The CFPB is Reconsidering Personal Financial Data Rights Rule Under the Dodd-Frank Act

On August 22, 2025, the Consumer Financial Protection Bureau (CFPB) issued an advance notice of proposed rulemaking seeking public comment on potential revisions to its Personal Financial Data Rights Rule (the Rule) under Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).  Specifically, the CFPB is seeking comments on four issues:

1. Section 1033 of the Dodd-Frank Act defines a “consumer” to include an individual or an agent, trustee, or representative acting on behalf of a customer. The CFPB is requesting comment on whether representatives must be fiduciaries or whether non-fiduciary third parties can also qualify.
2. The Rule prohibits data providers from charging Consumers or third parties fees for providing access to data. The CFPB is requesting comment to determine the optimal approach to whether reasonable cost recovery should be allowed and whether caps should be imposed if fees are permitted to defray the costs incurred by a “covered person” in responding to a customer-driven request.
3. The CFPB is seeking comment on whether existing data security requirements under the Gramm-Leach-Bliley Act are sufficient; the cost-benefit for implementing secure systems in compliance with Section 1033 of the Dodd-Frank Act; how responsibilities should differ between fiduciary and non-fiduciary representatives; and if there are any peer-reviewed studies to assess whether levels of information security materially vary between those businesses that have fiduciary duties to their clients and those that do not.
4. The Rule required informed consent for third-party access and limited data use to the product requested by the Consumer. The CFPB is requesting comment on whether the Rule provides adequate protection of Consumer privacy; how prevalent the licensure or sale of Consumer Financial Data by bank and non-bank financial institutions is where customers either have the right to opt into or opt out of having their data licensed or sold; what the approximate balance is between such regimes where the customer is given a choice; and what estimates exist on the percentage of financial service platform users who actually read and/or understand user agreements and privacy notices in their entirety.

Comments must be submitted by October 21, 2025. The CFPB will use the information it gathers from the comments to determine whether to formally propose a new rule. We will continue to monitor developments in the rulemaking process.