On August 10, 2022, the Consumer Financial Protection Bureau (CFPB) issued a final Interpretive Rule stating that the Consumer Financial Protection Act (CFPA) applies to companies engaged in targeted advertising of financial products and services. Because the CFPB considers these companies to be covered by the CFPA, they would be subject to civil money penalties for any “unfair, deceptive, or abusive practices” (UDAAP), even for first-time violations. Despite the significance of the Interpretive Rule, there was no opportunity for the public to provide comments—the Interpretive Rule will be effective as of the date it is published in the Federal Register.


The CFPA applies to “covered persons” and their “service providers.” A “covered person” is someone who offers or provides financial products or services for use by consumers primarily for personal, family, or household purposes. 12 U.S.C. § 5481(6). A service provider is “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” 12 U.S.C. § 5481(26)(A). Significantly, the term “service provider” does not include entities that provide covered persons either 1) “a support service of a type provided to businesses generally or a similar ministerial service,” or 2) “time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.” 12 U.S.C. § 5481(26)(B). The CFPB explains that digital marketing companies engaged in targeted advertising services are service providers under the CFPA, and that they don’t fall under the exception for providing “time or space for an advertisement.”

The CFPB reasons that entities engaging in targeted advertising go beyond simply providing “time or space for an advertisement…through print, newspaper, or electronic media” because they are involved in the “identification or selection of prospective customers” or the “selection or placement of content to affect consumer engagement.” Even though the carve-out applies to advertising in “electronic media,” the CFPB explains its view that this term only encompasses advertising that is similar to print or newspaper ads, such as contextual advertising. (It seems, though, that if Congress meant for the CFPA to cover advertisers targeting financial products and services, it would have said so, given that regulators were well aware of the practice in 2010, when the CFPA was passed.)

The CFPB goes on to provide some examples of when digital media companies would be covered by the CFPA. It states that they would be subject to the CFPA, even if the covered provider of financial products or services chooses the criteria for delivering an ad or identifies by name who an ad should be delivered to. If the digital marketing company chooses times that the ad should be delivered to maximize engagement, the CFPA would apply to that company. The CFPB even notes that companies engaged in marketing analytics services alone could be subject to the CFPA.

Notably, although the CFPB goes to some length explaining why the exception for “time or space for an advertisement” does not apply, it does not attempt to explain why targeted advertising is outside the other exception for “a support service of a type provided to businesses generally or a similar ministerial service.”


Taken together with a prior CFPB announcement that it intends to use its UDAAP authority to take action against algorithmic discrimination, this Interpretive Rule firmly cements the CFPB’s intention to be a tech regulator. This is significant, given that tech companies working with companies offering financial products or services would be subject to civil money penalties if the CFPB finds them engaged in unfair, deceptive, or abusive practices in violation of the CFPA. 12 U.S.C. § 5565(a)(2). Companies with questions about the CFPB’s authority, potential priorities, and remedies should reach out to Maneesha Mithal, Libby Weingarten, or any other member of the firm’s privacy and cybersecurity practice.