Notice 2025-00811

Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
January 15, 2025

Issuing agencies

Consumer Financial Protection Bureau

Abstract

The Consumer Financial Protection Bureau (CFPB) is seeking comments from the public to better understand how companies that offer or provide consumer financial products or services collect, use, share, and protect consumers' personal financial data, such as data harvested from consumer payments. The submissions in response to this request for information will serve to assist the CFPB and policymakers in further understanding the current state of the business practices at these companies and the concerns of consumers as the CFPB exercises its enforcement, supervision, regulatory, and other authorities.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 9 (Wednesday, January 15, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 9 (Wednesday, January 15, 2025)]
[Notices]
[Pages 3804-3808]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-00811]



[[Page 3804]]

=======================================================================
-----------------------------------------------------------------------

CONSUMER FINANCIAL PROTECTION BUREAU

[Docket No.: CFPB-2025-0005]


Request for Information Regarding the Collection, Use, and 
Monetization of Consumer Payment and Other Personal Financial Data

AGENCY: Consumer Financial Protection Bureau.

ACTION: Notice and request for information.

-----------------------------------------------------------------------

SUMMARY: The Consumer Financial Protection Bureau (CFPB) is seeking 
comments from the public to better understand how companies that offer 
or provide consumer financial products or services collect, use, share, 
and protect consumers' personal financial data, such as data harvested 
from consumer payments. The submissions in response to this request for 
information will serve to assist the CFPB and policymakers in further 
understanding the current state of the business practices at these 
companies and the concerns of consumers as the CFPB exercises its 
enforcement, supervision, regulatory, and other authorities.

DATES: Comments must be received on or before April 11, 2025.

ADDRESSES: You may submit comments, identified by Docket No. CFPB-2025-
0005, by any of the following methods:
    <bullet> Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>. 
Follow the instructions for submitting comments.
    <bullet> Email: PrivacyRFI@cfpb.gov. Include the document title and 
Docket No. CFPB-2025-0005 in the subject line of the message.
    <bullet> Mail/Hand Delivery/Courier: Comment Intake, Request for 
Information Regarding Financial Company Consumer Data, Consumer 
Financial Protection Bureau, c/o Legal Division Docket Manager, 1700 G 
Street NW, Washington, DC 20552. Because paper mail in the Washington, 
DC area and at the CFPB is subject to delay, commenters are encouraged 
to submit comments electronically.
    Instructions: The CFPB encourages the early submission of comments. 
All submissions should include the agency name and docket number for 
this request for information. Please note the number of the topic on 
which you are commenting at the top of each response (you do not need 
to address all topics). In general, all comments received will be 
posted without change to <a href="https://www.regulations.gov">https://www.regulations.gov</a>. All comments, 
including attachments and other supporting materials, will become part 
of the public record and subject to public disclosure. Proprietary or 
sensitive personal information, such as account numbers or Social 
Security numbers, or the names of other individuals should not be 
included. Comments will not be edited to remove any identifying or 
contact information or other information that you would ordinarily not 
make public.

FOR FURTHER INFORMATION CONTACT: George Karithanom, Regulatory 
Implementation and Guidance Program Analyst, Office of Regulations, at 
202-435-7700 or at: <a href="https://reginquiries.consumerfinance.gov/">https://reginquiries.consumerfinance.gov/</a>. If you 
require this document in an alternative electronic format, please 
contact CFPB_Accessibility@cfpb.gov.

SUPPLEMENTARY INFORMATION:

I. Background

A. Recent CFPB Efforts on Payment Privacy

    Over the last decade, Americans have increasingly adopted new ways 
to make payments, particularly through digital payment services and 
applications operating adjacent to, but outside of, the traditional 
banking system. Since 2021, the CFPB has conducted extensive research 
into the changing landscape of consumer payments, which included 
information obtained through market monitoring orders issued to large 
technology companies offering digital payment apps. For example, in 
2022, the CFPB published a report about the convergence of payments 
with other commercial activities in the United States and abroad.\1\ 
The report noted some of the types of data captured in these ``super 
apps,'' including apps that are ubiquitous in China. As part of its 
development of the Personal Financial Data Rights Rule required by 
section 1033 of the Consumer Financial Protection Act, the CFPB closely 
studied ways in which financial data can be protected in the context of 
data portability and ``open banking.'' \2\
---------------------------------------------------------------------------

