Technology Regulation by Default: Platforms, Privacy, and the CFPB
In the absence of a technology-focused regulator, diverse administrative agencies have been forced to develop regulatory models for governing their sphere of the data economy. These largely uncoordinated efforts offer a laboratory of regulatory experimentation on governance architecture. This symposium essay explores what the Consumer Financial Protection Bureau (CFPB) has done in its first several years to regulate financial technology (“fintech”), in the context of broader technology-related concerns identified in the literature.
The CFPB offers an example of an agency that avoids some of the major potential institutional challenges that other regulators might face: susceptibility to capture, a lack of technological sophistication, and insufficient authority. Launched in 2011 with a “technocratic impulse,” the CFPB embraced its identity as a 21st century agency from the outset. It opened a Twitter account and hired a large number of computer engineers before becoming operational, and has developed a suite of online digital tools for consumers. Compared to the Federal Trade Commission (FTC), the CFPB has more authority to write rules, impose civil penalties, and monitor what businesses are doing with algorithms. Its funding is independent of congressional appropriations, and its director can only be fired for cause. Granted, the CFPB has its own relative limitations, including a long list of important, post-financial-crisis needs waiting at its inception; strong political and industry resistance; and a mission focused only on finance. The agency nonetheless offers a window into how a powerful, independent, and technologically savvy agency might regulate the data economy.
The body of this essay begins with a survey of what the CFPB has undertaken using more traditional administrative agency tools—enforcement and rulemaking—in areas such as privacy, consumer control over data, and regulatory sandboxes. It then looks at how the CFPB has used technology to protect consumers, through Twitter and online advisory tools. The essay closes by considering open questions, including the possibility of the CFPB’s privacy activities extending its oversight of tech giants like Facebook and Amazon, and the extent to which the CFPB might exercise additional authority to inspect financial algorithms. More systematic study of the agency’s activities is needed, but the CFPB’s early experiences both provide examples that other agencies might follow and indicate the difficulty of relying on industry-specific regulators to govern the data economy, rather than an agency focused on technology.
Rory Van Loo
Associate Professor of Law, Boston University; Affiliated Fellow, Yale Law School Information Society Project. For excellent research assistance, I am grateful to Daniela Abadi, Phoebe Dantoin, Amy Mills, Thomas Perkins, and Kelsey Sullivan. The author was on the implementation team that set up the Consumer Financial Protection Bureau. All information below is based on publicly available sources.