In a recent article at (paywall), David Stein, a partner at Covington, makes a troubling observation: The CFPB is “is poised to leverage UDAAP to create substantive new financial privacy standards, particularly if the Congress remains deadlocked on privacy legislation.” Stein points out to readers that the Bureau “appear[s] to be laying the groundwork for UDAAP-based privacy regulation.” For example, “during the fall of 2021, the CFPB began using terms like ‘data harvesting,’ ‘data monetization,’ and ‘data surveillance’ in public documents.”

Stein shows how

[t]he CFPB has taken preliminary steps toward the adoption of substantive UDAAP-based privacy protections. Under the outline of proposals under consideration for Section 1033 of the Dodd-Frank Act data access rule, the bureau is considering proposals to:

    • Prohibit some or all secondary uses of consumer data by data aggregators; and
    • Require data aggregators to delete consumer data when no longer necessary or when the consumer revokes authorization for access.

At the Money 20/20 conference in October 2022, Chopra said that the “longstanding Gamm-Leach-Bliley Act privacy rules don’t give consumers meaningful control over how their data is being used” and that he had asked his staff to “look at alternatives to the so-called notice-and-opt out regime that has been the standard for financial data privacy.”

Stein observes that shortly before the CFPB announced “options to strengthen consumers’ access to, and control over, their financial data as a first step before issuing a proposed data rights rule that would implement section 1033 of the Dodd-Frank Act,” Chopra “telegraphed the bureau’s focus on secondary use restrictions” when he said that the Bureau is “exploring ways to ensure that when consumers share their data for a specific use, that is the only use it will be used for.” Chopra added that “[w]hen a consumer permits their private data to be used by a company for a specific purpose, it is not a free pass for a firm to exploit the data for other uses, no matter what the legal mouse-print may say.” Stein points out that “the director did not limit his statements to data aggregators.”

So, how could the Bureau advance privacy short of a rule under Sec. 1033, which is not likely before 2024? Stein points to the Bureau’s suggested possible FCRA rulemaking in its fall 2022 regulatory agenda. Also, the Bureau can regulate by “nonbinding release[s], such as an advisory opinion, circular or bulletin, that deems certain data sharing and data use practices presumptively unfair.” And, of course, “…the CFPB could take a regulation-by-enforcement approach and launch one or more UDAAP enforcement actions against financial institutions related to data collection, use, sharing, or retention in an effort to impose new data restrictions by consent order.”

CFPB statements on “data harvesting,” “data monetization,” and “data surveillance”:



  • * “Data harvesting”
  • ^ “Data monitization”
  • + “Data surveillance”