    \1\ CFPB, The Convergence of Payments and Commerce (Aug. 2022), 
<a href="https://files.consumerfinance.gov/f/documents/cfpb_convergence-payments-commerce-implications-consumers_report_2022-08.pdf">https://files.consumerfinance.gov/f/documents/cfpb_convergence-payments-commerce-implications-consumers_report_2022-08.pdf</a>.
    \2\ Required Rulemaking on Personal Financial Data Rights, 89 FR 
90838 (Nov. 18, 2024).
---------------------------------------------------------------------------

    Across these efforts, the CFPB has observed that actual business 
practices show significant deviation from longstanding consumer 
expectations when it comes to the collection, use, and monetization of 
data harvested from payment transactions. Americans may think that 
their financial information is kept private just because it is 
sensitive. However, the CFPB's monitoring of the market suggests that 
companies operating payment systems and apps are able to connect 
payments data with a broad range of other data. The CFPB also notes 
that there have been significant advances in the capabilities of 
physical devices and hardware, giving these companies the technical 
capability to collect biometric information (including certain vital 
signs and the voices of individuals proximate to the primary user), 
geographic location, social networking habits, and more. The 
commingling of this data with personal financial data raises heightened 
concerns about privacy, given the significant value companies derive 
from that data. For example, such information could be used to develop 
dynamic pricing algorithms that tailor prices to a particular 
individual, where the seller is aided by knowledge about the consumer's 
purchase history.

B. The Gramm-Leach-Bliley Act and Regulation P

    In 1999, Congress enacted the Gramm-Leach-Bliley Act (GLBA),\3\ 
which authorized bank holding companies and financial holding companies 
to engage, directly and through their affiliates, in a wide variety of 
``financial activities'' that extended far beyond traditional 
banking.\4\ At the same time, Congress sought to protect consumers by 
imposing restrictions on how financial institutions share the 
information they receive about consumers with nonaffiliated third 
parties. These privacy provisions apply to ``financial 
institution[s],'' which Congress broadly defined to include most 
companies in ``the business of . . . engaging in financial 
activities.'' \5\ For example, banks, credit card issuers, credit 
bureaus, mortgage originators and servicers, student loan servicers, 
debt collectors, and payday lenders generally qualify as financial 
institutions subject to the GLBA.
---------------------------------------------------------------------------

    \3\ Gramm-Leach-Bliley Act, Public Law 106-102, 113 Stat. 1338 
(Nov. 12, 1999).
    \4\ 12 U.S.C. 1843(k).
    \5\ 15 U.S.C. 6809(3).
---------------------------------------------------------------------------

    The privacy provisions of the GLBA protect consumers' ``nonpublic 
personal information''--a term that the GLBA defines broadly.\6\ The 
GLBA limits the extent to which financial institutions can disclose 
nonpublic personal information to nonaffiliated third parties,\7\ and 
also restricts how downstream recipients of such

[[Page 3805]]

consumer data can use or further disclose that data.\8\
---------------------------------------------------------------------------

    \6\ 15 U.S.C. 6802(a)-(b); see also 15 U.S.C. 6809(4) (defining 
``nonpublic personal information''); 12 CFR 1016.3(p)-(q) (defining 
``nonpublic personal information'' and ``personally identifiable 
financial information'').
    \7\ See 15 U.S.C. 6802(b), (e); 12 CFR 1016.13-15.
    \8\ See 15 U.S.C. 6802(c); 12 CFR 1016.11.
---------------------------------------------------------------------------

    Initially, the GLBA gave rulemaking authority to several agencies, 
which then issued regulations to implement the GLBA.\9\ On a few 
occasions, Congress amended the GLBA and the agencies updated their 
regulations in response.\10\ With the passage of the Consumer Financial 
Protection Act (CFPA), Congress amended the GLBA's rulemaking 
provision, granting rulemaking authority for the privacy provisions of 
the GLBA to the CFPB.\11\ The CFPA also gave the CFPB authority to 
enforce the GLBA's privacy provisions, along with other Federal 
regulators.\12\ Additionally, the CFPB has used its authority to 
address unfair or deceptive acts or practices related to the handling 
of consumer data.\13\
---------------------------------------------------------------------------

