What Is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act, or GLBA, is a federal law in the U.S. that regulates how financial services collect, process, and safeguard their customers’ personal information.

The GLBA applies to the following types of entities:

Financial advisors
Insurance companies
Investment advice companies
Service loans
Other financial products

Through Title V, Subtitle A of the Act, organizations must notify customers of their data processing practices through a privacy policy.

They must also provide a mechanism for consumers to opt-out of the sharing or disclosing of their personal information to third parties in certain situations.

When Did the GLBA Take Effect?

The Gramm-Leach-Bliley Act has been in effect since 1999.

But in December 2011, the Consumer Financial Protection Bureau (CFPB) issued Regulation P (12 CFR Part 1016), which re-codifies some previous regulations issued by other bodies.

Regulation P outlines the requirements related to the privacy concerns for consumers under the GLBA, and its scope includes most companies engaged in financial activities — referred to as financial institutions.

It also applies to companies not engaged in financial activities but that receive personal information from financial institutions.

GLBA Key Terms and Definitions

To help you comply with the GLBA, I’ve included some of the key terms and their definitions as they appear in the text of the law:

Financial Institution: Any institution or business that is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.
Nonpublic personal information: Any information that is not publicly available and that:
- A consumer provides to a financial institution to obtain a financial product or service from the institution;
- Results from a transaction between the consumer and the institution involving a financial product or service;
- A financial institution otherwise obtains about a consumer in connection with providing a financial product or service.
Nonaffiliated third party: Any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the institution’s affiliate.
Affiliate: Any company that controls, is controlled by, or is under common control with the financial institution.
Consumer: An individual who obtains or has obtained a financial product or service to be used primarily for personal, family, or household purposes or that individual’s legal representative.
Customer: A consumer who has a ‘customer relationship’ with a financial institution. A ‘customer relationship’ means a continuing relationship between a consumer and a financial institution under which the financial institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

What Does the Gramm-Leach-Bliley Act Cover?

The GLBA applies to businesses significantly engaged in financial activities as defined by §4(k) of the Bank Holding Company Act of 1956, which the law refers to as financial institutions.

Activities that are financial in nature generally include — but are not limited to — the following:

Lending, exchanging, transferring, investing for others, or safeguarding money or securities. These activities cover services offered by lenders, check cashers, wire transfer services, and sellers of money orders
Providing financial, investment, or economic advisory services. These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors
Brokering loans
Underwriting, dealing on, or making a market in securities
Servicing loans
Debt collecting
Providing real estate settlement services
Career counseling (of individuals seeking employment in the financial services industry)

It is noteworthy that Regulation P, the regulation issued by the CFPB, also includes in the scope of this definition:

Third parties that are not financial institutions but that receive nonpublic personal information from financial institutions with whom they are not affiliated.

If your company is engaged in such activities, you should have a privacy policy that complies with the requirements described below.

Requirements of the Gramm-Leach-Bliley Act

The GLBA outlines several requirements financial services must follow, which I’ll cover in detail in the following section.

Privacy Rules

The GLBA outlines a privacy notification rule that all covered financial institutions must follow.

You must notify consumers about:

What data is collected from them
How it’s shared
How it’s protected

In addition, customers have the right to opt out of having some of their data shared with certain unaffiliated third parties and must be presented with the notice again as soon as it changes.

I include more specific details about these requirements and what goes explicitly into them later in this guide.

Data Safeguards

Financial services under the GLBA must have a written security plan in place with the goal of protecting customers’ personal information.

The plan must be appropriate and consider the following:

The size of the company
The scope and nature of its activities
The sensitivity of the information collected

Entities must perform regular tests and risk assessments to monitor the integrity of the security controls and to ensure the ongoing safety of customer data.

Pretexting Protections

In addition to having a security plan, the GLBA also required institutions to take measures to protect against unauthorized access or disclosure of data, called pretexting.

The required nature and level of protection varies based on the size and complexity of the financial service.

Model Privacy Forms

In 2006, the Financial Services Regulatory Relief Act amended the GLBA to allow companies to rely on Model Privacy Forms to satisfy the notice and opt-out requirements of the GLBA.

