Gramm-Leach-Bliley Act (GLBA): An overview

The GLBA establishes privacy and security requirements for financial institutions to protect consumer data. In this article, we explore who the GLBA applies to, the Act’s key provisions, and the compliance steps for businesses to take to safeguard consumers’ sensitive financial information.
Published by Usercentrics
Jan 10, 2025

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, sets standards for protecting consumer data in the United States’ financial industry. Amid growing concerns about how institutions collect, use, and share sensitive personal information, the Act was passed as part of sweeping reforms to modernize the financial services sector.

The GLBA was among the first US data privacy laws to impose specific data privacy and security requirements on businesses. Its aim is to give consumers more control over their personal information while requiring institutions to adopt robust data protection measures.

Although the GLBA predates the current wave of state-level privacy laws and federal privacy legislation, its requirements continue to shape how financial institutions approach consumer data protection. Its principles have influenced many subsequent regulations, and remain central to compliance efforts in the financial industry. 

The GLBA is also usually referenced explicitly in the state-level US data privacy legislation passed to date: those laws recognize that the federal GLBA is robust both in its protections and in the responsibilities it assigns, and that it takes precedence.

What is the Gramm-Leach-Bliley Act (GLBA)?

The GLBA is a US federal law that addresses data security and data privacy practices in the US financial industry. It mandates that businesses that handle individual financial information, like banks, insurers, and loan providers, protect that data, inform customers of privacy practices, and limit data sharing.

GLBA summary

The GLBA was created to address concerns about data security and privacy within the financial sector. The regulation aims to protect consumers’ financial information and prevent sensitive data exposure by requiring that organizations follow responsible practices when handling data.

Any business that’s “significantly engaged” in financial activities and handles consumer financial data is required to follow the rules set out by the GLBA. 

This definition includes financial institutions in the traditional sense — like banks, credit unions, and insurance companies — as well as businesses that are not usually recognized in this category — such as loan brokers, debt collectors, mortgage lenders, financial advisors, and tax preparers. 

The GLBA requires these institutions to adhere to the following rules, which are aimed at maintaining transparency and accountability, while mitigating risks associated with data misuse:

  • Financial Privacy Rule: Financial institutions must provide clear privacy notices that detail how personal information is collected, used, and shared. They must also give consumers the opportunity to opt out of certain data-sharing practices with unaffiliated third parties.
  • Safeguards Rule: Businesses that handle consumer financial data must develop, implement, and maintain robust data security programs to protect customer information from unauthorized access or breaches.
  • Pretexting Rule: This provision, which has been designed to counter criminal activity like fraud and identity theft, makes it illegal for anyone to obtain, disclose, or attempt to obtain or disclose a financial institution’s customer information under false pretenses. 

GLBA updates

On May 13, 2024, an amendment to the Federal Trade Commission’s (FTC) Standards for Safeguarding Consumer Information (“Safeguards Rule”) came into effect. This update introduced more stringent requirements for security practices and data breach notifications. 

Before the amendment, the GLBA simply required financial institutions to “develop, implement, and maintain a comprehensive security program” that “contains administrative, technical, and physical safeguards” that were appropriate considering the size and complexity of the entity.

The updated rule includes more detailed requirements for these systems, outlining nine elements a business’s information security program must include.

Most significantly, it introduced a notification requirement. Financial institutions must now notify the FTC of any security event involving unauthorized access to customer information if 500 or more individuals are affected. Prior to the new rule being adopted in 2023, there was no notification requirement. A prior proposal set the threshold at 1,000 individuals, but it was amended to 500. Notifications of such a breach must be sent to customers as soon as possible, and no later than 30 days after discovery.

This amendment created a very low threshold for mandatory breach notifications, bringing GLBA requirements in line with international regulations like the General Data Protection Regulation (GDPR).

GLBA definitions

Below, we’ll cover the definitions of certain concepts within the GLBA to provide clarity on how the Act may apply to your business.

Financial institution under GLBA

A financial institution under the GLBA is defined as “any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities.” In other words, any company that offers financial products or services to individuals, such as loans, financial or investment advice, or insurance. 

The Act states that this definition can include “banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.”

If your company is significantly engaged in providing financial products or services to consumers, it’s likely subject to GLBA regulations and must adhere to its requirements for protecting customer information. 

Financial service under GLBA

According to the GLBA, a financial service “includes, among other things, a financial institution’s evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service.”

This broad definition subjects a wide range of activities related to managing and handling money to the Act’s privacy and security requirements. These activities include:

  • lending, exchanging, or transferring money
  • investing for others
  • safeguarding money or securities
  • providing financial or investment advice
  • insurance underwriting

Services like issuing credit cards, managing investment portfolios, offering insurance policies, and facilitating payment processing (credit card companies and processors like PayPal, Square, Stripe, etc.) are all considered financial services under the GLBA. 

