Recent advances in data-driven technology in consumer financial markets, commonly referred to as “fintech,” have resurfaced the question of whether and to what extent data, particularly consumers’ personal data, should be a locus for regulatory intervention in these markets. While innovation in fintech and the accompanying increase in the processing of personal data offer to improve the functioning of consumer financial markets, like all advances in technology, they also come with costs and risks. In 2024, in a move that favored the regulation of personal financial data per se and many of the traditional features of personal data protection regulation, the Consumer Financial Protection Bureau (CFPB or “the Bureau”) issued a new “Personal Financial Data Rights Rule.” The Rule seeks to mitigate the costs and risks of fintech and capture its benefits, specifically due to “Open Banking,” a fast-growing digital network that enables consumers to transfer their personal financial data between financial institutions.
As fintech innovation advances and the Bureau looks to personal data protection regulation as a model for regulating consumer fintech markets, this Article sounds a note of caution. As theory predicts and empirical evidence corroborates, despite its intuitive appeal, there are clear limits to the effectiveness of personal data protection regulation. The problem is not only the limitations of the traditional, mostly procedural and contractarian approach of personal data protection regulation, but also, more conceptually, the limitations of personal data per se as a locus for balancing the costs and benefits, and opportunities and risks, of data-driven innovation. This is increasingly true in a world of “big data” and sophisticated “artificial intelligence” systems.
Coming from a position of pragmatism, and using consumer credit markets as a case study, this Article cautions against overreliance on the logic and traditional features of personal data protection regulation in consumer fintech markets. Regulators should not rely too heavily on traditional features such as categorical ex ante limits on the flow of consumer data, high-level principles such as “data minimization,” or individual data processing rights such as consent and data deletion that require consumers to self-police and prevent harm. Rather, regulators should seek to facilitate the secure flow of consumer data in consumer fintech markets, while carefully controlling, through “product,” “conduct,” and “prudential,” regulation, how firms use and apply that data in the design and sale of digital consumer financial products and services. Thus, data use, rather than data flow, becomes the more meaningful locus for mitigating the costs and risks and capturing the benefits and opportunities of fintech innovation.
In making this argument, this Article also advocates for a more consequentialist approach to consumer financial privacy, whereby the benefits to some consumers resulting from the use of their data—such as access to more affordable credit—can be balanced against, and conceivably outweigh, any intrinsic harms due to the collection and transmission of personal data per se, or consequential harms to other consumers due to harmful uses of that data—such as higher cost, less affordable credit. Relatedly, this Article advocates for the greater pursuit of substantive fairness—more favorable substantive outcomes for consumers due to the use of their data—and not only procedural fairness in digital consumer financial markets. This Article’s conclusions could have broader implications for the methods and limits of personal data regulation in other digital consumer markets not limited to consumer fintech markets.