In the closing months of the Consumer Financial Protection Bureau (CFPB) under Director Rohit Chopra, the CFPB has continued its efforts to influence how states regulate financial services providers. On November 12, the CFPB published a report that applauded consumer protection rights in new state privacy laws, but also critiqued exemptions in those state laws for financial institutions or data subject to the federal Gramm-Leach-Bliley Act (GLBA) or the federal Fair Credit Reporting Act (FCRA). In the report, the CFPB boldly recommends that “[s]tates should consider whether removing or narrowing these exemptions is appropriate to ensure that consumer financial data is protected.”
The state law privacy report is the latest effort by the CFPB under Director Chopra to influence how states craft their laws or use their authorities to regulate financial services providers.
CFPB report on state consumer privacy laws and the monetization of consumer financial data
In the state privacy law report, the CFPB notes that 18 states have passed new consumer data privacy laws between January 2018 and July 2024. The CFPB describes these state privacy laws as providing several important consumer rights on top of existing federal privacy laws, including, but not limited to, (i) the right of consumers to access the data that a company collects, (ii) the right to ask a company to delete the consumer’s data subject to certain limitations, and (iii) the right to request that a company provide the consumer’s data in a way that a consumer could share the data with other companies.
While the report celebrates these new consumer protections, the CFPB observes that all of the new state privacy laws exempt financial institutions or data under the GLBA or FCRA. The CFPB writes that “perhaps an unintended effect” of these exemptions are that numerous financial services providers fall outside of the coverage of the new protective state privacy laws. The CFPB goes on to critique consumers’ financial data protections under the federal GLBA. For example, the CFPB took aim at the GLBA’s opt out to sharing nonpublic personal information, noting that requiring a consumer to opt in to sharing data would be more protective.
Overall, the CFPB’s report messages that state privacy laws are more protective of consumers data outside of the financial services space because of exemptions excluding financial institutions and data under the GLBA and FCRA from the state laws. The reports ends by calling on state policymakers to assess gaps in their state privacy laws, particularly the GLBA and FCRA exemptions.
Other efforts to influence states’ financial services regulation
Under Director Chopra, the CFPB has published two interpretive rules that aim to clarify states’ abilities to regulate financial services. These interpretive rules focus on state fair credit reporting statutes and states’ federal enforcement authority under the federal Consumer Financial Protection Act (CFPA). By providing more guidance on the scope of states’ authorities, the CFPB appears to be encouraging states to use their authority to act in these areas.
- Interpretive rule on fair credit reporting statutes
In June 2022, the CFPB published an interpretive rule, which focuses on the categories of state laws that the federal FCRA expressly exempts. The CFPB emphasized that the federal FCRA does not preempt all state laws relating to the content or information contained in consumer reports. In fact, the CFPB reads the plain language of the FCRA’s express preemption provisions as narrow and targeted in scope. If the FCRA’s express preemption provisions are narrow, as the CFPB proffers, then states have flexibility to regulate more aspects of credit reporting because federal law would not preempt the state laws.
The CFPB identified some credit reporting areas where the CFPB believes that the federal FCRA should generally not preempt state laws. According to the CFPB, the federal FCRA would not generally preempt state laws prohibiting a consumer reporting agency from including information about a consumer’s eviction, rental arrears, or arrests on a consumer report. According to the CFPB, the FCRA would also not preempt state laws that address the furnishing and reporting of medical debt. We have seen some states, including California, recently pass laws that prohibit consumer reporting agencies from including medical debt in consumer credit reports. The CFPB’s interpretive rule, along with the CFPB’s overall focus on medical debt, may have influenced these recent state law developments.
- Interpretive rule on states’ federal enforcement authority
A month before the fair credit reporting interpretive rule, the CFPB published another interpretive rule that clarifies the scope of states’ authority under Section 1042 of the CFPA. Section 1042 permits states to enforce the federal prohibition on unfair, deceptive, or abusive acts or practices (UDAAP) and certain federal consumer financial laws against financial services providers that are “covered persons” or “service providers.”
In addition to reminding states of this federal enforcement authority, the interpretive rule indicates that states’ federal enforcement authority under Section 1042 is not limited in the same manner as the CFPB’s enforcement authority. The CFPA limits the CFPB’s enforcement authority with respect to certain types of persons such as merchants, retailers, and certain motor vehicle dealers. However, the CFPB reads the CFPA to permit states to use their federal enforcement authority against these persons. The CFPB also reads the CFPA to permit states to bring concurrent enforcement actions with the CFPB against a company. The CFPB’s interpretation of Section 1042 could encourage some state attorneys general and state bank regulators to use this federal authority (in addition to their state law authority) against financial services providers.
What this means to you
The change in presidential administration could bring a change in the director position and a change in priorities at the CFPB. If the CFPB becomes less active under a new administration, states could step in to fill the regulatory or enforcement gap. The recent state privacy law report, the fair credit reporting interpretive rule, and the states’ federal enforcement authority interpretive rule appear to be efforts by the CFPB under Director Chopra to influence how states regulate financial services providers in the future.
Contact us
We routinely advise bank and nonbank clients on strategies to manage the patchwork and burdens of multi-state law compliance, including federal preemption of state laws. We have also helped many clients respond to state enforcement actions by state attorneys general or bank regulators. Please contact Susan Seaman or your Husch Blackwell attorney if you have questions about state law compliance.