Although the use of model privacy forms is not a requirement, displaying the forms on a company’s website constitutes compliance with the notice and opt-out provisions of the Act.

There are two types of forms available, and I’ll briefly explain both:

Notice with opt-out method
Notice with no opt-out method

Notice With Opt-Out Method

Under the GLBA, a notice with an opt-out form provides the customer with information on how the financial institution processes their nonpublic information.

The form satisfies the privacy notice requirements of Regulation P §1016.6 and the opt-out notice requirements in §1016.7.

See an example of this form in the screenshot below from the CFPB – Regulation P Appendices.

Notice-With-No-Opt-Out-Methods-CFPB- Regulation-P-Appendices

Opt-out forms give the customer the right to opt out of the disclosure of their information by telephone or online.

An institution allowing consumers to opt out online must provide a specific opt-out page on their website, and the opt-out choices must match the “Yes” responses in the disclosure table’s ‘Can you limit this sharing?’ column.

Note that another version of this form exists, known as the Mail-In Opt-Out.

Notice With No Opt-Out Method

Similar to Opt-Out Forms, you can also use a notice with no opt-out method to satisfy the privacy notice requirements of Regulation P §1016.6.

See a screenshot of this form below from the CFPB – Regulation P Appendices.

Model-Privacy Forms-CFPB- Regulation-P-Appendices

Exceptions to opt-out requirements are described in §1016.13 to §1016.15 of Regulation P, where an organization would not be required to provide opt-out notice and method.

I explain this in detail later in this guide, but these exceptions are:

When disclosing NPI to a nonaffiliated third party to perform services for the financial institution or on its behalf, including joint marketing.
When processing and servicing transactions, namely processing transactions at the consumer’s request and where necessary to effect, administer, or enforce a transaction.
When disclosing NPI for specified disclosures that financial institutions normally make, such as preventing actual or potential fraud or compliance with regulatory obligations.

How Does the GLBA Impact Consumers?

The Gramm-Leach-Bliley Act impacts consumers by providing them with more safety, control, and confidentiality concerning their personal financial data.

Consumers have the right to know what data is collected about them, when their data is shared with other entities, and to opt out of that sharing in certain situations.

Additionally, because it requires financial services to safeguard the information, consumers can trust that financial institutions will adequately secure and protect their data.

Who Does the GLBA Apply To?

The GLBA applies to all financial institutions, related entities, and individuals working in the industry in the U.S.

It protects the personal information of those entities’ customers.

Businesses located outside of the U.S. that offer financial services to consumers within the country are also obligated to follow the law.

How Does the GLBA Impact Businesses?

Along with the data security and protection requirements, the GLBA heavily impacts businesses’ privacy policies.

How Does the GLBA Affect My Privacy Policy?

Financial institutions must fulfill the specific notice requirements laid out by Section 502 of the Act, which impacts portions of your privacy policy.

As laid out in Regulation P, a privacy notice must include the following details:

The categories of nonpublic personal information that you collect
The categories of nonpublic personal information that you disclose
The categories of affiliates and nonaffiliated third parties you disclose nonpublic personal information to, other than those you disclose information to effect, administer, or enforce a transaction that a consumer requests or authorizes.
Information about your former customers:
- The categories of nonpublic personal information about your former customers that you disclose
- The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information to effect, administer, or enforce a transaction that a consumer requests or authorizes
If you disclose nonpublic personal information to a nonaffiliated third party that performs a service for you, including joint marketing, a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted
An explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time
Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates)
Your policies and practices for protecting the confidentiality and security of nonpublic personal information
Any disclosure that you make to nonaffiliated third parties, subject to exceptions

Who Must Comply With the GLBA?

Any financial institution in the U.S. must comply with the Gramm-Leach-Bliley Act, including:

Financial or investment advice
Insurance
Financial products
Service loans
ATM operators
Debt collectors
Car rental companies

Organizations outside of the U.S. offering financial services to individuals in the country are also subject to the law.

Who Is Exempt From the GLBA?

Business-to-business transactions by entities not considered financial services typically fall outside the GLBA’s scope.