Consumer and customer under GLBA

According to the GLBA, all customers are consumers, but not all consumers are customers. A consumer is “an individual who obtains, from a financial institution, financial products or services,” while a customer is someone who has an ongoing relationship with a financial institution.

For instance, someone who takes out a mortgage loan from a bank would be a customer because the financing and servicing of that loan requires an ongoing relationship. However, if the same person were simply using one of that bank’s ATMs to withdraw cash, they would just be considered a consumer. 

This distinction is important because customers typically have more privacy rights under the GLBA than consumers do.

Nonpublic personal information under GLBA

Nonpublic personal information (NPI) refers to the personal details of consumers. This personally identifiable information is usually obtained by the institution as the result of transactions or services performed for the consumer. 

NPI can include information that “a consumer provides to a financial institution to obtain a financial product or service from the institution; results from a transaction between the consumer and the institution involving a financial product or service; or a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.” 

Data like Social Security numbers, account balances, payment histories, and any information derived from consumer reports falls into this category. However, information that’s publicly and lawfully available, like data from public records, is not considered NPI.

Nonaffiliated third party under GLBA

A nonaffiliated third party is any entity that is not an affiliate of the financial institution. The GLBA defines an affiliate of a financial institution as “any company that controls, is controlled by, or is under common control with the financial institution.”

In other words, a nonaffiliated third party is an entity that doesn’t control, isn’t controlled by, and isn’t under common control with the institution. 

Nonaffiliated third parties are external companies or individuals with whom a financial institution may share consumers’ NPI, provided that consumers are given proper notice and the opportunity to opt out of such sharing. However, there are certain circumstances in which sharing is permitted without an opt-out option.

Opt-out right and exceptions under GLBA

The GLBA gives consumers the right to opt out of allowing financial institutions to share their NPI with nonaffiliated third parties. This means that, before sharing such information, institutions must provide a clear notice and the option for consumers to decline. 

The GLBA states that “consumers must be given a reasonable opportunity and a reasonable means to opt out.” It also clarifies that “what constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer’s transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right.”

There are, however, instances in which opt-out rights do not apply: for example, when NPI is shared with service providers performing essential tasks on behalf of the institution, when the institution is legally compelled to share the information (such as reporting suspicious activities under anti-fraud regulations), or when it is shared as part of a transaction requested by the consumer.

Who must comply with the GLBA

The GLBA’s scope extends beyond traditional banks to many other types of organizations. Let’s explore exactly who must comply and the applicable exceptions.

GLBA applies to 

We’ve established that the GLBA’s broad definition of financial institutions means that it applies to a variety of entities. Here are some of the most common ones.

  • Banks: Institutions like commercial banks, savings associations, and credit unions that manage deposits, provide loans, and offer payment services.
  • Insurance companies: Companies that provide insurance coverage, and also commonly provide diversified offerings with other financial products and services.
  • Payday lenders: Businesses providing short-term, high-interest loans typically meant to cover expenses until the borrower’s next paycheck.
  • Mortgage brokers: Companies that act as intermediaries between borrowers and lenders, helping individuals secure home loans or refinancing options.
  • Non-bank lenders: Organizations offering loans without traditional banking structures, such as auto loan providers or personal loan companies.
  • Debt collectors: Entities that recover unpaid debts on behalf of creditors. Examples include collections agencies and legal recovery firms.
  • Personal property or real estate appraisers: Professionals or companies that determine the value of assets like homes, cars, or commercial property.
  • Professional tax preparers: Individuals or firms that provide tax advice and tax filing assistance.
  • Financial advisors and planners: Professionals who offer guidance on investments, retirement plans, estate planning, or wealth management.

It’s important to remember that the GLBA’s application depends on the nature of the relationship between an individual and a financial institution. In other words, it depends on whether that individual is a customer or a consumer.

When the individual is a customer with an ongoing relationship, e.g. a bank account holder or mortgage client, more comprehensive privacy protections apply. Conversely, a consumer who interacts with the institution for a one-time transaction, like cashing a check, may have fewer rights. 

GLBA exceptions

Sections 13, 14, and 15 of the GLBA outline cases in which financial institutions aren’t required to provide a privacy notice or opt-out option when sharing NPI. These exceptions cover cases in which the disclosure of NPI is limited.

  • Section 13: “to a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution’s own products or services or those offered jointly by the institution and another financial institution.” This exception is only permitted if the financial institution provides an initial notice of these arrangements and the third party signs a confidentiality contract that states they won’t disclose or use the information for anything other than the specified purposes. 
  • Section 14: “as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or under certain other circumstances relating to existing relationships with customers.”
  • Section 15: “for specified other disclosures that a financial institution normally makes.” These other disclosures can include efforts to prevent fraud or to comply with legal requirements by disclosing information to regulators. 

