John Gevertz, James Duchesne and Kieran de Terra | Privacy Matters | DLA Piper Data Protection and Privacy
https://privacymatters.dlapiper.com/author/kieran-deterra/

US: CFPB Finalizes Open Banking Rule Under Section 1033: Key Takeaways for Accessing Consumer Financial Data
https://privacymatters.dlapiper.com/2024/11/cfpb-finalizes-open-banking-rule-under-section-1033-key-takeaways-for-accessing-consumer-financial-data/
Fri, 01 Nov 2024

Overview

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-anticipated “Personal Financial Data Rights” rule (and Executive Summary) – more commonly known as the “Open Banking” rule – under Section 1033 of the Dodd-Frank Act. This landmark regulation aims to empower consumers by granting them greater control over their personal financial data, enabling them to access and share this information with third-party providers securely and without charge. According to the CFPB, the rule is designed to foster competition and innovation in the financial services industry by making it easier for consumers to switch financial providers and for new companies to offer innovative products and services.

The final rule requires covered entities – including banks, credit card issuers, digital wallet providers, and other financial institutions – to provide consumers and authorized third parties with access to specified consumer financial data upon request. It also establishes privacy and security protections, limiting third parties’ use of the data they receive to the purposes expressly authorized by the consumer. While the rule has been lauded for promoting consumer choice and competition, it has also faced criticism and legal challenges from industry stakeholders concerned about data security, compliance burdens, and statutory authority.

What Does the CFPB Open Banking Rule Entail?

The CFPB’s Open Banking rule mandates that covered data providers make available to consumers, or to third parties authorized by consumers, certain data related to covered consumer financial products or services free of charge.

  • Covered data – data providers must make available:
    • Account Balance and Transaction Information: At least 24 months of transaction history, including amounts, dates, payment types, merchant names, rewards credits, and fees or finance charges.
    • Payment Initiation Information: Data necessary to initiate payments from accounts, facilitating services like “pay-by-bank.”
    • Terms and Conditions: Details such as fee schedules, interest rates, credit limits, rewards program terms, and whether the consumer has entered into an arbitration agreement.
    • Upcoming Bill Information: Information on upcoming payments due, including scheduled payments to third parties.
    • Basic Account Verification Information: Names, addresses, email addresses, and phone numbers associated with the accounts.
  • Exceptions – data providers do not have to make available:
    • Confidential commercial information.
    • Information collected for the sole purpose of preventing fraud/money laundering.
    • Information required to be kept confidential by law.
    • Information the data provider cannot retrieve in the ordinary course of business.

Which Entities Are “Data Providers” Under the Rule?

The rule applies to a broad range of financial service providers, referred to as “covered data providers.” This includes:

  • Regulation E financial institutions: Banks, savings associations, and credit unions holding consumer asset accounts.
  • Regulation Z card issuers.
  • Payment Facilitators: “Any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.” This includes companies that enable transactions from consumer accounts, including digital wallet providers.

Notably, the final rule exempts depository institutions that hold assets of $850 million or less (i.e., equal to or less than the Small Business Administration size standard for such institutions), aiming to alleviate the compliance burden on smaller banks and credit unions.

Consumer and Developer Interfaces

Under the rule, data providers are required to establish and maintain two separate interfaces for accessing covered data: a consumer interface (e.g., online banking portals that allow consumers to access their data directly) and a developer interface for authorized third parties (e.g., APIs, though the rule is technology neutral) to facilitate secure and standardized access to covered data. Data providers must also provide certain information to consumers and authorized third parties, including: (i) the data provider’s legal name and any assumed names; (ii) a link to its website; (iii) its Legal Entity Identifier (LEI), issued by a utility endorsed by the LEI Regulatory Oversight Committee or the Global LEI Foundation; and (iv) contact information that consumers or third parties can use to ask questions about accessing covered data. Data providers may not charge fees to either consumers or authorized third parties for accessing covered data. The developer interface must meet certain minimum performance standards and may not unreasonably restrict the frequency with which it receives or responds to requests from an authorized third party.

