Numerous websites and mobile applications initially collected many types of consumer data (e.g., location data, shopping activities, web sites visited) and sold it to the third parties (data aggregators). Later, numerous states and the European Union developed a patchwork of consumer privacy and data security laws to regulate such information gathering and distribution. In the financial space, GLBA and FCRA have restricted certain consumer information sharing with others for decades and in the case of GLBA, created additional data security requirements. Today, as the consumer information market evolves, there are new entrants as well as regulatory proposals and rules for obtaining and sharing information as part of current and future financial product service offerings and transactions. Our attorneys have advised companies on data security and privacy requirements related to data sharing and use authorization as the heads of privacy in-house and as the head of Regulation P inquiries at the Office of Regulations at the CFPB. We have also been keenly aware of the CFPB's development of the 1033 rulemaking and the possible implications and opportunities enabled by the final rule.