This post originally appeared in our sister publication, Password Protected.
On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) issued a set of Consumer Protection Principles regarding the sharing and aggregation of consumers’ financial data. The timing of the announcement in light of last month’s disclosure of the Equifax breach of approximately 140 million consumers’ financial data seems noteworthy, as all companies whose businesses rely on the consumer-authorized financial data market are scrambling to regain consumer trust.
Noting the “growing market” for consumer-authorized financial data aggregation services, the CFPB has promulgated nine principles which, in the words of CFPB Director Richard Cordray “express [the Bureau’s] vision for realizing an innovative market that gives consumers protection and value.” (See CFPB press release).
Many of the principles themselves will be familiar to anyone who has paid attention to consumer privacy discourse over the last 30+ years. They are in many ways a restatement of the OECD Guidelines, published in 1980 by the Organisation for Economic Co-operation and Development, but with a few useful additions. The “new” CFPB principles include time-tested privacy principles of:
- informed consent & control over data sharing
- notice and transparency regarding the third parties’ access to and use of consumer data
- data quality & accuracy and the right of consumers to dispute inaccuracies
- an expectation of security and safeguards to protect consumer data
- a right of access by consumers to their own data; and
- accountability to the consumer for complying with the foregoing principles.
In addition, however, the CFPB principles contain some fairly specific guidance that is particularly useful in the context of financial data and may have a significant impact on the way financial data is gathered, marketed and retained. For example, the CFPB Principles contain a specific principle (#4) regarding payment authorization:
- Authorizing Payments. Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.
The above principle is one of several that illustrate the CFPB’s disapproval of broad, open-ended consents from consumers, favoring instead tailored, purpose-specific access. Principle #2 (Data Scope and Usability) is another example of this theme. It reads in part, “Third parties with authorized access only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.”
It remains to be seen how these principles might be applied to data collectors like credit bureaus, who typically hold consumer data for as long as a consumer’s lifetime in many cases. The CFPB’s press release emphasized that the principles are not intended to supercede or interpret any existing consumer protection statutes or regulations and that they are not binding. Still, they do provide a window into the CFPB’s mindset and the likely trend for future regulation.