As we noted in our assessment last week, CFPB Director Chopra has taken another bold step rewriting consumer finance with a strong stand in favor of stiff new consumer-data protections. These would abandon the notice-and-consent approach which, as Mr. Chopra rightly says, leaves most of us with little privacy and less protection. Instead, certain uses to which firms put our data would simply be prohibited. If the CFPB can get this right, then it will strike a blow not only for personal privacy, but also for sound finance with far fewer high-risk conflicts of interest.
The notice-and-consent approach to privacy protection is the epitome of information asymmetry and thus of ineffective consumer protection. We all know what it is by virtue of the regular process by which our smart phones apprise us of updates often designed more to capture our data than to improve reliability or functionality. Under pressure, phone providers have recently added a bit more information on what each update does if one can find and then understand it, but failure to agree to an update endangers continued cell-phone service. This is the equivalent of solitary confinement and so each of us dutifully agrees to each update no matter how much of our privacy we give away.
Financial-privacy disclosures are still largely an analog game by virtue of the privacy notices required under the 1999 Gramm-Leach-Bliley Act. Back then, finance was bereft of digital paraphernalia and banks dominated it. Thus, these privacy notices were and are essentially paper-based and largely limited to banks. This is bad enough, but these notices also don’t work because, again, few of us read them, most can’t understand them, and virtually all of us take them as a necessary cost of doing business.
Mr. Chopra’s new, better idea is express prohibitions on consumer financial data deployed to profit the provider in unseemly or even improper ways. This approach is likely to be far more effective than notice-and-consent and far less disruptive than the express data-ownership rights President Biden has urged to promote market competition because it is like-kind for like-kind use regardless of charter and fraught with fewer complexities and risks.
To be sure, it will be hard to define the borders between data use to enhance efficiency, security, and innovation and data principally aimed at knowing more about us to make more money from us in opaque ways that threaten informed consent and market integrity. But hard doesn’t mean impossible and I think it’s more than possible to set up bright-line borders that significantly enhance consumer privacy and thereby also increase fair competition and sound finance.
Better consumer-data protection means greater financial-market integrity because it means more equitable market competition founded on true consumer choice. As early as 2018, FedFin noted the dangers to market efficiency, consumer rights, and the regulatory perimeter when diversified, unregulated nonbanks such as tech-platform firms use personal financial data to target social-media, advertising, or retail- and financial-product offerings. We noted then and said still more about this in a 2019 paper, showing also that these risks are considered so grave that banks are governed by express restrictions designed to prevent them.
For example, bank holding companies are barred by anti-tying prohibitions in the Bank Holding Company Act preventing banks from conditioning essential product offerings on purchase of an ancillary product or service. Banks are also required to warn consumers before offering certain nonbank products to ensure that consumers don’t fall for blandishments suggesting insurance or other services are backed by the FDIC.
When banking and commerce are packaged, consumer data are even more potent in terms not only of the enormous clout embedded in surveillance capitalism, but also due to immediate risk to a consumer’s well-being now. Tech-platform companies already devise limited product offerings based not on what our data say we might like or the most cost-effective option, but on higher-cost or inside-vendor items that may suit their own purposes far better than ours. This conflict of interest afflicts us every day, but it’s at least bearable when it comes to sneakers. It’s not when it comes to choosing products such as a sound place to put our money, a life-insurance policy, or a home mortgage.
Bad decisions here put family financial security at grave risk. Banks, brokers, and insurance companies don’t always give customers the best buy, but the rules that govern them limit the products they offer and define the protections that apply regardless of whether the consumer understands these back-end safeguards. Banks can’t shave a bit off a product’s seeming cost to make it up by opaque payment-transfer fees and they can also ensure payment finality, another vital consumer protection we won’t know is gone until it is. Even worse, bad decisions may well be made for us by conflicted firms thanks to all the consumer data they possess to enhance profitability without our ever being wise to what’s being done seemingly to serve our needs.
No notice of any reasonable size or readability can help us see these risks coming and most Americans don’t have time to read or the legal skills to understand any disclosure that purports to do so. Informed consent to any notice about how platform companies use our data now and to come is impossible. Hard though they will be to craft, bright-line prohibitions are thus essential.