Sullivan & Cromwell Discusses CFPB’s Focus on Tech Companies and Personal Finance Data

Last week, the CFPB took three actions demonstrating the agency’s continued focus on technology companies and personal financial data protection.  First, the CFPB issued an interpretive rule explaining the CFPB’s view that many digital marketing providers may be “service providers” subject to the CFPB’s supervisory authority under the Consumer Financial Protection Act (“CFPA”), including its authority to address unfair, deceptive, or abusive acts or practices (“UDAAP”).  Second, the CFPB issued a circular explaining that insufficient data protection or information security by covered persons and service providers is an unfair act or practice under the CFPA.  Finally, the CFPB announced an enforcement action against a FinTech company whose algorithm led to deceptive acts or practices in violation of the CFPA.

Individually and collectively, these actions demonstrate the CFPB’s continued focus on the potential risks to consumers presented by certain financial technology-related advancements, including specifically algorithmic decision-making and digital advertising.  They also reflect the agency’s ongoing emphasis on the potential misuse and abuse of personal financial data, in particular by technology companies.


On August 10, 2022, the CFPB issued an interpretive rule explaining the CFPB’s views on digital marketing under the so-called “marketing exception” from the definition of “service provider” in the CFPA.[1]  Under the marketing exception, persons who offer or provide time or space for an advertisement for a consumer financial product or service in print, newspaper, or electronic media are not service providers “solely” by virtue of that activity.[2]  Persons who do not satisfy this exception (or any other exception) and who provide a material service to a “covered person”[3] in connection with offering or providing a consumer financial product or service are “service providers” under the CFPA and are subject to the CFPB’s supervisory authority, including its authority to address UDAAP.

According to the interpretive rule, digital marketing providers that commingle the targeting and delivery of advertisements to consumers, such as by using algorithmic models or other analytics, with providing time or space for an advertisement typically may not avail themselves of the marketing exception.  Indeed, according to the interpretive rule, digital marketers that provide additional services beyond airtime or physical space for an ad do not qualify for the exception.  In reaching this conclusion, the CFPB points both to the equivalence between the activities of digital marketers and the functions traditionally performed by a covered person’s in-house marketing function, and to the “dramatically different role” played by digital marketing providers as compared with traditional media sources.  More specifically, according to the CFPB, digital marketing providers target and deliver ads to specific consumers using sophisticated analytic techniques, including machine learning and behavioral analytics, relying on large amounts of consumer data, including data collected through harvesting.  According to the CFPB, these digital marketing providers are providing a “material service”—the development of content strategy by identifying or selecting prospective customers or selecting or placing content to affect customer engagement—and not “solely” time or space for an advertisement.  As such, the rule concludes that they are “service providers” under the CFPA.  The CFPB’s interpretation extends to digital marketing providers that target and deliver advertisements to users with certain characteristics or at specific times to specific users, even if those characteristics (e.g., all persons in a particular age range in specified zip codes) are specified by the covered person.  The interpretation also applies regardless of whether the digital marketer operates the website or platform on which the advertisement appears.

In the interpretive rule, the CFPB states that a digital marketer that is only “minimally involved” in identifying or selecting prospective customers or placing content to affect customer engagement may typically avail itself of the marketing exception.  Minimal involvement would include offering a covered person the ability to choose to run an advertisement on a particular webpage or application of the covered person’s choosing, if the advertisement would be seen by any user of the page or application.

In remarks released the same day, CFPB Director Rohit Chopra elaborated on the interpretive rule.[4]  In his remarks, he noted the “growing interest from Big Tech companies to find new ways to harvest and monetize our personal financial data” and described the Department of Housing and Urban Development’s 2019 suit against Facebook alleging that Facebook violated the Fair Housing Act by helping advertisers limit the audience for ads and target specific groups of people to the exclusion of protected classes.  He also highlighted the states’ authority to bring suit to enforce the CFPA, including against digital marketers.


On August 11, the CFPB issued a circular explaining that insufficient data protection or information security can lead to a violation of the CFPA’s prohibition on unfair acts or practices.[5]  The CFPB pointed to CFPB and FTC precedent identifying “reasonable cost-efficient measures to protect consumer data,” and states that, when those measures are not undertaken, a covered person or service provider may engage in an unfair act or practice because “the risk of substantial injury to consumers will outweigh any purported countervailing benefits to consumers or competition.”[6]  In particular, the CFPB pointed to: (1) the CFPB’s and FTC’s 2019 action against Equifax; (2) the FTC’s 2016 action against online check processor Qchex; (3) the FTC’s 2012 suit against the hospitality company Wyndham; and (4) the FTC’s 2022 action against the operators of CafePress.  According to the circular, these cases and the agencies’ experience point to several “common” data security practices that may reduce the likelihood of a company engaging in an unfair act or practice:

  • Multi-factor authentication. Multi-factor authentication is a security enhancement that requires multiple credentials—or, “factors”—before an account can be accessed.  Covered persons and service providers should require multi-factor authentication for employees and offer multi-factor authentication as an option for consumers accessing systems and accounts, or a reasonably secure equivalent.  The circular notes that multi-factor authentication solutions that protect against credential phishing, such as those using the Web Authentication standard supported by web browsers, are especially important.
  • Password management. Covered persons and service providers should have adequate password management policies and practices.  These include processes to monitor for breaches at other entities where employees may be re-using logins and passwords, notifying users when a password reset is required as a result of such a breach, and prohibiting the use of default enterprise logins or passwords.
  • Timely software updates. Covered persons and service providers should routinely update systems, software, and code (including those utilized by contractors), and in particular should do so when notified of a critical vulnerability.  They should also maintain asset inventories of system software dependencies to confirm that software is up to date and to identify where patches are needed, and should not use versions of software that are no longer actively maintained by their vendors.