    \9\ See section 504, Public Law 106-102, 113 Stat. 1439-40; 
e.g., 65 FR 35162 (June 1, 2000) (codified at 12 CFR parts 40, 216, 
332, 573) (final rule implemented by the Office of the Comptroller 
of the Currency, the Federal Reserve System, the Federal Deposit 
Insurance Corporation, and the Office of Thrift Supervision); 65 FR 
33646 (May 24, 2000) (codified at 12 CFR part 313) (final rule 
implemented by the Federal Trade Commission).
    \10\ E.g., section 75001, Public Law 114-94, 129 Stat. 1312, 
1787 (2015); section 728, Public Law 109-351, 120 Stat. 1966, 2003-
04 (2006).
    \11\ See section 1093, Public Law 111-203, 124 Stat. 1376, 2095 
(July 21, 2010). The CFPB does not have rulemaking authority with 
respect to the GLBA's data security standards. See 15 U.S.C. 
6804(a). The Securities and Exchange Commission, Commodity Futures 
Trading Commission, and Federal Trade Commission also have 
rulemaking authority within their respective jurisdictions. See id.
    \12\ See 15 U.S.C. 6805.
    \13\ See, e.g., Consumer Financial Protection Circular 2022-04, 
Insufficient data protection or security for sensitive consumer 
information, <a href="https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/">https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/</a>; Compl., Bureau of Consumer Fin. 
Prot. v. Equifax Inc., No. 1:19-cv-03300-TWT (N.D. Ga. July 22, 
2019), <a href="https://files.consumerfinance.gov/f/documents/cfpb_equifax-inc_complaint_2019-07.pdf">https://files.consumerfinance.gov/f/documents/cfpb_equifax-inc_complaint_2019-07.pdf</a>.
---------------------------------------------------------------------------

    In 2011, the CFPB restated the prior agencies' regulations as 
Regulation P with certain ministerial changes to reflect the CFPB's 
role under the GLBA.\14\ Since then, the CFPB has only modified 
Regulation P twice. As part of a streamlining initiative to reduce the 
burden of regulations it inherited from other agencies, the CFPB 
approved simplifications in the process for providing certain annual 
privacy notices.\15\ Subsequently, in parallel with other agencies, the 
CFPB implemented congressional amendments to the GLBA that adjusted the 
annual notice requirement where certain conditions are met.\16\ In most 
other respects, Regulation P continues to align with the regulations 
the predecessor agencies first issued to implement the GLBA following 
its enactment. For example, the CFPB has not revised the model form the 
predecessor agencies developed in 2009.\17\ Given recent changes in the 
consumer data landscape, the CFPB has determined that it is appropriate 
to gather available evidence to inform how the CFPB uses its 
authorities to address privacy concerns with respect to companies that 
offer or provide consumer financial products or services, including (if 
warranted) any potential updates to Regulation P. The CFPB has 
previously sought information from the public on the consumer data 
practices of data brokers,\18\ and in December 2024 published a 
proposed rule under the Fair Credit Reporting Act that would subject 
many data brokers that sell consumers' sensitive personal and financial 
information to the statute.\19\ This request for information is another 
step in a series of efforts to examine data collection, use, and 
monetization, and to gather information from the public to determine 
whether additional actions are warranted to protect consumer privacy.
---------------------------------------------------------------------------

    \14\ 12 CFR pt. 1016; 76 FR 79025 (Dec. 21, 2011).
    \15\ 79 FR 64057 (Oct. 28, 2014).
    \16\ 83 FR 40945 (Aug. 17, 2018).
    \17\ Model Privacy Form, appendix to part 1016, 12 CFR pt. 1016; 
Final Model Privacy Form Under the Gramm-Leach-Bliley Act, 74 FR 
62890 (Dec. 1, 2009).
    \18\ Request for Information Regarding Data Brokers and Other 
Business Practices Involving the Collection and Sale of Consumer 
Information, 88 FR 16951 (Mar. 21, 2023).
    \19\ Protecting Americans From Harmful Data Broker Practices 
(Regulation V), 89 FR 101402 (Dec. 13, 2024).
---------------------------------------------------------------------------