Consumer rights under the GLBA

Consumers have the right to opt out of having their NPI shared with certain nonaffiliated third parties. 

When a financial institution intends to share a consumer’s NPI with one of these third parties for purposes not explicitly exempt under the law, it must first provide a clear privacy notice that outlines the types of information collected, how that information will be shared, and the consumer’s ability to opt out.

Then, the consumer must be given a reasonable means and timeframe to exercise their opt-out right.

It’s important to note that the Act makes a distinction between consumer and customer rights. For customers, the GLBA states that they “are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution unless an exception to the annual privacy notice requirement applies.”

So, in addition to being able to opt out of NPI disclosure, customers also have a right to receive privacy notices that outline the financial institution’s ongoing use of their data. 

What are financial institutions obliged to do under the GLBA?

Under the GLBA, financial institutions must take measures to protect customer data and provide privacy and opt-out notices.

Privacy notices under the GLBA

Financial institutions must provide clear and concise privacy notices to customers that explain how their NPI is collected, used, and shared. 

They must provide these notices at the start of the customer relationship and annually thereafter. These notices must also be easily accessible, written in plain language, and displayed in a manner that enables consumers to review them before making decisions about their data.

Opt-out notices under the GLBA

Opt-out notices are required when a financial institution plans to share NPI with nonaffiliated third parties. These notices must clearly inform consumers of their right to opt out, outline the methods available to do so, like forms, online options, or toll-free numbers, and allow a reasonable timeframe for response.

Safeguarding NPI under the GLBA

Financial institutions must protect consumer data from unauthorized access, misuse, and breaches. This includes creating a comprehensive security program that includes administrative, technical, and physical safeguards. 

The FTC’s Safeguards Rule now requires that financial institutions create a written information security plan (WISP) that outlines their strategy for securely handling consumer data and protecting against potential threats and breaches. According to the FTC, if your business meets the definition of a financial institution, your plan “must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.”

Additionally, financial institutions must assess risks, regularly monitor systems, and train employees to promote the confidentiality, integrity, and security of customer information.

Enforcement of the Gramm-Leach-Bliley Act

In the absence of a comprehensive, non-sectoral federal privacy law (important laws like HIPAA, the CPPA, COPPA, FERPA, etc. are largely sector-specific), the GLBA operates alongside numerous state-level data privacy laws. These state laws often include enforcement exemptions for institutions covered under the GLBA, since it is a federal law that supersedes state regulations.

Enforcement authority

Enforcement of the GLBA is shared between federal and state agencies. The entity responsible for ensuring compliance with the law depends on the type of financial institution in question. Enforcement authorities include:

  • The FTC: Oversees non-bank financial institutions, such as mortgage brokers, payday lenders, and tax preparers.
  • Federal banking regulators: These include the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, and the Office of the Comptroller of the Currency (OCC), which enforce GLBA compliance for banks and similar entities.
  • State insurance commissioners: Responsible for ensuring that insurance providers comply with the Act at a state level.

Damages and fines

Financial institutions may face civil fines of up to USD 100,000 per violation. Responsible individuals, e.g. corporate officers or directors, can incur personal fines up to USD 10,000. They may also face criminal penalties for intentional violations, including imprisonment for up to five years. 

Beyond legal consequences, noncompliance can result in reputational damage, loss of consumer trust, and increased scrutiny from regulatory bodies. These can have lasting effects on an institution’s success, making compliance with the GLBA crucial for applicable organizations. 

The GLBA requires financial institutions to provide privacy notices explaining how customer data is collected, used, and shared, along with the option for consumers to opt out of sharing their NPI with nonaffiliated third parties.

Managing these processes manually can be taxing and time-consuming. Fortunately, there are specialized platforms that help simplify compliance efforts. Usercentrics products, for example, automate privacy notices, track opt-out preferences, and keep consumers informed of their rights. 

By centralizing consent management, the platform helps to simplify adherence to GLBA requirements, fosters transparency, and strengthens customer trust — all while reducing the administrative burden of compliance on your business.

The Usercentrics CMP helps you tailor consent messages, manage user opt-out choices, and stay compliant with relevant privacy laws.

Financial institutions need to safeguard consumer NPI, provide clear privacy notices, and offer opt-out options for data sharing to meet the GLBA’s requirements. 

Achieving compliance with this comprehensive regulation and other data privacy laws means implementing robust security programs, conducting regular risk assessments, and creating transparency in your data handling practices.

Usercentrics simplifies privacy compliance by aligning your data handling practices with the requirements of the various data privacy laws applicable to your business. We help manage consumer consent, generate privacy notices, and more, so you can stay legally compliant while building trust and increasing transparency with your customers.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.