Privacy & Information Security Law Blog

On October 21, 2021, the Consumer Financial Protection Bureau (“CFPB”) issued orders to Google, Apple, Facebook, Amazon, Square and PayPal requesting detailed information about their business practices in relation to payment systems they operate. The CFPB issued the orders pursuant to its statutory authority under the Consumer Financial Protection Act.

In issuing the orders, the CFPB seeks to understand the following practices:

• Data Harvesting: whether the companies share payment data with third parties, including data brokers, and/or combine payment data across product lines;
• Data Monetization: whether the companies use or share payment data with third parties for behavioral targeting;
• Access Restriction and User Choice: whether the companies have taken any steps to restrict merchants and other companies from accessing and using their payment systems, and whether the companies encourage or require users of their other products or services to use their own payment systems; and
• Other Consumer Protections: whether the companies prioritize robust consumer protection in line with consumers’ expectations and under financial privacy laws, including the Gramm-Leach-Bliley Act and the Electronic Fund Transfer Act.

In an official statement, CFPB Director Rohit Chopra indicated that the CFPB also will study the payment system practices of major Chinese payment platforms, such as Alipay and WeChat Pay, to further inform the agency’s work in this area.

The deadline for companies to comply with these orders is December 15, 2021. The information provided pursuant to these orders may also be used in connection with potential rulemaking under Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.