In July 2010, Congress passed and President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act. The Act created the Consumer Financial Protection Bureau. The CFPB consolidates most federal consumer financial protection authority in one place. The consumer bureau is focused on watching out for American consumers in the market for consumer financial products and services.
The , as amended, 5 U.S.C. § 552a, governs the protection of personally identifiable information (“PII”). It regulates how Executive Branch agencies and departments collect, store, use, and give out PII.
By its terms, the Privacy Act provides statutory privacy rights and protections only to U.S. citizens and Legal Permanent Residents, also called “U.S. persons.”1 The Privacy Act does not apply to non-U.S. citizens who are not Legal Permanent Residents, also called “non-U.S. persons.” Nevertheless, the Office of Management and Budget has issued that encourages agencies that maintain a mixed system of records to treat non-U.S. persons’ information as if they were subject to the Privacy Act.
As a matter of discretion, the CFPB will treat any PII that it maintains in its mixed systems of records as being subject to the provisions of the Privacy Act, regardless of whether or not the information relates to U.S. persons covered by the Privacy Act.
The CFPB will handle information relating to a non-U.S. person in accordance with the fair information practices, as set forth in the Privacy Act as well as the CFPB Privacy Principles. Non-U.S. persons have the right of access to their PII and the right to amend their records, unless a Privacy Act exemption applies. In this way, the CFPB reinforces its commitment to protecting individual privacy and follows OMB’s 1975 guidance on the Privacy Act.
Mixed system of records – Any system of records that collects, maintains, or disseminates information, which is in an identifiable form, and which contains information about U.S. persons and non-U.S. persons.
System of records –A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.2