In a recent article at law360.com (paywall), David Stein, a partner at Covington, makes a troubling observation: The CFPB is “is poised to leverage UDAAP to create substantive new financial privacy standards, particularly if the Congress remains deadlocked on privacy legislation.” Stein points out to readers that the Bureau “appear[s] to be laying the groundwork for UDAAP-based privacy regulation.” For example, “during the fall of 2021, the CFPB began using terms like ‘data harvesting,’ ‘data monetization,’ and ‘data surveillance’ in public documents.”
Stein shows how
[t]he CFPB has taken preliminary steps toward the adoption of substantive UDAAP-based privacy protections. Under the outline of proposals under consideration for Section 1033 of the Dodd-Frank Act data access rule, the bureau is considering proposals to:
-
- Prohibit some or all secondary uses of consumer data by data aggregators; and
- Require data aggregators to delete consumer data when no longer necessary or when the consumer revokes authorization for access.
At the Money 20/20 conference in October 2022, Chopra said that the “longstanding Gamm-Leach-Bliley Act privacy rules don’t give consumers meaningful control over how their data is being used” and that he had asked his staff to “look at alternatives to the so-called notice-and-opt out regime that has been the standard for financial data privacy.”
Stein observes that shortly before the CFPB announced “options to strengthen consumers’ access to, and control over, their financial data as a first step before issuing a proposed data rights rule that would implement section 1033 of the Dodd-Frank Act,” Chopra “telegraphed the bureau’s focus on secondary use restrictions” when he said that the Bureau is “exploring ways to ensure that when consumers share their data for a specific use, that is the only use it will be used for.” Chopra added that “[w]hen a consumer permits their private data to be used by a company for a specific purpose, it is not a free pass for a firm to exploit the data for other uses, no matter what the legal mouse-print may say.” Stein points out that “the director did not limit his statements to data aggregators.”
So, how could the Bureau advance privacy short of a rule under Sec. 1033, which is not likely before 2024? Stein points to the Bureau’s suggested possible FCRA rulemaking in its fall 2022 regulatory agenda. Also, the Bureau can regulate by “nonbinding release[s], such as an advisory opinion, circular or bulletin, that deems certain data sharing and data use practices presumptively unfair.” And, of course, “…the CFPB could take a regulation-by-enforcement approach and launch one or more UDAAP enforcement actions against financial institutions related to data collection, use, sharing, or retention in an effort to impose new data restrictions by consent order.”
CFPB statements on “data harvesting,” “data monetization,” and “data surveillance”:
- Press Release, CFPB Orders Tech Giants to Turn Over Information on their Payment System Plans (Oct. 21, 2021) * +
- Press Release, Consumer Financial Protection Bureau Opens Inquiry into “Buy Now, Pay Later” Credit (Dec. 16, 2021) * ^
- Blog, Cracking down on discrimination in the financial sector (March 26, 2022) *
- Blog post by Rohit Chopra, “Reining in Repeat Offenders”: 2022 Distinguished Lecture on Regulation, University of Pennsylvania Law School (March 28 2022) *
- Press Release, CFPB Acts to Protect the Public from Black-Box Credit Models Using Complex Algorithms (May 26, 2022) *
- Press Release, Buy Now, Pay Later: Market trends and consumer impacts (Sept. 15, 2022) *
- Prepared remarks by Rohit Chopra, Director Chopra’s Prepared Remarks on the Release of the CFPB’s Buy Now, Pay Later Report (Sept. 15, 2022) +
- Press Release, CFPB Study Details the Rapid Growth of “Buy Now, Pay Later” Lending (Sept. 15, 2022) +
- Prepared statement of Rohit Chopra, Prepared Statement of Director Rohit Chopra before the Senate Committee on Banking, Housing, and Urban Affairs (Dec. 14, 2022) *
- Prepared statement of Rohit Chopra, Prepared Statement of Director Rohit Chopra before the House Committee on Financial Services (Dec. 14, 2022) *
Key:
- * “Data harvesting”
- ^ “Data monitization”
- + “Data surveillance”
Eric J. Ellman is Senior Vice President for Public Policy and Legal Affairs at the Consumer Data Industry Association (CDIA) in Washington, DC. He also served for eight months as Interim President and CEO of the Association. More