On September 22, the GAO issued a report regarding the privacy and data security implications of the CFPB’s data collection practices. The report, performed in part based on a request by Senator Crapo, notes the CFPB’s data includes three one-time collections of data that contain information that directly identifies individuals: arbitration case records, deposit account data regarding deposit advance products, and borrower-level activity regarding storefront payday loans. The report highlights several areas for improvement: (i) development of written procedures and documentation regarding data intake and information security risk assessments; (ii) implementation of privacy control steps and information security practices; and (iii) Paperwork Reduction Act compliance regarding credit card data. In a comment appended to the report, the CFPB outlines the reasons for its data collection efforts and concurs with the GAO’s recommendations addressed to the CFPB.