On August 10, the CFPB announced a Consent Order with Hello Digit, a FinTech company that offers an automated-savings tool to consumers that relies on algorithmic decision-making.[7]  Based on its proprietary algorithm, Hello Digit initiates automatic electronic-fund transfers—so-called “autosaves”—to move money from the consumer’s checking account to an interest-bearing account held in Hello Digit’s name at a third-party bank.  According to the Consent Order, Hello Digit engaged in several practices that violated the CFPA’s prohibition on deceptive acts or practices.[8]  First, Hello Digit told consumers that the algorithmic autosave tool saves “the perfect amount” and never transfers more than the consumer can afford when Hello Digit knew that autosaves using the algorithm frequently caused consumers’ checking accounts to overdraft because the algorithm relies on stale data and cannot predict all relevant behavior.  Second, Hello Digit told consumers that it would reimburse overdraft fees resulting from autosaves, but it failed in many instances to actually do so.  And, third, Hello Digit told consumers it was returning to them the interest it earned on their funds held in the bank account, but it actually retained some of that interest.  The order requires Hello Digit to provide at least $68,145 in redress to consumers, pay a $2.7 million penalty, and undertake various remedial measures.


Consistent with other recent CFPB issuances and our prior observations, the digital marketing interpretive rule, particularly when coupled with the CFPB’s recent actions and Director Chopra’s recent statements with respect to FinTech and “Big Tech” companies, signals continuing efforts by the CFPB to assert CFPB jurisdiction over a wide array of technology companies and other digital businesses, including “Big Tech.”[9]  The Hello Digit action highlights the CFPB’s continued interest in taking action that showcases the harms that can be caused by algorithms and algorithmic decision-making.  Addressing those harms has been a longstanding priority of Director Chopra, as we have also previously discussed.  Finally, the data protection circular furthers the CFPB’s and Director Chopra’s ongoing efforts to address the potential misuse and abuse of personal financial data, in particular by technology companies.[10]

Digital marketing companies that serve covered persons should closely review the interpretive rule, as should the covered persons they serve, and consider the potential implications for their relationships.  In addition, covered persons should review their data security practices to ensure they incorporate the “common” practices the CFPB identifies in the circular.  Although neither the interpretive rule nor the circular on data protection was subject to formal notice and comment before issuance, they are strong indications of the CFPB’s prioritization of these topics and could foreshadow additional actions based at least in part on the standards set out in the two releases.


[1]           CFPB Interpretive Rule, Limited Applicability of Consumer Financial Protection Act’s “Time or Space” Exception with Respect to Digital Marketing Providers (Aug. 10, 2022), available at

[2]           12 U.S.C. 5481(26)(B).

[3]           A “covered person” is, generally, a person that offers or provides a financial product or service to consumers.

[4]           Director Chopra’s Prepared Remarks at the 2022 National Association of Attorneys General Presidential Summit (Aug. 10, 2022), available at

[5]           CFPB Circular 2022-04, Insufficient data protection or security for sensitive consumer information (Aug. 11, 2022), available at  As noted in the circular, these practices may also violate laws and rules specifically targeted at data protection and information security.

[6]           The CFPB also states it is unaware of any court that has found that the substantial injury caused by poor data security practices was outweighed by benefits to consumers or competition.

[7]           In the Matter of Hello Digit, No. 2022-CFPB-0007 (Aug. 10, 2022), available at  Hello Digit was acquired by Oportun Financial Corporation in December 2021.

[8]           12 U.S.C. 5536(a).

[9]           See, e.g., CFPB Invokes Dormant Authority to Examine Nonbank Companies Posing Risks to Consumers (Apr. 25, 2022), available at; CFPB Shutters Lending by VC-Backed Fintech for Violating Agency Order (Dec. 21, 2021), available at; Consumer Financial Protection Bureau Opens Inquiry into “Buy Now, Pay Later” Credit (Dec. 16, 2021), available at; Statement Regarding the CFPB’s Inquiry into Big Tech Payment Platforms (Oct. 21, 2021), available at

[10]         See, e.g., Prepared Statement of Director Rohit Chopra before the House Committee on Financial Services (April 27, 2022), available at; “New risks emerge as line between payments and commerce blurs” (Aug. 4, 2022), available at; Statement Regarding the CFPB’s Inquiry into Big Tech Payment Platforms (Oct. 21, 2021), available at

This post comes to us from Sullivan & Cromwell LLP. It is based on the firm’s memorandum, “Recent CFPB Actions – CFPB Issuances Demonstrate Continued Focus on Technology Companies and Personal Financial Data Protection,” dated August 16, 2022, and available here.