This bill, the PROTECTED Act, modifies small business loan data collection requirements for financial institutions by clarifying disclosure rules, streamlining reporting, and strictly limiting data retention to applicant-provided information to enhance privacy.
Katie Britt, Senator, AL
The PROTECTED Act aims to reform how financial institutions collect and handle sensitive data from small business loan applicants. It mandates clearer disclosures to applicants regarding the voluntary nature of providing data and restricts institutions from retaining data gathered through observation rather than direct submission. Furthermore, the bill modifies reporting requirements and establishes a multi-year timeline for the CFPB to implement new privacy-focused rules.
The “Preventing Regulatory Overreach to Empower Communities to Thrive and Ensure Data Privacy Act”—or the PROTECTED Act—is focused on changing how financial institutions collect and report data when small businesses apply for loans. Essentially, it’s a policy push that tries to balance applicant privacy with regulatory oversight, and it makes some big changes to both sides of that equation.
Starting now, if you’re a small business owner applying for a loan, the bank has to give you a written memo explaining why they’re asking for sensitive data—like demographic information. They must explicitly state that the government (the CFPB) requires them to ask, but that providing the information is completely optional and won't impact your loan decision. This is a huge win for transparency. Imagine being told, “We have to ask, but you absolutely don’t have to answer, and it won’t hurt your chances.” That’s a clear upgrade from the previous, often opaque, process.
Even more interesting is the new privacy block: the bill strictly prohibits financial institutions from gathering data about applicants through visual observation or any means other than the applicant actively providing it. No more guessing or recording based on appearance. If you don't hand over the data, they can't record it. This provision (SEC. 2. New Rules on Data Collection and Privacy) locks down a significant privacy loophole and respects the applicant’s choice not to share.
While applicants gain privacy, regulators lose some visibility. The bill removes three specific categories of data—previously labeled (C), (G), and (H)—from the annual reporting requirements that financial institutions must submit to the government. For the people tasked with spotting unfair lending practices—the CFPB and fair lending advocates—this is a big deal. Their ability to catch subtle discrimination often relies on comprehensive data points. Removing specific categories means the picture regulators see will be less complete, which could make it harder to flag disparities in who gets approved for small business loans (SEC. 2. Changes to Data Reporting Requirements).
Furthermore, the bill says regulators can't use the percentage of applicants who choose to provide the data as a metric to judge whether a bank is meeting its reporting obligations. This removes a key compliance pressure point for banks, but it also ties the hands of regulators who might otherwise use very low collection rates as a sign of potential non-compliance or discouragement tactics.
These new rules only apply to the big players. A “financial institution” must have originated at least 2,500 small business credit transactions in the last two years and have assets of $10 billion or more. So, if your local credit union or a smaller community bank is helping you finance your new food truck, they are likely exempt from these new disclosure and privacy requirements. This creates an uneven regulatory field: the biggest banks have to follow the strict privacy rules, but smaller lenders don't (SEC. 2. Defining Who This Applies To).
Finally, don't expect these changes tomorrow. After the rules become effective, there is a two-year “safe harbor” period before the CFPB can enforce compliance. The effective date itself is tied to the completion of a required cost-benefit analysis, meaning the full implementation of the PROTECTED Act is still a ways off. This extended timeline gives financial institutions plenty of runway to update their systems, which is good news for operational stability.