In the latest episode of Payments Pros, host Carlin McCrory welcomes Kim Phan to discuss the Consumer Financial Protection Bureau's (CFPB) recent inquiries into enhancing privacy protections.
On January 10, the CFPB sought public input on improving privacy safeguards and curbing harmful surveillance in digital payments, particularly those offered by large technology platforms. The CFPB is particularly interested in comments on existing financial privacy laws and issues related to intrusive data collection and personalized pricing.
Carlin and Kim highlight the CFPB's ongoing efforts to regulate big tech firms, which they view as operating outside traditional banking controls. The discussion also covers the CFPB's approach to the Gramm-Leach-Bliley Act (GLBA) and its effectiveness in addressing modern data surveillance.
They wrap up their conversation by examining potential shifts in the CFPB's regulatory focus under new administration leadership.
NOTE: At the time of recording, this podcast may not have captured the most recent events relating to the change in CFPB leadership and resulting instructions to CFPB staff regarding CFPB rulemakings. Stay tuned for future podcast episodes addressing these important developments.
Payments Pros – The Payments Law Podcast — CFPB’s Inquiry Into Payments Privacy
Host: Carlin McCrory
Guest: Kim Phan
Aired: March 5, 2025
Carlin McCrory:
Welcome to another episode of Payments Pros, a Troutman Pepper Locke Podcast, focusing on the highly regulated and ever-evolving payment processing industry. This podcast features insights from members of our FinTech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry. I’m Carlin McCrory, one of the hosts of the podcast.
Before we jump into today's episode, let me remind you to visit and subscribe to our blog, TroutmanFinancialServices.com. And don't forget to check out our other podcasts on troutman.com/podcasts. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services, and more. Make sure to subscribe to hear the latest episodes.
Today, I'm joined by my colleague, Kim Phan, to discuss the motivations behind the CFPB's recent inquiries into strengthening privacy protections. On January 10th of this year, the Bureau announced that they were seeking public input on enhancing privacy protections and preventing harmful surveillance and digital payments, particularly those offered through large technology platforms. The Bureau is requesting comments on existing financial privacy laws and addressing intrusive data collection and personalized pricing.
Kim, thanks so much for joining us today. Really looking forward to hearing your thoughts.
Kim Phan:
Well, thanks for having me, Carlin. Always a pleasure to be a guest on your Payments Pros podcast. This is certainly the perfect intersection of the financial services and privacy. I would say timely, the CFPB is looking into this, and I would say that because this isn't a proposed rule yet or a final rule or anything of that nature, pretty sure that some of the Trump administration's new freezes on some of the proposed rules that were enacted between the end of the election and his inauguration, we’ll going to unpack this. So, maybe a new CFPB director decides to take a different direction with this. But in the short term, I think this will move forward.
Carlin McCrory:
Oh, that's great intel, Kim. To dive right in a little bit more, what's the genesis of this request and the driving force behind the CFPB's questions?
Kim Phan:
Well, I think we all know that in the past few years, the CFPB has very much done everything they could to demonstrate some level of jurisdiction or a hook for which they could pursue big tech. The large technology firms that in their minds are dabbling in the world of consumer financial services and we see very clearly, Apple, Google, Facebook. These are our big targets for the CFPB. It's interesting to me that whenever the CFPB talks about traditional banking, it's horrible. It's terrible. They're abusing consumers. But when they talk about FinTechs, well, these guys are the Wild West. They're not complying with the controls that we put in place for the traditional banks. So, they love the traditional banks until they don't. This is one of those scenarios where the PayPals of the world, the Zelles, the Apple Pays, all of this outside the traditional banking payments process is something that the CFPB has been wanting to get their hands on for some time.
