CFPB - Consumer Financial Protection Bureau

01/10/2025 | Press release | Distributed by Public on 01/10/2025 08:49

CFPB Seeks Input on Digital Payment Privacy and Consumer Protections

WASHINGTON, D.C. - Today, the CFPB announced that it is seeking public input on strengthening privacy protections and preventing harmful surveillance in digital payments, particularly those offered through large technology platforms. The agency is requesting comment on implementing existing financial privacy law and how to address intrusive data collection and personalized pricing. Additionally, the CFPB requested comment on a proposed interpretive rule outlining how the Electronic Fund Transfer Act, which provides consumers with protections against errors and fraud, applies to new types of digital payment mechanisms, such as those currently offered through large technology companies and video gaming platforms, as well as stablecoins and other digital currencies that are not widely used today in consumer transactions.

"When people pay for their family expenses using new forms of digital payments, they must be confident that their transactions are not tainted by harmful surveillance or errors," said CFPB Director Rohit Chopra. "The CFPB is seeking public input on how to apply longstanding consumer and privacy protections to new and emerging payment mechanisms."

Emerging Forms of Digital Payments

While most consumer payments are transacted using accounts connected to banks and credit unions, new payment mechanisms have emerged for consumer use. For example, the CFPB has previously published research on new forms of digital payments used in video gaming platforms. Some video game platforms have proprietary currencies that players can use to purchase and sell items and services. The CFPB has also conducted extensive research into the digital payment offerings of Big Tech companies and popular person-to-person payment apps.

In addition, the Treasury Department and financial regulators have undertaken a multi-year effort to determine how existing law applies to stablecoins. Unlike certain crypto assets that are designed to fluctuate in value, stablecoins are typically marketed as being pegged to the value of a sovereign currency, like the U.S. dollar. Stablecoins are heavily used today for the purposes of trading and investment, and market participants have suggested consumer use of stablecoins will likely increase in the coming years.

The CFPB is publishing two notices for public comment.

Request for Information on Privacy of Consumer Payment Data and Other Financial Transactions

First, the CFPB is requesting public comment to better understand how companies that offer or provide consumer financial products or services collect, use, share, and protect consumers' personal financial data, including data harvested from consumer payments. The Request for Information published by the CFPB outlines some of the agency's prior research and monitoring of payment platforms, such as those offered by Big Tech companies. The CFPB found that these payment mechanisms collect and use data in excess of what is needed to initiate and complete a transaction. This data can be matched with a wide range of other data about a consumer, including their location, social networking, and browsing history. This data could be used in ways that allow payments companies to facilitate personalized pricing, where a price is based on factors specific to an individual consumer.

Currently, the federal framework for financial data privacy protections consists largely of the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation, Regulation P, along with the Fair Credit Reporting Act (FCRA). The CFPB has also used its authority to address unfair or deceptive acts or practices related to the handling of consumer data. The GLBA's current regulatory framework is built around disclosures and opt-out requirements that scholars and others have noted may not fully address the challenges posed by modern data surveillance.

A recent Government Accountability Office (GAO) study noted "the consumer opt-out rate is generally low," and that consumers "may be largely unaware of how fintech apps use their personal information and the privacy risks that such usage poses." In particular, the GAO noted that the model privacy form widely adopted by the financial industry "may be out of date and may not accurately represent the increased and varied ways financial institutions share information compared to when the form was implemented over 10 years ago."

The Request for Information seeks comments about the effectiveness (or lack thereof) of existing regulations, including the existing model form, privacy notices, and opt-out mechanisms. The request solicits input on ways to strengthen the existing framework, as well as the types of data the public believes that the CFPB should monitor on a routine basis.

Comments on the Request for Information must be received on or before April 11, 2025.

Proposed Interpretive Rule on the Applicability of the Electronic Fund Transfer Act

In addition, the CFPB has proposed an interpretive rule on how the Electronic Fund Transfer Act (EFTA) and Regulation E would apply to new and emerging digital payment mechanisms. Among other protections, EFTA gives consumers the right to dispute erroneous or fraudulent transactions. While courts have issued rulings on specific fact patterns, the proposed interpretive rule provides a framework for determining when EFTA's protections apply to emerging digital payment mechanisms. The CFPB's proposed interpretive rule would ensure that consumers can consistently invoke their rights under federal law, while also assisting market participants developing these payment mechanisms.

Comments on the proposed interpretive rule must be received by March 31, 2025.

In addition to today's issuances, the CFPB is taking other steps to address emerging data privacy challenges. The CFPB also wants to ensure that traditional banks and credit unions are not put at a competitive disadvantage when new market entrants seek to circumvent federal law. The CFPB recently issued a final rule to ensure Big Tech companies and others offering digital funds transfer and payment wallet apps adhere to consumer financial protection laws, including restrictions related to consumer data. The agency also issued a final rule to give consumers more control over their personal financial data. Additionally, in December the CFPB released a proposed rule to confirm that federal privacy protections apply to data brokers, reining in the sale of Americans' sensitive personal and financial information.

Previously, the CFPB published a report highlighting carveouts for financial institutions in state data privacy laws. The report noted that many new state data privacy protections exempt financial institutions and consumer financial data covered by federal law, even though states generally have authority to provide greater protection than federal law.

The CFPB also published a blog asking video gamers and parents to comment on the interpretive rule and share their experiences with gaming assets and transactions.

Read today's Interpretive Rule.

Read today's Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data.

Consumers can submit complaints about financial products and services by visiting the CFPB's website or by calling (855) 411-CFPB (2372).

Employees who believe their company has violated federal consumer financial protection laws are encouraged to send information about what they know to [email protected]. To learn more about reporting potential industry misconduct, visit the CFPB's website.