Data Protection and Privacy 2025

USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP

3.2 Interaction of Data Regulation and Data Protection

In the USA, some laws and regulations designed to foster competition in the digital information ecosystem also impose data privacy obligations, to ensure that such data will be protected even as the data is made available for new products and services. For instance, as previously noted, the CFPB’s Personal Financial Data Rights rule seeks to promote competition among various providers in the financial technology ecosystem by giving consumers the right – free of charge – to request the transfer of their personal financial data in usable format to third parties and to allow third parties to access such data with consumer authorisation. Because the rule requires certain financial institutions, defined as “data providers” (what would be “data holders” under the EU Data Act), to make this data available, consumers may be able to switch between financial institutions more easily, potentially increasing competition and improving service offerings. The CFPB’s rule is also intended to spur innovation in the fintech marketplace by enabling greater interoperability among banks and various fintech providers. At the same time, the rule also imposes privacy and data protections, such as requiring data providers and third parties to limit the purposes for which consumer data is used and disclosed, and prohibiting the sale of consumer data or its use for targeted advertising and cross-selling. The rule also imposes various data security obligations of the GLBA on data providers and third parties.

Similarly, the state laws that give consumers the right to obtain their personal data in a portable and readily usable format, when technically feasible, are privacy laws that require companies to give consumers certain privacy rights and protections. These laws also generally impose data minimisation requirements on companies, limiting the amount of personal data that they can process to what is necessary, reasonable and proportionate for the purposes disclosed to the consumer. These data minimisation requirements may limit the amount of personal information that is ultimately available for transfer to or access by another entity.

3.3 Rights and Obligations Under Applicable Data Regulation

Data-processing services, including cloud service providers and similar service providers, are subject to the laws and regulations described in the foregoing sections and that apply generally to controllers and processors of personal information. To that end, consumers have the right under state privacy laws to request that data-processing service providers give them a portable and readily usable copy of their personal data, or otherwise enable the transfer of such data directly to another provider.

3.4 Regulators and Enforcement

While the CFPB has authority to enforce the Personal Financial Data Rights rule, there has been no enforcement of said rule as of this article’s publication, since the first of several compliance dates is not until 1 April 2026. The CFPB’s enforcement authority flows from the Consumer Financial Protection Act, which allows the CFPB to file an action in federal court or to initiate an administrative adjudication proceeding in response to violation of its regulations.

4. Sectoral Issues

4.1 Use of Cookies

Unlike in the EU, businesses are not required – except in limited circumstances – to obtain opt-in consent from consumers in the USA before