Another reason, I think, that we see this form of request with the type of language the CFPB is using, they're going after some of the same buzzwords and targets that they've always gone after, right? There's questions about whether or not there's dark patterns at play here and whether or not they're always trying to throw in a miscellaneous competition-like question, similar to the way the FTC has both its Consumer Protection Bureau and its Competition Bureau, the CFPB is very fond in the last couple of years of throwing in some sort of antitrust type spin on a consumer protection issue. And they ask specifically here whether data collection by some of these large FinTech players creates a barrier to entry for some smaller entities.
To be clear, I mean, I think the CFPB is timely in their request here. They have done some market monitoring. I know you had a podcast before about some of the requests they've made to some of the large players in the industry, but they've never actually done consumer research themselves, right? Surveys, studies of actual consumer expectations, and what consumers might actually be thinking. They rely on a bunch of third-party articles and studies that they point to from entities like NCLC and others, but they haven't done their own research.
So, to the extent that that's what their approach is here, that they're trying to get data, CFPB-originated data, I'm all for it. I think the industry would benefit from that type of data. If they're going to pursue that research in a very slanted way, which, Carlin, even in your opening, the CFPB characterizes this as a look into the invasive data collection of these entities. I'm like, “Well, if you're going to call it that, you're sort of biased already, your questions here.” Again, if the CFPB is going to do a neutral study into what's actually going on in the world of financial privacy, I'm all for it. But if they are planning to pursue a very slanted viewpoint to support actions they've already decided they want to take, that's a little bit different. But again, I think the world of the CFPB changes once we have a new director.
Carlin McCrory:
Right. That completely makes sense, Kim. Then what can we glean about the CFPB's plans towards the GLBA?
Kim Phan:
Yes, the GLBA, the Gramm-Leach-Bliley Act, has actually been around for quite some time. It was enacted way back in 1999. So, we're looking at a statute that's over 25 years old. When the CFPB was created back in 2010, they were given very clear authority under the Dodd-Frank Act that consolidated what was previously somewhat dispersed authority over the GLBA across the FTC, the other federal financial regulators, and consolidated all in the CFPB.
But the CFPB has really never taken much opportunity to do much with the GLBA and Reg P, which is the implementing regulation under GLBA. I mean, they made some changes in response to the FAST Act in 2015. That's the congressional law that changed how companies, financial companies, have to send annual privacy notices, but they've never really done anything themselves. They've cited a couple of times to a GAO report, the Government Accountability Office, from a few years ago. This is a 2020 report that questioned whether or not GLBA privacy notices continue to serve the function for which they were initially developed. They cited to this report last fall when they made a plea, essentially, to states in their comprehensive privacy laws to stop handing out GLBA exemptions. They cited again here in this request for public comment. Really, again, it goes back to the fact that the CFPB doesn't really have their own data on this. They're referring to the GAO report. They refer to other studies that have been done.
But the CFPB, in their questioning, in their commentary with regard to this request, says things like the GLBA may not fully address modern data surveillance. It asks for comments about the effectiveness or lack thereof of the existing regulations, and the CFPB says it's not clear to them if consumers understand what's going on and whether or not consumers are aware of the types of data collections that are happening. Some of it, I think, is out of step with consumer expectations. They're making assumptions about what consumers think. For one of the examples that they give of a type of data collection that they view the CFPB at the time that they issued this request again, could change very shortly.
They believed that the data collection was unnecessary when processing a purchase transaction. They said, “All you should really need is the vendor and transaction amount.” But in their minds, it's unnecessary to actually get the SKU, the stock-keeping unit number, to identify the actual item being purchased by the consumer. In the CFPB's mind when they were asking these questions, they were asking, “Well, what's the nefarious purpose behind needing that additional information? You only need basic information to process a payment.” But again, is that different from consumer expectation? If I'm a consumer, I would assume if someone's processing my payment, they know what I'm buying.
So, I don't know whether or not this will continue in that vein. But again, words like intrusive, invasive, these are the types of words the CFPB is using here that, again, I think is very clear whether using terminology like that, what they think of the current GLBA regime, but that, again, not necessarily the same as what consumer expectation is.