Data providers can deny third parties access to their developer interface only under limited circumstances: if a third party does not present sufficient evidence that its information security practices are adequate to protect covered data, or if the third party does not provide: (i) its legal name (and any assumed names); (ii) a link to its website; (iii) its LEI, issued by a utility endorsed by the LEI Regulatory Oversight Committee or the Global LEI Foundation; and (iv) contact information a data provider may use to inquire about the third party’s information security and compliance practices.

Like the proposed rule, the final rule does not explicitly prohibit screen scraping by authorized third parties; however, the final rule seeks to curtail screen scraping by prohibiting authorized third parties from accessing a data provider’s developer interface using any credentials that a consumer uses to access the consumer interface.

What Are the Privacy and Security Protections and Restrictions on Third Parties?

To safeguard consumer data, the rule imposes several privacy and security requirements on third parties:

  • Purpose Limitation: When a consumer authorizes a third party to access the consumer’s financial data from a data provider, the third party can only use the data for the specific product or service requested by the consumer. Practices like selling the data, or using the data for targeted advertising or for cross-selling the third party’s other products/services, are prohibited (unless the consumer expressly consents to these purposes).
  • Consent and Authorization: Third parties must obtain express consent from consumers through clear authorization disclosures, outlining the data to be accessed and the purpose.
  • Limited Duration of Authorization: The authorization from a consumer is valid for one year, after which the third party must obtain new authorization from the consumer. If an authorization expires, the third party may no longer collect covered data and may no longer use or retain covered data collected under the expired or revoked authorization.
  • Revocation Rights: Consumers have the right to revoke a third party’s access at any time, and third parties must (1) make revocation easy, (2) cease data collection and delete data unless retention is necessary to provide the requested service, and (3) notify the data provider if they receive a revocation request from the consumer.
  • Data Security Programs: Third parties must implement data security measures in line with the Gramm-Leach-Bliley Act (GLBA) or, if not subject to the GLBA, the FTC Standards for Safeguarding Customer Information (i.e., the Safeguards Rule).
  • Policies and Procedures: Third parties must maintain their own internal written policies and procedures to comply with the rule and the rule’s record retention requirements.

What Are the Compliance Deadlines?

Compliance with the rule will be implemented in phases as follows:

Depository Institution (Total Assets) | Non-Depository Institution (Total Receipts)     | Compliance Date
>$250bn                               | >$10bn in either calendar year 2023 or 2024     | April 1, 2026
$10bn – $250bn                        | <$10bn in both calendar years 2023 and 2024     | April 1, 2027
$3bn – $10bn                          |                                                 | April 1, 2028
$1.5bn – $3bn                         |                                                 | April 1, 2029
$850m – $1.5bn                        |                                                 | April 1, 2030
<$850m                                |                                                 | Exempt

Key Takeaways

This significant regulatory development carries several implications for businesses in the financial sector:

  • Prepare for Compliance: Covered entities, both data providers and third parties, should begin assessing their data infrastructure, security protocols, and compliance procedures, and obtain the required LEIs, to meet the new requirements within the specified timelines.
  • Review Data Sharing Practices: Companies seeking to access covered data must evaluate their data collection, use, and retention policies to ensure they align with the purpose limitations and consent requirements of the rule.
  • Enhance Privacy and Security Measures: Robust data security programs compliant with the GLBA and other regulations must be implemented to protect consumer data during access and transfer. This is particularly important for third-party recipients who may not be as familiar with these requirements (as noted above, if the third party is not already subject to the GLBA, it must follow the FTC Safeguards Rule, which sets out detailed security requirements for protecting consumers’ financial information).
  • Monitor Legal Developments: Ongoing legal challenges could impact the implementation and enforcement of the rule. Companies should follow these proceedings and be prepared to adapt accordingly.
  • Engage with Industry Standards: Participation in recognized standard-setting bodies may aid in compliance and contribute to the development of interoperable systems that benefit the industry as a whole (the CFPB finalized its rule regarding standard-setting bodies earlier this summer).

For more information about these developments and how they may affect your organization, contact your DLA relationship partner, the authors of this blog post, or any member of DLA’s Data Protection, Privacy, and Security team.