    A study by the Government Accountability Office (GAO) also 
identified consumers' concerns over the privacy of their data, and the 
potential need for a reassessment of Regulation P and its model 
form.\20\ The GAO observed that ``[f]inancial institutions collect 
extensive amounts of personal information about consumers,'' including 
but not limited to ``the consumer's Social Security number, annual 
income, . . . outstanding debt, . . . account balance, payment history, 
and credit card transactions.'' \21\ Notably, according to the GAO, 
financial institutions may also collect a consumer's social media 
activity and browsing activity ``to compile a customer profile that can 
later be used for marketing purposes.'' \22\ Although there has been an 
``increase in awareness and concern among consumers about their 
privacy,'' ``the consumer opt-out rate is generally low.'' \23\ In 
particular, the GAO indicated that ``[c]onsumers may be largely unaware 
of how fintech apps use their personal information and the privacy 
risks that such usage poses.'' \24\ Although ``the model privacy form 
is voluntary,'' the GAO noted that ``it has been widely adopted within 
the industry.'' \25\ The GAO stated that ``the model form provides 
consumers with limited insight into the specific information that 
[financial institutions] collect and with whom they share it.'' \26\ 
The GAO indicated that ``the continued proliferation of consumer data 
sharing suggests the form may be out of date and may not accurately 
represent the increased and varied ways financial institutions share 
information compared to when the form was implemented over 10 years 
ago.'' \27\ The GAO ultimately concluded its report with a 
recommendation that the CFPB consider updating the model privacy 
forms.\28\ This Request for Information is issued, in part, in response 
to that GAO recommendation.
---------------------------------------------------------------------------

    \20\ U.S. Gov't Accountability Office, Consumer Privacy: Better 
Disclosures Needed on Information Sharing by Banks and Credit Unions 
(Oct. 2020), <a href="https://www.gao.gov/assets/d2136.pdf">https://www.gao.gov/assets/d2136.pdf</a>.
    \21\ Id. at 1, 5.
    \22\ Id. at 11, 13.
    \23\ Id. at 25, 29.
    \24\ Id. at 18.
    \25\ Id. at 23.
    \26\ Id. at 21.
    \27\ Id. at 23.
    \28\ Id. at 37.
---------------------------------------------------------------------------

II. Overview

A. General Expectations From Consumers Regarding Privacy and Data 
Protection

    Consumers place a high value on their financial data and are 
particularly concerned about maintaining the privacy of that data.\29\ 
For example, in a 2021 survey, 89 percent of respondents expressed the 
belief that it should be illegal ``for [their] current bank or credit 
union to give other companies access to personal data about [them] 
unless [consumers tell the bank to provide it],'' and 94 percent of 
respondents stated that they would not like their ``current bank or 
credit union to give other companies access to

[[Page 3806]]

personal data'' so those other companies could ``market products and 
services to [those consumers].'' \30\ Similarly, a 2016 survey 
suggested that Americans are more concerned about the security of their 
financial data than even their medical records.\31\
---------------------------------------------------------------------------

    \29\ See, e.g., Consumer Reports, American Experiences Survey, 
December 2023 Omnibus Results, at 18-19 (Jan. 2024), <a href="https://article.images.consumerreports.org/image/upload/v1704482298/prod/content/dam/surveys/Consumer_Reports_AES_December-2023.pdf">https://article.images.consumerreports.org/image/upload/v1704482298/prod/content/dam/surveys/Consumer_Reports_AES_December-2023.pdf</a> (more 
than 75 percent of respondents said it was ``very important'' to 
them that they know ``exactly which companies can access [their] 
banking data'' and that their permission be required before banking 
data can be shared with another company; while 69 percent felt it 
was ``very important'' to ``limit[ ] the purposes for which banks 
can share [their] banking data, for example, for financial services 
but not for advertising'').
    \30\ Dan Murphy et al., Financial Data: The Consumer 
Perspective, at 10 (June 30, 2021), <a href="https://finhealthnetwork.org/wp-content/uploads/2021/04/Consumer-Data-Rights-Report_FINAL.pdf">https://finhealthnetwork.org/wp-content/uploads/2021/04/Consumer-Data-Rights-Report_FINAL.pdf</a>.
    \31\ Centrify, Consumer Trust Survey, The Corporate Cost of 
Compromised Credentials (2016), <a href="https://web.archive.org/web/20170430003505/https:/www.centrify.com/resources/centrify-2016-thought-leadership-survey/">https://web.archive.org/web/20170430003505/https:/www.centrify.com/resources/centrify-2016-thought-leadership-survey/</a> (while 78 percent of Americans ranked 
``credit card or bank statements'' as their top fear of being 
compromised by hacking or a data breach, only 46 percent ranked 
``health and medical records'' so highly).
---------------------------------------------------------------------------