Carlin McCrory:
Kim, can you describe a little bit? I mean, is there any interplay here with what the CFPB is looking for, then there's all of these state privacy laws that are continuing to be enacted, is there any relationship there?
Kim Phan:
The report that the CFPB released, this was November of last year. The CFPB was pretty clear. They're looking at all of these state privacy laws. There's now 19 across the country. All of them have some variation on an exemption for financial institutions that are subject to the Gramm-Leach-Bliley Act. Now, some of those exceptions are broader than others, right? Some provide a data-level exemption only in which if you're using data for a financial purpose under GLBA, it's exempt. Other states provide a much broader exemption, an entity-level exemption.
If you're a financial institution subject to GLBA period, you're exempt from the requirements of these state privacy laws. In the CFPB in their report last fall hinted at this upcoming request for information that they didn't believe GLBA was enough. They pointed out all these problems with GLBA and how it might not be adequate to protect consumer privacy and that states should stop making these types of exemptions for financial institutions under GLBA.
Now, at the time, one of the prime criticisms, which I also fielded against the CFPB was, “Look, you have GLBA rulemaking authority. If you have some problem with GLBA, it's in your authority to make changes to Regulation P and how those privacy protections are extended to consumers. Don't ask for the states to do it on your behalf.” But that was then, this is now. Again, to the extent that the CFPB plans to do something in this area, I actually appreciate that they're being thoughtful and trying to get some consumer feedback and data before they start moving in a direction that, again, might not be reflective of where consumers are today when thinking about their financial privacy.
Carlin McCrory:
What privacy harms has the Bureau identified to merit this new regulation?
Kim Phan:
Again, I think the CFPB is doing a lot of speculation here. They don't point to concrete harms. They talk about things like personalized pricing and the development of dynamic pricing algorithms, tailoring the pricing of a product or service based on an entity's knowledge of a consumer's purchase history. But it's implied when they say this that that's bad. But they don't point out why or explain what's problematic with that. Maybe consumers would benefit from personalized pricing. You're able to increase the price for some who are willing to pay more for a product in order to make that product available to others who may not be able to pay the higher price. That type of dynamic pricing could very easily lead to consumer benefits, but in the tone of this request, it's very clear that the CFPB implies that this is perceived by them to be a bad thing.
Also, compiling customer profiles for marketing purposes. We know that the CFPB somehow believes that marketing is some sort of great evil and a horrible harm that is brought against consumers. But frankly, as a consumer, I like it, marketing, right? I want to know about new products and services that are available in the marketplace. I want to know the difference between products that are made available from one entity to another. So again, it's presented here as something that should be assumed to be bad, but they don't actually explain that marketing is bad, so companies should be prevented from being able to do better marketing. They don't say that, but it's implied in how they're phrasing their questions.
They also talk about privacy policies and how, again, this is very conditional. They say it may be burdensome for consumers to understand these privacy policies and when companies update them and make changes, that will apply retroactively to data, financial data companies already have. But again, this sort of assumes that consumers care. It's this very basic question, right? You have questions of privacy theory. In theory, consumers care about their privacy. But in their behavior, we see over and over again the consumers are willing to forego even all of their privacy for even a tiny financial benefit, a 5% coupon on something or a discount or a waiver of fees, right? We see over and over again, the consumers may not care about privacy to the extent the regulators believe, but let's assume that the consumers do care and that privacy policy should be more clear.
