CFPB Issues Report on State Consumer Privacy Laws

The CFPB recently issued a report that purports to summarize the efforts of eighteen states (between 2018 and 2024) to provide increased consumer privacy protections, including with regard to consumer financial privacy.  The report describes various protective aspects that some or all of these states have adopted, such as the right for a consumer to demand that a business delete nonpublic personal information that it maintains about that consumer, or the requirement that a consumer must opt in (as opposed to opt out) for a business to collect or use certain data about that consumer. 

However, the CFPB goes further in the report as well.  The report indicates that in the CFPB’s view, such state laws do not go far enough in enhancing consumer protections, because these state laws typically exempt financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA) (as well as FCRA in some instances).  The report critiques some aspects of these federal laws.  For example, the report appears to take the position that an opt-in structure for sharing sensitive consumer information, as opposed to the GLBA’s opt-out structure, would be more protective.

The report further argues that states should be able to adopt more protective measures in these areas without being preempted by GLBA or FCRA, although it is unclear whether courts would agree with this interpretation.