California Attorney General Settles with DoorDash over Alleged Sale of Personal Information
https://privacymatters.dlapiper.com/2024/02/california-attorney-general-settles-with-doordash-over-alleged-sale-of-personal-information/
Fri, 23 Feb 2024

Overview

On February 21, 2024, the California Attorney General (CA AG) announced that it had reached a settlement with DoorDash over allegations that the company failed to comply with “sale” requirements under the California Consumer Privacy Act (CCPA) and disclosure requirements under the California Online Privacy Protection Act (CalOPPA). The settlement requires DoorDash to pay a $375,000 civil penalty and comply with specific injunctive terms.

The CA AG’s complaint alleges that DoorDash participated in marketing co-operatives (“co-ops”) in which the company provided its customers’ personal information (such as names, addresses, and transaction histories) to the co-op without giving its customers notice or an opportunity to opt out of the sale. Upon receiving DoorDash’s customer personal information, the co-op would combine DoorDash’s customer data with the customer data of other third-party co-op members, analyze the data, and allow members to send mailed advertisements to potential leads. The CA AG considered such data disclosure a “sale” of personal information under the CCPA’s broad definition of that term. Specifically, DoorDash received “valuable consideration” in exchange for disclosing its customer data to the co-op, namely the “opportunity to advertise its services directly to the customers of the other participating companies.”

The CA AG’s second cause of action invoked CalOPPA, a 20-year-old California privacy law that imposes transparency obligations on companies that operate websites for commercial purposes and collect personally identifiable information from Californians. The complaint alleged violations of CalOPPA by DoorDash due to the company’s failure to disclose in its privacy policy that it would share its customers’ personally identifiable information with other third-party businesses (e.g., marketing co-op members) for those businesses to contact DoorDash customers with ads.

Key Takeaways

This settlement serves as a critical reminder of the importance of compliance with current and emerging state privacy laws, emphasizing the broad definition of “sale” under the CCPA and the strict requirements for transparency and consumer choice. Additionally, we expect the California Privacy Protection Agency, another California privacy regulator (vested with full administrative power, authority, and jurisdiction to implement and enforce the CCPA) to ramp up its own investigative and enforcement efforts this year. Thus, businesses should consider the following:

  • “Selling” is Broader than Cookies – companies should re-assess how their data disclosure activities may be considered “selling” under the CCPA. Many companies focus on the use of third-party ad and analytics cookies on their websites as the main trigger for “sale” compliance obligations under the law. This settlement makes clear that companies should broaden their review and assessment of their marketing department’s use of personal information to consider non-cookie related data disclosures.
  • Review and Update Privacy Policies – an outdated, unfair and deceptive, or misleading privacy policy serves as an online billboard announcing a company’s non-compliance with state privacy laws as well as state unfair competition laws (such as California’s Unfair Competition Law (UCL)). As this settlement demonstrates, this can be a magnet for consumer complaints and regulatory scrutiny (including at the federal level under Section 5 of the Federal Trade Commission Act). Companies should continually review and update their privacy policies whenever they materially change how they handle personal information. Under the CCPA, privacy policies must be updated at least annually.
  • Opt-Out Mechanisms – companies should ensure that compliant opt-out mechanisms, including an interactive webform and a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link, are in place. Opt-out mechanisms must also recognize and respond to universal opt-out preference signals, such as the Global Privacy Control (GPC) signal.
  • Don’t Forget the Apps – the complaint noted that both the DoorDash website and mobile application (App) failed to inform consumers about the sale of their personal information and their right to opt out. Companies that collect personal information via an App and engage in “backend” selling of personal information should ensure that the App includes sufficient CCPA disclosures and a mechanism for users to easily opt out of the sale of their personal information (see here for the CA AG’s previous announcement of an investigative sweep focused on violations of the CCPA in the App context).
  • Marketing Co-Ops – this enforcement action makes clear that California regulators consider a company’s participation in a marketing co-operative to be a “sale” under the CCPA. Companies participating in marketing co-ops and other third-party data sharing engagements should carefully review their agreements with the data recipients to ensure they restrict the recipients’ ability to further disclose or sell consumer personal information.

For more information about these developments and the CCPA in general, contact your DLA relationship Partner, the authors of this blog post, or any member of DLA’s Data, Privacy and Cybersecurity team.