One of the questions that the CFPB asks is, should they expand the disclosures that were required under GLBA? Should they have a separate notice, a privacy notice, an opt-out notice? Right? So, if the idea is they want to make this easier for consumers, they're now proposing all kinds of things that would add length to the types of disclosures consumers would have to read in order to exercise their privacy rights. Again, I think the CFPB is not quite sure what the actual harm is and what the fix is. In their minds, they want to add more disclosures, which would be burdensome for business, but also burdensome for consumers who would have to figure these things out and read them. I don't know, there's an underlying paternalism here that the CFPB wants to make everything as easy as possible for the consumer. But some of these financial products and services are actually quite complex. Why is it a burden on the business to make sure the consumer understands? If the business makes available the terms and makes clear the functionality of a product, the privacy disclosure should reflect that. Consumers have to take on some responsibility for understanding what products and services they're using and what that means for them and their financial privacy.
All of that is to say that it's interesting that CFPB is very focused on these potential harms, these prospective harms, these theoretical harms. They don't spend a ton of time thinking about the potential benefits to consumers. It's certainly not in these questions. They ask very little about benefits. One of the things that they pointed out as a potential use for this data is companies using consumer behavior to estimate the likelihood that a consumer might contact customer services, and so the business can prioritize access to a live customer service agent to that person when they reach out for help.
That sounds like a good thing to me, but the CFPB doesn't characterize it in that way at all. I would love to see some great data come out of this and some thoughtful changes to the rule if that makes sense. But again, I think the way that the CFPB is approaching it and the nature and form of their questions shows some bias on their part.
Carlin McCrory:
That's really great insight, Kim. Do we expect a shift in the CFPB away from these efforts to regulate big tech considering the change in administration?
Kim Phan:
I think we're absolutely going to see that. The reality is the CFPB's efforts to hook big tech, as I said at the beginning of the podcast, have always been based on some pretty tenuous arguments and stretching the law in interesting and new and novel ways. I think there's a broad expectation that the CFPB, under the new administration and under the leadership of a new director, is much more likely to pull back on those types of novel arguments and really focus on the bread and butter of regulation enforcement, looking at true privacy harms, things that you know are a problem. Someone not sending a privacy notice at all versus questioning the content of that privacy notice in compliance with Regulation P.
I do think that the public comment period should go forward. Right now, in response to the CFPB's request for public comment, comments can be accepted all the way through April 11th of 2025. I think it would be useful to hear from players in the industry about how they're thinking about these things. I think that would be useful and informative to the CFPB, again, as long as the CFPB has an open mind. Whether or not any of this, these studies as data that's compiled will end up in any actual changes to GLBA or Regulation P, is yet to be determined. Again, if there's something clear-cut that a new administration's leadership of the CFPB might find appealing, sure, maybe we'll see something. But I think whatever the prior CFPB staff were thinking when they issued this rulemaking, whatever their intent was at that time will probably shift under new leadership.
Carlin McCrory:
And notwithstanding the administration change, it sounds like, but correct me if I'm wrong, that your opinion is that this data will be really helpful for the CFPB, such that companies should propose comments or provide their comments to the RFI. What type of entities would you suggest still submit comments on this?
Kim Phan:
Well, I'm sure we're going to see comments from the general public. John Public will certainly submit some comments; we'll certainly see comments from consumer advocate organizations and others in that space. I think it would behoove the financial industry to participate as well, whether or not individual data from specific companies or aggregated data that's submitted through trade associations or other players in the financial industry, I think that would be valuable to the CFPB.
Now, there are certainly some considerations there, trade secret and other types of internal business practices made publicly available could be problematic for some companies. But again, that's a great role for the American Bankers Association or others in the financial industry space to think about what role they could play in aggregating some of this data and provide valuable insights to the CFPB. So, whether this administration or the next will have this information as they make their decision-making as opposed to trying to operate in a vacuum or relying entirely again on data being provided by consumer advocacy organizations and others.
Carlin McCrory:
Well, Kim, this has been absolutely great and very insightful. Thank you so much for joining us today and thanks to our audience for listening to today's episode. Don't forget to visit our blog, troutmanfinancialservices.com and subscribe so you can get the latest updates. Please make sure to also subscribe to this podcast via Apple Podcasts, Google Play, Stitcher, or whatever platform you use. We look forward to next time.