CFPB: New regulations will better protect consumers’ personal financial data

A new Consumer Financial Protection Bureau (CFPB) rule that gives consumers more choice over financial products and services includes significant privacy protections safeguarding individuals’ data, the agency announced Tuesday.

The rule will require that banks and other institutions only use personal financial data for purposes consumers request, CFPB said. It also blocks third parties from using consumer data to benefit themselves.

Additionally, the new rule will push the financial industry to stop “screen scraping,” a practice in which a consumer provides their login credentials to a third party, giving them the ability to access the consumer’s data, according to a CFPB press release. 

Screen scraping can lead to the sharing of inaccurate data and the dissemination of login information, according to remarks CFPB Director Rohit Chopra will deliver when he unveils the rule later today.

Large financial institutions will be required to begin complying with the regulation, known as the Personal Financial Data Rights Rule, by April 2026 while smaller ones will be given until April 2030, according to a CFPB fact sheet. Some especially small banks and credit unions will be exempt from the regulation.

The final rule prohibits what the CFPB press release called “bait-and-switch data harvesting” by mandating that third parties can only gather, use, or store data to provide the financial product the consumer asks for. 

“A company that ingests consumer’s data can use the data to provide the product or service the consumer asked for, but not for unrelated purposes the consumer doesn’t want,” according to the prepared remarks. “And it doesn’t matter that the company has included those purposes in legal fine print that you don’t have any practical ability to reject.” 

The new rule also gives consumers the right to revoke access to their data and upon doing so immediately block companies from using it, the agency said. A separate element of the rule makes data deletion automatic after a year unless a consumer explicitly consents to extending that period.

Chopra portrayed the new rule’s impact on data privacy and consumer protection as significant.

Companies will no longer be able to “use your data against you by feeding it to a dynamic pricing model that ends up charging you more for an airline ticket,” according to his prepared remarks. “That’s not what you were in the market to get.”

The rule relies on authorities provided by the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act and is the first significant regulation put in place to take advantage of the law’s provision that consumers can access their personal financial data in a “standardized format,” according to Chopra’s remarks.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.