    At the same time, consumers are also increasingly gravitating 
toward the use of digital tools across their financial lives, from 
accessing banking services via mobile apps to making payments through 
products offered by tech companies.\32\ Mobile banking became much more 
widely adopted as a result of the pandemic, reaching 95 percent of 
consumers age 18-25, 90 percent of consumers under 40, 85 percent of 
consumers in their 40s, and 60 percent of consumers age 56-75.\33\ 
Similarly, the Federal Reserve Bank of Atlanta found that, in 2023, 70 
percent of consumers had made at least one payment via mobile phone or 
tablet, and 72 percent had adopted online or mobile payment services 
such as PayPal, Venmo, or Cash App.\34\ Another survey found that more 
than two-thirds of consumers have linked a financial application to 
their checking account.\35\
---------------------------------------------------------------------------

    \32\ See, e.g., id. at 12; Ron Shevlin, Mobile Banking Adoption 
in the United States Has Skyrocketed (But So Have Fraud Concerns), 
Forbes (July 29, 2021), <a href="https://www.forbes.com/sites/ronshevlin/2021/07/29/mobile-banking-adoption-has-skyrocketed-but-so-have-fraud-concerns-what-can-banks-do/">https://www.forbes.com/sites/ronshevlin/2021/07/29/mobile-banking-adoption-has-skyrocketed-but-so-have-fraud-concerns-what-can-banks-do/</a>.
    \33\ Shevlin, supra.
    \34\ Fed. Res. Bank of Atlanta, Research Data Report, 2023 
Survey and Diary of Consumer Payment Choice, at 4, 7, 16 (June 3, 
2024), <a href="https://www.atlantafed.org/-/media/documents/banking/consumer-payments/survey-diary-consumer-payment-choice/2023/sdcpc_2023_report.pdf">https://www.atlantafed.org/-/media/documents/banking/consumer-payments/survey-diary-consumer-payment-choice/2023/sdcpc_2023_report.pdf</a>.
    \35\ Murphy, supra at 12.
---------------------------------------------------------------------------

    A variety of stakeholders, including consumer advocates and Members 
of Congress, have raised concerns about how information collected by 
companies that offer or provide consumer financial products or services 
is used. These companies are increasingly sharing purportedly 
deidentified individual information with advertisers, and seeking to 
hire from companies experienced in leveraging data.\36\
---------------------------------------------------------------------------

    \36\ See, e.g., Iain Withers & Lawrence White, Dollars in the 
detail; banks pan for gold in `data lakes', Reuters (June 21, 2019), 
<a href="https://www.reuters.com/article/us-banks-data/dollars-in-the-detail-banks-pan-for-gold-in-data-lakes-idUSKCN1TM0JG/">https://www.reuters.com/article/us-banks-data/dollars-in-the-detail-banks-pan-for-gold-in-data-lakes-idUSKCN1TM0JG/</a>.
---------------------------------------------------------------------------

    It is not clear if consumers realize how many financial companies 
are currently undertaking these practices. Consumers may not be aware 
of all the ways that financial companies are collecting their data, or 
that it can be sold. For example, just 20 percent of respondents to a 
2021 survey reported being aware that fintech apps use third-party 
providers to gather consumers' financial data, and only 24 percent knew 
that fintech apps could sell consumers' personal financial data.\37\
---------------------------------------------------------------------------

    \37\ Clearinghouse, 2021 Consumer Survey: Data Privacy and 
Financial App Usage, at 6 (Dec. 2021), <a href="https://www.theclearinghouse.org/-/media/New/TCH/Documents/Data-Privacy/2021-TCH-ConsumerSurveyReport_Final">https://www.theclearinghouse.org/-/media/New/TCH/Documents/Data-Privacy/2021-TCH-ConsumerSurveyReport_Final</a>.
---------------------------------------------------------------------------

B. Observations From the CFPB's Inquiry Into Payment Platforms Operated 
by Big Tech and Other Large Technology Firms

    The CFPB launched an inquiry into payment platforms, issuing orders 
in 2021 and 2023 that sought to collect information on the business 
practices of six technology firms that offer consumer payment products. 
These orders were issued to two financial technology firms (Block and 
PayPal), and four large technology ``Big Tech'' firms whose initial 
product offerings did not involve payments, but eventually entered the 
payments market (Alphabet, Amazon, Apple, and Meta). The CFPB's 
questions related to the firms' respective payment products, and 
included requests for basic information about each data field \38\ each 
firm collected and maintained as a result of consumers' use of these 
products, and how the data is used.
---------------------------------------------------------------------------

