On January 10, 2025, in the waning days of the Biden Administration, the Consumer Financial Protection Bureau issued a Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data. The Request signals the Bureau’s strong concern with the ways financial institutions, and particularly new financial tools like widespread use of mobile banking, collect and use sensitive consumer-financial data. The Request was motivated by the results from the data that the Bureau collected in developing its Personal Financial Data Rights Rule, finding that “actual business practices show significant deviation from longstanding consumer expectations when it comes to the collection, use, and monetization of data harvested from payment transactions.” Among the Bureau’s chief concerns was consumers’ general ignorance about financial data that Americans believe “is kept private just because it is sensitive.” On the contrary, the Bureau found that not only is consumers’ sensitive financial information monetized, but also that it is commingled with consumer attributes like geographic location, social-media habits, and even individual voices. Such advancements, the Bureau worries, could lead to “dynamic pricing algorithms” that show different pricing for different users, based on their harvested personal data.  

The Request reiterated the Bureau’s authority under the Gramm-Leach-Bliley Act, the Consumer Financial Protection Act, and Regulation P, which requires financial institutions to provide certain privacy notices to consumers and limit disclosure of certain nonpublic information, to protect Americans’ financial privacy. The Request emphasized that the model privacy notice under Regulation P that financial institutions must provide to consumers has not been updated since 2009 and signaled that the time is ripe for revisions to both the model form and Regulation P generally. To that end, the Request offered fifteen public inquiries, many with additional subparts, centered around identifying the efficacy of the current Regulation P model form and its opt-out provision. Specifically, the Bureau asks questions such as whether consumers have a reasonable opportunity to opt out of the disclosure of nonpublic information, whether it would be more beneficial to separate the required privacy disclosure from the opt-out notice, whether Regulation P has shortcomings, and what could be done to improve the efficacy of Regulation P generally, among other questions.

The Bureau has asked for comments by April 11, 2025, but it remains to be seen whether the new administration, under a new CFPB Director, will likewise take such a pointed stance on revising Regulation P and protecting American financial privacy.