On October 18, 2017, the Consumer Financial Protection Bureau released its Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (Principles).
According to the CFPB, the Principles express the Bureau’s vision for realizing a robust, safe, and workable data aggregation market that gives protection, usefulness, and value. The CFPB also specifically noted that the Principles are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—existing protections. The Principles do not themselves establish binding requirements or obligations relevant to the Bureau’s exercise of its rulemaking, supervisory, or enforcement authority. In addition, the Principles are not intended as a statement of the Bureau’s future enforcement or supervisory priorities.
There are nine Principles: (1) Access, (2) Data Scope and Usability, (3) Control and Informed Consent, (4) Authorizing Payments, (5) Security, (6), Access Transparency, (7) Accuracy, (8) Ability to Dispute and Resolve Unauthorized Access, and (9) Efficient and Effective Accountability Mechanisms.
A copy of the article can be found, here.
The CFPB Principles can be found here: http://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf.
Key Takeaway: The FTC and the CFPB are actively seeking to ensure a workable data aggregation market that gives consumers protection and value. Those in the lead generation and aggregation marketplace should disclose clearly to consumers who they are and how they will share consumer information. Consumers should be able, upon request, to obtain information about their ownership or use of a financial product or service from their product or service provider and to be generally able to authorize trusted third parties to obtain such information from account providers to use on behalf of consumers, for consumer benefit, and in a safe manner. All parties that access, store, transmit, or dispose of data should use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes. Consumers should be informed of or able to readily ascertain the identity and security of each third party the consumer has authorized to access or use the consumer’s account information, the data they access, their use of such data, and the frequency at which they access the data is reasonably ascertainable to the consumer throughout the period that the data are accessed, used, or stored. Consumers should have reasonable means to dispute and resolve data inaccuracies and to resolve instances of unauthorized access and data sharing.
Richard B. Newman is an Internet marketing compliance and regulatory defense attorney at Hinch Newman LLP focusing on advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state Attorneys General, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements.
ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35thFloor, New York, NY 10005 | (212) 756-8777.