    \38\ A data field or data element, at a high level, is the name 
of the data type being collected, similar to the name of a column in 
a spreadsheet. More formally, a data field or data element can be 
defined as, ``[a] basic unit of information that has a unique 
meaning and subcategories (data items) of distinct value. Examples 
of data elements include gender, race, and geographic location.'' 
Data Element, NIST Computer Security Resource Center (last visited 
Jan. 7, 2025), <a href="https://csrc.nist.gov/glossary/term/data_element">https://csrc.nist.gov/glossary/term/data_element</a>.
---------------------------------------------------------------------------

    Preliminary findings from these inquiries identified potential 
risks to consumers. First, these firms collect an immense amount of 
data through their payment products, including data that goes far 
beyond what is necessary to facilitate a transaction. Specifically, it 
is common for these payment products to collect and maintain over one 
thousand data fields, and one of the products collects tens of 
thousands of data fields. This data and the predictions derived from it 
can be quite invasive. For example, the companies' data fields include 
items that appear to:
    (1) Predict a consumer's income, wealth, and propensity to spend 
money or engage in a transaction;
    (2) Estimate a consumer's likelihood of contacting customer 
service, and apparently use that prediction to prioritize access to a 
live customer service agent;
    (3) ``Fingerprint'' a consumer's device (e.g., using details like 
phone carrier and model number to identify a specific phone) and what 
the consumer does on their device (e.g., identifying the name of a 
consumer's primary social media platform and screen recording a 
consumer's interaction on the company's app or website);
    (4) Use access to a consumer's contacts to collect not just the 
name and phone number or email address of each contact, but also 
potentially capture all details contained in the contact such as their 
birthday, and even the exchangeable image file format, or EXIF, 
metadata associated with a contact's picture thumbnail, which can 
include geolocation data; and
    (5) Collect not just the vendor and transaction amount, but the 
stock keeping unit, or SKU, of what was purchased--i.e., the actual 
item purchased.
    Regardless of the stated purpose for such immense data collection, 
the firms' access to this data may lead them to use this information 
for other purposes in the future as the incentives or opportunities to 
monetize it evolve.
    Even to the extent that privacy policies make commitments about 
data collection and use, the policies may still present challenges for 
consumers. First, many companies frequently update their privacy 
policies, and consumers may find it burdensome to stay abreast of and 
understand the implications of such changes. Second, consumers may have 
grown reliant on or feel ``locked into'' a product or service. Such 
consumers may therefore feel compelled to accept changes that they 
would not have agreed to when they initially began using the product or 
service. Third, some companies cross-reference ``general'' and other 
privacy policies within their product-specific policies, requiring 
consumers to stitch together a network of documents that makes it more 
difficult for consumers to form a complete understanding of how their 
data is being collected and used.
    Finally, several of the firms' data governance practices appear to 
be so deficient that they were unable or unwilling to provide basic 
information about much of the sensitive consumer data they collect and 
maintain, such as the name of the data fields and a description of what 
data they capture.

[[Page 3807]]

These companies, for example, generally lack systemic documentation of 
the immense consumer data they collect and maintain, and how they use 
this data. These data governance deficiencies raise substantial 
questions regarding the firms' ability to meaningfully protect 
consumers' sensitive data.

C. Critiques of Regulation P

    Meanwhile, scholars and others have noted that Regulation P has 
limits. Since Regulation P envisions that financial institutions might 
combine required disclosures with other information, there may be an 
``incentive for sellers to bury the disclosures in other consumer 
correspondence,'' \39\ even though the regulation requires privacy 
notices to be clear and conspicuous.\40\ Research suggests consumers 
often do not understand how companies will use their behavioral or 
transactional data, even when consumers have purportedly consented to 
such use.\41\ Some scholars propose placing affirmative duties on the 
companies that consumers trust with their data.\42\ Others even propose 
moving away from the ``notice and choice'' approach of the GLBA 
altogether.\43\
---------------------------------------------------------------------------