Additionally, there are a few exemptions to the privacy notification requirements mentioned previously in this article, which I’ll cover in detail in the following sections.

Exception To Initial Privacy Notice Requirement

The GLBA outlines some exceptions to the initial privacy notice requirement.

You’re exempt if you don’t disclose any nonpublic personal information about the consumer to any nonaffiliated third party.

Alternatively, as authorized by §1016.14 and §1016.15, you’re exempt if you do disclose the data but under the exceptions that it is for processing transactions:

At the consumer’s request
Necessary to effect, administer, or enforce a transaction
To receive a service from a nonaffiliated third party, including joint marketing

You’re also exempt if you don’t have a customer relationship with the consumer.

Exceptions To Allow Delayed Delivery of Notice

Some exceptions to the GLBA allow you to delay the delivery of the privacy notice to your customers.

For example, you may provide the initial privacy notice within a reasonable time after establishing a customer relationship if establishing the customer relationship is not at the customer’s election.

Or, you can provide a notice when you establish a customer relationship that would substantially delay the customer’s transaction, and the customer agrees to receive the notice at a later time.

Exception To Annual Privacy Notice Requirement

Finally, under the GLBA, you are not required to deliver an annual privacy notice for two primary reasons.

First, you provide nonpublic personal information to nonaffiliated third parties following the provisions of §1016.13, §1016.14, or §1016.15.

As a reminder, these provisions refer to processing transitions:

At the consumer’s request
Necessary to effect, administer, or enforce a transaction
To receive a service from a nonaffiliated third party, including joint marketing

Second, you don’t need to send an annual notice if you haven’t changed your policies and practices about disclosing nonpublic personal information from the ones previously disclosed to the customer under the most recent privacy notice.

How Can Businesses Prepare for the GLBA?

To prepare your business for GLBA compliance, take the following steps:

Step one: Review the law to understand how its scope impacts your financial service.
Step two: Verify which regulatory body enforces the GLBA provisions for your business.
Step three: Update your privacy policy to meet all notification requirements.
Step four: Provide a method for customers to opt out of certain data processing.
Step five: Implement security methods to protect the personal information you collect.

How Is the GLBA Enforced?

Section 504 of Title V gave rule-making authority to several federal financial regulatory agencies to enforce the GLBA.

Each regulatory body issues its own regulations to enforce the provisions of the GLBA, which include the:

Board of Governors of the Federal Reserve System (FRS)
National Credit Union Administration (NCUA)
Office of the Comptroller of the Currency (OCC)
Office of Thrift Supervision (OTS)
Federal Deposit Insurance Corporation (FDIC)
Federal Trade Commission (FTC)

But in 2011, the Dodd-Frank Act transferred rule-making authority for privacy provisions (Title V of the GLBA) to the CFPB to harmonize this complex system.

Some exceptions remain, such as the FTC, which maintains authority over specific motor vehicle dealers.

Because several regulatory bodies issue rules on different groups of financial institutions, it’s critical to confirm which regulator you must comply with before consulting the relevant rules.

Here is a complete list of each regulator’s scope and the issued rules implementing the GLBA’s notice and opt-out requirements.

