By Michael Gordan, defi SOLUTIONS VP, Compliance
Subtlety is not the regulator’s friend. Nuance and attention to the particular details of an individual business are antithetical to the black and white rules that regulators try to deploy and enforce. The same is true when regulators try to encourage behavior in the absence of rules.
Take, for example, the recently released November 2024 Report titled State Consumer Privacy Laws and the Monetization of Consumer Financial Data. The subtitle might be, “A Large Elbow in The Ribs of State Lawmakers and Regulators”. It’s unusual to see a federal regulator appeal to state actors to plug a hole in the law, but that is exactly what the Report seeks to do. What is the argument?
A Brief History
The Report notes that the federal financial privacy regime was established in 1970 with the Fair Credit Reporting Act and then furthered in 1999 with the Gramm-Leach-Bliley Act (GLBA), along with their subsequent amendments. Kudos to the federal government, says the CFPB, but technology and privacy concerns have evolved, and the limitations of the existing legal structure are becoming increasingly obvious. Like many privacy advocates, the CFPB latches on to the opt-out structure of these federal laws — that consumers must actively signal the intent that their data not be shared — as a key flaw.
As we all know, the federal government has been unable to develop a new privacy law that would cut across all 50 states. The CFPB sees a ray of hope in this unfortunate situation — the fact that since 2018 eighteen states have passed consumer data privacy laws, all of which include (1) a right of access; (2) a right to delete; and (3) a right to data portability. Furthermore, many of them include other provisions the CFPB thinks are praiseworthy, including an opt-in structure for many rights and a codification of the data minimization concept we’ve discussed in an earlier post.
Understanding the Issue
If the states are riding to the rescue, what is the issue? The CFPB, a federal regulator, thinks that the states are being too deferential to the federal government. Why? Because all of the laws enacted at the state level (other than California’s law) include exemptions for financial institutions governed by GLBA, and many include exemptions for the affiliates of those institutions. And all of the state laws without exception include an exemption for the financial information that is covered by GLBA. The CFPB helpfully provides a list of the types of activities/businesses that these exemptions might cover. Beyond the banks and credit unions that immediately spring to mind, the CFPB lists “lending, transferring money or securities, financial advisory services, asset management, consumer reporting, debt collection, loan servicing,” and many more activities as exempt.
To correct this oversight, Section 6 of the Report is devoted to an explanation of how states can draft laws that would enforce their data privacy laws against institutions that might be covered by GLBA without running afoul of federal law. In footnote 87 of the Report, the CFPB offers itself as a resource for states seeking to expand the scope of their privacy laws without encroaching on ground covered by the federal legal system. The CFPB notes that it is by statute the authority on questions of preemption, the catchall term for when federal law overrides (preempts) state law. “States should consider whether they would like to provide the same protections to the financial sector that they are providing consumers in other parts of their economic lives.” Nudge. Nudge. Nudge.
Looking to the Future
For those businesses who have benefited from the state-law exemptions, the CFPB Report should serve as a reminder and an alarm that such exemptions can by no means be certain to survive in the future. State governments have already shown themselves willing to legislate on this topic, and data privacy is a universally popular subject of legislation. Similarly, at the federal level, these concerns tend to cut across administrations. For example, it was the Government Accountability Office in 2020 that issued a report titled “CONSUMER PRIVACY: Better Disclosures Needed on Information Sharing by Banks and Credit Unions”.
The CFPB Report once again highlights the lack of a national privacy regime, and the thought of trying to comply with eighteen (or more) states’ individual privacy statutes should be enough to induce concern in any compliance-minded company. Though we may see no action at the federal level for years to come, states may at the same time try to expand the reach of their data privacy laws, leading to a patchwork regime that makes compliance an ongoing challenge.
This blog is not meant to be a comprehensive listing of compliance challenges the industry faces, nor a source of legal advice. Instead, we address trends in vehicle loan and lease compliance and illuminate some of the issues that are on the minds – or, in our view, should be on the minds – of industry players.