    \39\ E.g., Kent H. Barnett, Some Kind of Hearing Officer, 94 
Wash. L. Rev. 515, 570 n.237 (2019) (citing 12 CFR 
1016.3(b)(2)(ii)(E)).
    \40\ See 12 CFR 1016.4(a), 1016.5(a)(1), 1016.8(a)(1).
    \41\ See Ramy El-Dardiry et al., Brave New Data: Policy Pathways 
for the Data Economy in an Imperfect World, CPB Netherlands Bureau 
for Econ. Policy Analysis, at 10 (July 2021), <a href="https://www.cpb.nl/sites/default/files/omnidownload/CPB-uk-Policy-Brief-Brave-new-data.pdf">https://www.cpb.nl/sites/default/files/omnidownload/CPB-uk-Policy-Brief-Brave-new-data.pdf</a> (``Consumers cannot see what companies are doing with their 
data, nor can they read all of the data terms of use or oversee the 
consequences.'').
    \42\ E.g., Bryce Clayton Newell et al., Regulating the Data 
Market: The Material Scope of American Consumer Data Privacy Law, 45 
U. Pa. J. Int'l L. 1055, 1140 & n.493 (2024) (collecting 
publications discussing possible fiduciary duties); Neil Richards & 
Woodrow Hartzog, A Duty of Loyalty for Privacy Law, 99 Wash. Univ. 
L. Rev. 961 (2021) (describing a potential duty of loyalty).
    \43\ E.g., John A. Rothchild, Against Notice and Choice: The 
Manifest Failure of the Proceduralist Paradigm to Protect Privacy 
Online (or Anywhere Else), 66 Cleveland State L. Rev. 559 (2018); 
Daniel J. Solove & Woodrow Hartzog, Kafka in the Age of AI and the 
Futility of Privacy as Control, 104 Boston Univ. L. Rev. 1021 
(2024).
---------------------------------------------------------------------------

    While observers have documented the increasing role of financial 
companies in amassing, processing, and selling consumer data, there is 
still relatively limited public understanding of the data-related 
operations of companies that offer or provide consumer financial 
products and services, and the costs and benefits and larger societal 
impact of those operations. Further, additional, more recent, or 
broader studies, surveys, and research beyond those summarized above 
could help to ensure the CFPB is fully informed about companies' 
current practices and consumers' preferences as the CFPB exercises its 
authorities.

III. Request for Information

    This request for information seeks comments from the public on how 
companies that offer or provide consumer financial products or services 
collect, use, process, transmit, share, store, aggregate, sell, or 
otherwise generate insights from or act upon consumer data, as well as 
potential proposals to revise or reform Regulation P. The CFPB is 
particularly interested in hearing from individuals, social services 
organizations, consumer rights and advocacy organizations, legal aid 
attorneys, academics and researchers, small businesses, financial 
institutions, and State and local government officials.
    The CFPB welcomes stakeholders to submit data and information about 
the ways companies that offer or provide consumer financial products or 
services collect, use, and share consumer data, including those 
companies subject to the GLBA and Regulation P. To assist commenters in 
developing responses, the CFPB has crafted the below questions that 
commenters may answer. However, the CFPB is interested in receiving any 
comments relating to the consumer data that financial companies 
collect.
Public Inquiries
    1. Are there studies, surveys, research, or other evidence about 
the incentives for companies to collect more data than is necessary to 
provide the consumer financial product or service, including to 
complete a transaction or payment?
    2. Are there studies, surveys, research, or other evidence about 
the effectiveness of Regulation P?
    3. Are there studies, surveys, research, or other evidence about 
the effectiveness of the privacy policy notices and opt-out notices 
that financial companies provide consumers?
    a. How effective is the Regulation P model form \44\ in informing 
consumers about privacy policies, and enabling easy comparisons among 
different financial institutions? Are there any shortcomings of the 
model form in this regard?
---------------------------------------------------------------------------

    \44\ See Model Privacy Form, appendix to part 1016, 12 CFR pt. 
1016.
---------------------------------------------------------------------------

    b. How effective are the Regulation P opt-out notices \45\ in 
describing how consumers can limit the sharing of their information, 
and explaining how consumers can exercise any opt-out rights they have 
at a particular company?
---------------------------------------------------------------------------

    \45\ See 12 CFR 1016.7.
---------------------------------------------------------------------------

