Alerts

CFPB Issues Request for Information Regarding the Collection, Use and Monetization of Consumer Payment and Personal Financial Data

January 16, 2025

On Jan. 10, 2025, the Consumer Financial Protection Bureau (“CFPB”) issued a notice and request for information (“RFI”) regarding the collection, use, sharing and protection of consumer financial data by companies offering or providing consumer financial products or services, such as data obtained from payments.[1] The CFPB is requesting public input on the nature and impact of these data collection practices in relation to existing privacy laws, specifically the Gramm-Leach-Bliley Act (“GLBA”) and its implementing Regulation P.[2]

Background

Enacted in 1999, the GLBA includes several privacy provisions designed to protect consumers’ nonpublic personal information, including provisions that restrict the disclosure of such information to nonaffiliated third parties and limit its further use and disclosure by downstream recipients of such data.[3] These privacy provisions apply to “financial institutions”, which is broadly defined to include most companies engaged in financial activities including banks, credit card issuers, credit bureaus, money transmitters, mortgage originators and servicers, student loan servicers, debt collectors, and payday lenders.[4] In 2010, rulemaking authority for the privacy provisions of the GLBA (which was originally with other federal agencies) was granted to the CFPB, and since restating the prior agencies’ regulations as Regulation P in 2011, the CFPB has only modified Regulation P twice and has not revised the model privacy form developed in 2009.[5]

Recently, the CFPB conducted research into the changing consumer payments landscape and found that companies’ actual business practices may be a significant deviation from consumers’ expectations with respect to the collection, use and monetization of their data obtained from payment transactions.[6] For example, in 2021 and 2023, the CFPB conducted an inquiry to seek information on the business practices of six technology firms that offer consumer payment products, including the type of data such firms collected and how such data was maintained and used.[7] As part of such inquiry, the CFPB preliminarily identified potential risks to consumers, including the collection and use of data in excess of what is needed for a payment transaction.[8] Further, a 2020 Government Accountability Office study identified consumers’ concerns over the privacy of their data, and the potential need for reassessment of Regulation P, including updating the model privacy form.[9]

Information Requested

Given the recent changes in the consumer data landscape, the CFPB issued its RFI with an aim to collect comments on companies’ practices in collecting, using, processing, sharing and managing consumer financial data and to gather proposals for amending Regulation P.[10] The CFPB’s primary focus includes understanding:

  • Incentives Behind Excessive Data Collection. The RFI seeks evidence regarding incentives for companies to collect more consumer data than is necessary for providing a consumer financial product or service.[11]
  • Effectiveness of and Reforms for Regulation P. The RFI seeks evidence concerning the effectiveness of Regulation P, including the effectiveness of the model privacy form and opt-out notices.[12]
  • Consumer Engagement and Barriers to Opt-Out Options. The RFI seeks evidence concerning the proportion of consumers exercising their opt-out rights, factors influencing their decisions and recommendations for simplifying the opt-out process.[13] The RFI also seeks insights identifying obstacles impeding this right, including acts or practices that discourage opting out.[14]
  • Opportunities for Enhanced Data Protections. The RFI seeks insights on strengthening protections around consumer data, including protecting data subject to secondary use or held by downstream recipients, and achieving consistent protections across different types of consumer financial service providers.[15]
  • Market Entry Barriers Due to Existing Data Practices. The RFI seeks evidence on whether data collections by large entities create barriers for new entrants in the consumer financial products and services space.[16]
  • Harms and Benefits to Consumers under Existing Data Practices. The RFI seeks information on the harms and benefits to consumers as a result of current business practices that leverage consumer data.[17]

Implications and Next Steps

The RFI indicates the CFPB’s interest in potentially expanding existing privacy protections to encompass new payment technologies. By seeking public input on these data collection activities and their implications, the CFPB demonstrates its willingness to either amend current regulations or use its existing authority to address consumer harm caused by such practices. Whether such initiatives will carry over to the Trump administration, however, is to be seen.

The CFPB is accepting public comments through April 11, 2025.[18] While the RFI includes a list of 15 specific questions, the CFPB also indicated that they are interested in receiving any comments relating to the consumer data financial institutions collect.[19] Industry stakeholders at all levels, including companies subject to the GLBA and Regulation P, are encouraged to submit comments, data and information about how companies that offer or provide consumer financial products or services collect, use and share consumer data.[20]

Schulte Roth & Zabel’s lawyers are available to assist you in addressing any questions you may have regarding these developments. Please contact the Schulte Roth & Zabel lawyer with whom you usually work, or any of the following attorneys:

Donald J. Mosher – New York (+1 212.756.2187)

Kara A. Kuchar – New York (+1 212.756.2734)

Betty Santangelo – New York (+1 212.756.2587)

Melissa G.R. Goldstein – Washington, DC (+1 202.729.7471)

Adam J. Barazani – New York (+1 212.756.2519)

Jessica Romano – New York (+1 212.756.2205)

Jesse Weissman – New York (+1 212.756.2460)

Julianna R. Pasquarello – New York (+1 212.756.2055)

Jonice Q. Jackson – Washington, DC (+1 202.729.7479)

[1] The RFI is available here.

[2] See RFI at 12.

[3] 15 U.S.C. §§ 6801-6809; 12 C.F.R. Part 1016.

[4] 15 U.S.C. § 6809(3).

[5] RFI at 5.

[6] See RFI at 3.

[7] RFI at 9.

[8] RFI at 9.

[9] RFI at 6-7.

[10] RFI at 12.

[11] RFI at 12.

[12] RFI at 12-13.

[13] RFI at 13-14.

[14] RFI at 14.

[15] RFI at 15-16.

[16] RFI at 16.

[17] RFI at 16.

[18] RFI at 1.

[19] RFI at 12.

[20] RFI at 12.

This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. © 2025 Schulte Roth & Zabel LLP. All rights reserved. SCHULTE ROTH & ZABEL is the registered trademark of Schulte Roth & Zabel LLP.

Related People

DonaldMosher

Partner

New York

KaraKuchar

Partner

New York

BettySantangelo

New York

Melissa Goldstein

Partner

Washington, DC

AdamBarazani

Special Counsel

New York

JessicaRomano

Special Counsel

New York

JesseWeissman

Associate

New York

JuliannaPasquarello

Associate

New York

JoniceJackson

Associate

Washington, DC

Practices

Attachments

Related Insights

Stay up to date

Get the latest news and updates from Schulte.

New York

919 Third Avenue

New YorkNY 10022

P+1 212.756.2000

F+1 212.593.5955

Washington, DC

555 13th Street, NW, Suite 6W

WashingtonDC 20004

P+1 202.729.7470

F+1 202.730.4520

London

One Eagle Place

London SW1Y 6AF

P+44 (0) 20 7081 8000

F+44 (0) 20 7081 8010

Back to top