Regulator	Code citation	Scope of application
Federal Reserve	12 C.F.R. §216.1	State member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, State uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations.
Federal Deposit Insurance Corporation (FDIC)	12 C.F.R. §332	Banks insured by the FDIC (other than members of the Federal Reserve System), insured state branches of foreign banks, and certain subsidiaries of such entities.
Office of Thrift Supervision (OTS)	12 C.F.R. §573	Savings associations whose deposits are insured by the Federal Deposit Insurance Corporation and any subsidiaries of such savings associations but not subsidiaries that are brokers, dealers, persons providing insurance, investment companies, or investment advisers
Office of the Comptroller of the Currency (OCC)	12 C.F.R. §40	National banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities except a broker or dealer that is registered under the Securities Exchange Act of 1934, a registered investment adviser, an investment company registered under the Investment Company Act of 1940, an insurance company that is subject to supervision by a State insurance regulator, and an entity subject to regulation by the Commodity Futures Trading Commission.
Federal Trade Commission (FTC)	16 C.F.R. §313	Any persons described in 12 U.S.C. 5519 predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both.
Securities and Exchange Commission (SEC)	17 C.F.R. §248	Brokers, dealers, and investment companies, as well as investment advisers that are registered with the Commission. It also applies to foreign brokers, dealers, investment companies, and investment advisers registered with the Commission.
Commodity Futures Trading Commission (CFTC)	17 C.F.R. §160	All futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants, and swap dealers subject to the jurisdiction of the Commission, regardless of whether they’re required to register with the Commission.
Consumer Financial Protection Bureau (CFPB)	12 C.F.R. §1016 (Regulation P)	Any financial institution and other covered person or service provider subject to Subtitle A of Title V of the GLBA, including third parties that are not financial institutions but receive nonpublic personal information from financial institutions with whom they’re not affiliated. This part does not apply to certain motor vehicle dealers described in 12 U.S.C. 5519 or to entities for which the Securities and Exchange Commission or the Commodity Futures Trading Commission has rulemaking authority pursuant to sections 504(a)(1)(A)–(B) of the GLB Act (15 U.S.C. 6804(a)(1)(A)–(B)).

Fines and Penalties Under the Gramm-Leach-Bliley Act

Fines under the GLBA are significant and can impact individuals or entire organizations.

Organizations that violate the law may be fined as much as $100,000 per violation, whereas officers or directors may receive fines of up to $10,000 per violation.

How Does Termly Help With GLBA Compliance?

Updates take time, but Termly is working on to update our Privacy Policy Generator and enable users to meet the privacy notification requirements outlined by the GLBA.

Once live, it will ask simple questions about your business and its data processing activities, then make a unique policy based on your answers.

You will then be able to link it directly to your website or mobile app and update it as needed in your Termly dashboard.

Check back soon to learn when this privacy policy generator update is live!

While the U.S. doesn’t currently have a federal privacy law, the following pieces of legislation exist at the state level and are in force or entering into force within the next few years:

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — in force
Colorado Privacy Act (CPA) — in force
Connecticut Data Privacy Act (CTDPA) — in force
Delaware Personal Data Privacy Act (DPDPA) — January 1, 2025
Florida Digital Bill of Rights (FDBR) — July 1, 2024
Iowa Consumer Data Protection Act (Iowa CDPA) — January 1, 2025
Indiana Consumer Data Protection Act (Indiana CDPA) — January 1, 2026
Montana Consumer Data Privacy Act (MCDPA) — October 1, 2024
Oregon Consumer Privacy Act (OCPA) — July 1, 2024
Tennessee Information Protection Act (TIPA) — July 1, 2025
Texas Data Privacy and Security Act (TDPSA) — July 1, 2024
Utah Consumer Privacy Act (UCPA) — in force
Virginia Consumer Data Protection Act (VCDPA) — in force

The GLBA and U.S. State Privacy Laws

As a federal law, the GLBA may conflict with other U.S. state laws that seek to regulate the same organizations or personal information.

Section 507 of the GLBA specifically addresses this case and provides that the GLBA would preempt these state laws if these laws are inconsistent with the requirements of the GLBA.

A state law is not considered inconsistent if it provides a person with protection ‘greater than the protection provided’ by the Act.

Similarly, the GLBA enables states to exempt GLBA-regulated entities from compliance with state privacy laws.

Summary

If you fall under the scope of the Gramm-Leach-Bliley Act, it’s essential to present your customers with a compliant privacy policy and appropriate controls regarding opting out of the sharing of their personal data.

You must also develop and implement a written plan to keep the data you collect safe and secure from unauthorized access or data breaches.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

New Jersey Data Privacy Act: First Look & Summary

What Is the IAB’s Global Privacy Platform (IAB GPP)?

American Privacy Rights Act (APRA): First Look & Summary

109 Biggest Data Breaches, Hacks, and Exposures as of 2024

New Zealand Data Privacy Act 2020 Explained

Personal vs. Sensitive Personal Information

Privacy Policy for Hotel Websites

Privacy Policy for Gym Websites

Privacy Policy for Real Estate Websites

What Is the Gramm-Leach-Bliley Act (GLBA)?