    c. Considering the privacy and opt-out notices required under 
Regulation P, how could companies more clearly explain what information 
they share with whom, and the choices consumers have to limit that 
sharing?
    d. What tools do regulators need or what actions can regulators 
take to ensure that financial companies are transparent in how they 
process, protect, and disclose data about consumers?
    e. How prevalent are retroactive changes to privacy policies that 
implicate previously collected data, i.e., changes that purport to 
apply to previously collected data?
    f. How could companies more clearly explain changes in the scope of 
the data they collect, how it will be used, and what (if any) 
limitations are placed on future use of that data?
    4. Would it be beneficial to separate the privacy notice required 
by Regulation P from the opt-out notice required by Regulation P?
    5. With respect to providing consumers the opportunity to limit 
sharing, what proportion of consumers in fact opt out?
    a. What statistical analyses, surveys, studies, or other reports 
have sought to quantify the proportion of consumers who opt out?
    b. What analyses, surveys, studies, or other reports have examined 
why consumers opt out?
    c. What studies, research, or other sources of recommendations have 
proposed ways to make the opt-out process easier to use?
    6. Are there circumstances in which companies share nonpublic 
personal information with nonaffiliated third parties before consumers 
have a reasonable opportunity to opt out of the disclosure?
    7. What restrictions, conditions, obstacles, website/app designs, 
or dark patterns do companies place in the way of consumers who wish to 
opt out of information sharing?
    a. Are there acts or practices that unreasonably impede consumers 
from exercising the opt-out right the GLBA and Regulation P provide?
    b. What barriers, if any, impede consumers who wish to opt out from 
directing a company not to disclose the consumers' nonpublic personal 
information?
    c. If a company is unable to determine how it uses or shares data, 
how would the company be able to accurately describe the categories of 
consumer data it shares with which categories of

[[Page 3808]]

nonaffiliated third parties in an opt-out disclosure?
    8. What are the current shortcomings, if any, of Regulation P in 
protecting consumers' personally identifiable financial information?
    9. What questions do financial companies' data collection and use 
practices raise regarding compliance with the prohibition against 
unfair, deceptive, and abusive \46\ acts and practices under the 
Consumer Financial Protection Act?
---------------------------------------------------------------------------

    \46\ An abusive act or practice: (1) materially interferes with 
the ability of a consumer to understand a term or condition of a 
consumer financial product or service; or (2) takes unreasonable 
advantage of:
    --a lack of understanding on the part of the consumer of the 
material risks, costs, or conditions of the product or service;
    --the inability of the consumer to protect the interests of the 
consumer in selecting or using a consumer financial product or 
service; or
    --the reasonable reliance by the consumer on a covered person to 
act in the interests of the consumer.
    12 U.S.C. 5531(d).
---------------------------------------------------------------------------

    10. Are any revisions to Regulation P warranted to address the 
exceptions financial institutions use to share nonpublic personal 
information with nonaffiliated third parties? \47\ Would any of the 
exceptions benefit from clarification or adjustment?
---------------------------------------------------------------------------

    \47\ See 12 CFR 1016.13-15.
---------------------------------------------------------------------------

    11. What are the opportunities:
    a. To strengthen protections for consumers regarding data about 
them, including to give consumers more choice about what data is 
collected and how it is used?
    b. To protect data subject to secondary use, such as to ensure that 
secondary uses comply with the direction given by the consumer?
    c. To track, control, and protect data in the hands of downstream 
recipients, such as to require downstream recipients to disclose the 
use, sale, or sharing of consumer nonpublic personal information to the 
consumers whose data they possess?
    d. To address the aggregation of data that includes data about 
consumers that originated with financial companies or was collected 
digitally, to ensure that the data consumers entrusted to companies 
that offer or provide consumer financial products or services remains 
protected even in large databases?
    e. To improve the opt-out process under the GLBA and Regulation P?
    f. To ensure that consumers and financial data enjoy consistent 
protections, whether they use financial or payment products produced by 
big tech firms or traditional consumer finance firms?
    g. To ensure that all companies are ``playing by the same rules'' 
with respect to consumer data when engaging in the same markets?
    12. What types of information should the CFPB regularly collect and 
publish about how financial companies, especially big tech firms, treat 
data in payment and financial products? Should the CFPB publish more 
information about the activities of the nonaffiliated third parties 
that are part of this ecosystem?
    13. Are there studies, surveys, research, or other evidence about 
how the previous collection of consumer data by financial companies, 
especially large financial institutions and big tech firms, presents a 
barrier to entry against others wishing to offer competing consumer 
financial products or services?
    14. What harms, if any, result from current business practices that 
leverage consumer data originating with financial companies or 
collected digitally through a financial company? What benefits, if any, 
do consumers currently enjoy because companies share consumers' 
nonpublic personal information?
    15. What additional tools should regulators use to support 
potential whistleblowers to report corporate conduct that violates 
consumers' data protection rights?

Rohit Chopra,
Director, Consumer Financial Protection Bureau.
[FR Doc. 2025-00811 Filed 1-14-25; 8:45 am]
BILLING CODE 4810-AM-P


</pre></body>
</html>
Indexed from Federal Register on January 15, 2025.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.