Consumer, Industry Groups Weigh Dodd-Frank Privacy Framework
The Consumer Financial Protection Bureau should retain consumer privacy protections in Section 1033 of the Dodd-Frank Act and continue guarding against third-party financial data abuse, consumer groups told the CFPB in comments due Tuesday (see 2508210038).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Industry groups asked the CFPB to not interfere with existing financial data regulations, but several agreed with consumer advocates about the need to ban screen-scraping, a practice of some data brokers. The bureau posted nearly 14,000 comments.
The CFPB is seeking to understand the “threat picture for data privacy” associated with the implementation of Section 1033 of the Dodd-Frank Act. Section 1033 directs the agency to issue rules for consumer disclosures of transaction data and other information concerning consumer financial products.
Consumer groups told the CFPB the data privacy protections in Section 1033 are “best-in-class,” including prohibitions on “secondary use, requirements for data minimization, a one-year limit for authorizations, clear segregated disclosures for authorization, and a requirement to delete data once there is no longer authorization.”
“These protections not only safeguard consumers, they benefit data providers by limiting the amount, usage, and retention of the data,” the groups said. “If the Rule does not cover third parties when they access consumer-authorized data, including when screen scraping, both consumers and data providers will be left vulnerable.”
More than 50 groups signed the joint comments, including the National Consumer Law Center, Consumer Federation of America, Consumer Reports, Electronic Privacy Information Center, Public Citizen and U.S. PIRG.
Colorado Rep. Brianna Titone (D) submitted comments asking the bureau to ban screen-scraping. “This process allows aggregators to collect additional personal information and data that is used in ways consumers did not consent to,” she said. “It essentially leaves data vulnerable and is an inherently deceptive practice that must be forbidden.”
Similarly, the American Bankers Association asked the bureau to designate screen-scraping as an “unfair, deceptive or abusive” practice. It also asked the bureau to suspend all effective dates for a rule proposed by the Biden administration, including an April 2026 compliance date for banks holding at least $250 billion in total assets. “As the CFPB has already clearly stated its intention to rewrite the Section 1033 rule and undertaking the rule writing process, the Bureau must end this unnecessary compliance risk by indefinitely postponing all compliance dates until a new PFDR rule is finalized in the Federal Register,” said ABA.
Privacy for America, which represents advertising associations and other industries, raised concerns about proposed provisions that “unreasonably limit the ability of authorized third parties to use covered financial data for certain purposes, such as targeted advertising and cross-selling, and require the consumer to annually reauthorize disclosures of data to the very third parties they authorized to receive data previously.” The group warned the CFPB against finalizing a regulation that creates “artificial and unreasonable barriers to that access are counter to a market where data can drive growth and competition.”
The Consumer Data Industry Association asked the bureau not to interfere with consumer reporting regulations under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. “These laws and regulations strike the proper balance between protecting consumer privacy on the one hand, and facilitating the use of consumer-specific data in making credit, insurance, and employment decisions (among other things) on the other,” said CDIA. “Both individual consumers and the broader economy would suffer if the Bureau’s Section 1033 rulemaking made it more difficult for those decisions to be made on the best data possible.”
The Computer & Communications Industry Association suggested CFPB mitigate the risk of unauthorized consumer representation by assigning liability to the “authorized representative for any harm resulting from inadequate privacy and cybersecurity practices while the consumer data is in the authorized representative’s possession. To provide greater certainty, the rule should advance an expanded liability framework under which each participant in the data-sharing chain bears responsibility for breaches or misuse of data that occurs during the period it controls the data.”