CFPB, Federal Agencies, State Agencies, and Attorneys General
The quality of the CFPB’s information security program “has decreased since last year, leading us to conclude the program no longer is effective,” the bureau’s Inspector General (IG), said in a report.
The bureau’s overall security program has decreased from “manageable and measurable” to “defined,” the IG said in an annual audit conducted between April 2025 and October 2025, which is only one step above the lowest security rating.… Continue Reading
On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) published its long-anticipated proposed rule aimed at regulating data brokers under the Fair Credit Reporting Act (FCRA). Although the CFPB’s future is uncertain under the upcoming administration, if implemented, the rule would significantly expand the reach of the FCRA.
In the accompanying press release, the CFPB stated that its “proposal would ensure data brokers comply with federal law and address critical threats from current data broker practices, including” national security and surveillance risks; criminal exploitation; and violence, stalking, and personal safety threats to law enforcement personnel and domestic violence survivors. … Continue Reading
On November 12, 2024, the Consumer Financial Protection Bureau (CFPB) released a report examining the carve outs and limitations contained in comprehensive state privacy laws relating to financial institutions. In an accompanying press release, the CFPB stated that in its assessment, “privacy protections for financial information now lag behind safeguards in other sectors of the economy.”… Continue Reading
On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) issued its final rule implementing Section 1033 of the Dodd-Frank Act (the “Final Rule” or the “Open Banking Rule”), granting consumers greater access rights to the data their financial institutions hold. Although there are some differences, the Final Rule largely tracks the Proposed Rule announced by the CFPB last year on October 19, 2023, with the largest concession coming in the form of the extended effective date.… Continue Reading
The CFPB has launched the process for independent standard-setting bodies to receive formal recognition, as part of its efforts to shift towards open banking in the United States.
On June 5, 2024, the CFPB finalized a rule outlining the minimum attributes that standard-setting bodies must exhibit to issue standards in compliance with CFPB’s proposed Personal Financial Data Rights Rule.… Continue Reading
Minnesota becomes the latest state to move to pass legislation regulating the processing and controlling of personal data (HF 4757 / SF 4782). If signed into law by Governor Tim Walz, the Minnesota Consumer Data Privacy Act, or MCDPA, would go into effect on July 31, 2025 and provide various consumer data privacy rights and impose obligations on entities that control or process Minnesota residents’ personal data.… Continue Reading
Colorado has become the first state to pass legislation (SB24-205) regulating the use of artificial intelligence (AI) within the United States. This legislation is designed to address the influence and implications, ethically, legally, and socially, of AI technology across various sectors.
Any person doing business in Colorado, including developers or deployers of high-risk AI systems that are intended to interact with consumers. … Continue Reading
The FTC published guidance warning companies that “[i]t may be unfair or deceptive for a company to adopt more permissive data practices—for example, to start sharing consumers’ data with third parties or using that data for artificial intelligence (AI) training—and only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or privacy policy.” … Continue Reading
On November 21, the Federal Trade Commission (“FTC”) approved in a 3-0 vote a resolution authorizing the use of compulsory process in nonpublic investigations involving products and services that involve or claim to involve artificial intelligence (AI).
Compulsory process is akin to a subpoena, and it allows the FTC to request the production of information, documents, or testimony relevant to an investigation. … Continue Reading
On November 27, 2023, the California Privacy Protection Agency (CPPA) published proposed Automated Decision-Making Rules to be discussed by the CCPA board at its upcoming meeting on December 8, 2023. While the proposed rules are far from final—indeed, they are not even official draft rules—they signal that the CPPA is considering rules that would have significant impact on businesses subject to the California Consumer Privacy Act (CCPA).… Continue Reading
