These are NCLC comments to the CFPB’s Proposed Rule Implementing Section 1033 of the Dodd-Frank Act, Personal Financial Data Rights. In general, we support the proposed regulation and believe it is a strong, protective rule that will ensure that consumers can share data from their deposit, prepaid, and credit card accounts without such access being misused or exploited. The consumer protections in the rule should serve as a model of how to safeguard consumer control and privacy when a consumer grants permission to a business to use data about themselves.
Even with this strong proposed rule, we do have some suggestions for improvement. The most critical of these suggestions are as follows:
- The CFPB should expand the scope of coverage of data providers to include payroll processors, debt collectors, closed-end creditors, and most especially, companies that process transactions for Electronic Benefits Transfer (EBT) recipients.
- The CFPB should require data providers to (1) disclose in their consumer interfaces those third parties accessing the consumer’s covered data and (2) provide a revocation mechanism for such access.
- The CFPB should issue model forms for the authorization disclosure and data aggregator’s certification, including mobile-friendly versions. The CFPB should also prescribe a reading level and a timing requirement.
- The consumer protections at proposed § 1033.421 are the most critical part of the proposed rule and we strongly support their adoption, including the prohibition against secondary uses of covered data. Furthermore, the CFPB should limit each authorization disclosure to only one product or service. The CFPB should require a waiting period, such as 14 days, before a consumer can be solicited (which cannot be based on covered data) to consent to a second authorization disclosure for a second product or service.
Additional suggestions are discussed throughout the text of the comments.