiatives like the Open Banking Rule—which would afford consumers rights similar to those offered under state privacy laws—could be halted by the new administration through the Congressional Review Act or enjoined by ongoing litigation.  It is therefore expected that the current CFPB leadership would look for ways to secure its achievements through other avenues.

What is notable, however, is how this change would reshape the scope of state privacy laws.  To date, the discussion on financial institution exemptions has centered on entity-level versus data-level exemptions.  No states have adopted comprehensive privacy laws that fully cover NPI that is already regulated by the GLBA.  But, with the report, the CFPB now argues that the GLBA’s general preemption provision would not prohibit such application.  If a state takes the CFPB up on its request, it would mark a radical shift in privacy law—and operational changes—in the financial world.