US states should assess gaps in their data privacy laws to ensure Americans are protected in an era when financial institutions are increasingly bidding to monetise their customers' data, according to the CFPB.
Over the last six years, 18 states have passed data privacy laws, giving people greater control over and access to their data and moving to reduce the collection of unneeded data.
But, these laws all have exemptions tied to federal regulations for financial data and products and services.
Meanwhile notes the CFPB in a report, Americans are increasingly relying on digital financial tools such as mobile banking and payment apps, which give unprecedented opportunities for companies to collect large quantities and various types of data concerning their economic lives and behaviours.
Financial firms are using details about people’s income, expenses, and account balances to build new sources of revenue, including by selling it on to third parties, says the report.
This year, JPMorgan Chase and PayPal have both unveiled plans to build businesses that use customer data to help firms better target their advertising.
Current federal rules for financial data privacy "may not fully address the challenges posed by modern data surveillance," says the CFPB.
Yet, while states have significant latitude to provide additional data privacy protections, many exempt the data and financial institutions subject to federal rules.
States, concludes the rereport should instead consider taking action to protect people where federal law currently has gaps or may be ineffective.
“Consumers should have meaningful choice and an expectation of privacy about how their financial data is used, but large companies are increasingly harvesting and monetizing this sensitive data in mysterious ways,” says CFPB director Rohit Chopra.
“Given the exemptions in state law when it comes to this personal data, consumers lack fundamental protections for their financial privacy.”