What Is the Gramm-Leach-Bliley Act (GLBA)?

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: February 2, 2024

What-Is-The-Gramm-Leach-Bliley Act-GLBA-01

The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that modernized compliance requirements for financial services.

It outlines information-sharing obligations and practices concerning the personal information of customers of financial products, like service loans, insurance, and financial advisors.

In this article, learn about the requirements of the GLBA, how it impacts businesses and consumers, and the penalties for violating this law.

Table of Contents
  1. What Is the Gramm-Leach-Bliley Act (GLBA)?
  2. GLBA Key Terms and Definitions
  3. What Does the Gramm-Leach-Bliley Act Cover?
  4. Requirements of the Gramm-Leach-Bliley Act
  5. How Does the GLBA Impact Consumers?
  6. How Does the GLBA Impact Businesses?
  7. Who Must Comply With the GLBA?
  8. Who Is Exempt From the GLBA?
  9. How Can Businesses Prepare for the GLBA?
  10. How Is the GLBA Enforced?
  11. Fines and Penalties Under the Gramm-Leach-Bliley Act
  12. How Does Termly Help With GLBA Compliance?
  13. Are There Other Privacy Related Laws in the US?
  14. Summary

What Is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act, or GLBA, is a federal law in the U.S. that regulates how financial services collect, process, and safeguard their customers’ personal information.

The GLBA applies to the following types of entities:

  • Financial advisors
  • Insurance companies
  • Investment advice companies
  • Service loans
  • Other financial products

Through Title V, Subtitle A of the Act, organizations must notify customers of their data processing practices through a privacy policy.

They must also provide a mechanism for consumers to opt-out of the sharing or disclosing of their personal information to third parties in certain situations.

When Did the GLBA Take Effect?

The Gramm-Leach-Bliley Act has been in effect since 1999.

But in December 2011, the Consumer Financial Protection Bureau (CFPB) issued Regulation P (12 CFR Part 1016), which re-codifies some previous regulations issued by other bodies.

Regulation P outlines the requirements related to the privacy concerns for consumers under the GLBA, and its scope includes most companies engaged in financial activities — referred to as financial institutions.

It also applies to companies not engaged in financial activities but that receive personal information from financial institutions.

GLBA Key Terms and Definitions

To help you comply with the GLBA, I’ve included some of the key terms and their definitions as they appear in the text of the law:

What Does the Gramm-Leach-Bliley Act Cover?

The GLBA applies to businesses significantly engaged in financial activities as defined by  §4(k) of the Bank Holding Company Act of 1956, which the law refers to as financial institutions.

Activities that are financial in nature generally include — but are not limited to — the following:

  • Lending, exchanging, transferring, investing for others, or safeguarding money or securities. These activities cover services offered by lenders, check cashers, wire transfer services, and sellers of money orders
  • Providing financial, investment, or economic advisory services. These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors
  • Brokering loans
  • Underwriting, dealing on, or making a market in securities
  • Servicing loans
  • Debt collecting
  • Providing real estate settlement services
  • Career counseling (of individuals seeking employment in the financial services industry)

It is noteworthy that Regulation P, the regulation issued by the CFPB, also includes in the scope of this definition:

Third parties that are not financial institutions but that receive nonpublic personal information from financial institutions with whom they are not affiliated.

If your company is engaged in such activities, you should have a privacy policy that complies with the requirements described below.

Requirements of the Gramm-Leach-Bliley Act

The GLBA outlines several requirements financial services must follow, which I’ll cover in detail in the following section.

Privacy Rules

The GLBA outlines a privacy notification rule that all covered financial institutions must follow.

You must notify consumers about:

  • What data is collected from them
  • How it’s shared
  • How it’s protected

In addition, customers have the right to opt out of having some of their data shared with certain unaffiliated third parties and must be presented with the notice again as soon as it changes.

I include more specific details about these requirements and what goes explicitly into them later in this guide.

Data Safeguards

Financial services under the GLBA must have a written security plan in place with the goal of protecting customers’ personal information.

The plan must be appropriate and consider the following:

  • The size of the company
  • The scope and nature of its activities
  • The sensitivity of the information collected

Entities must perform regular tests and risk assessments to monitor the integrity of the security controls and to ensure the ongoing safety of customer data.

Pretexting Protections

In addition to having a security plan, the GLBA also required institutions to take measures to protect against unauthorized access or disclosure of data, called pretexting.

The required nature and level of protection varies based on the size and complexity of the financial service.

Model Privacy Forms

In 2006, the Financial Services Regulatory Relief Act amended the GLBA to allow companies to rely on Model Privacy Forms to satisfy the notice and opt-out requirements of the GLBA.

Although the use of model privacy forms is not a requirement, displaying the forms on a company’s website constitutes compliance with the notice and opt-out provisions of the Act.

There are two types of forms available, and I’ll briefly explain both:

  • Notice with opt-out method
  • Notice with no opt-out method

Notice With Opt-Out Method

Under the GLBA, a notice with an opt-out form provides the customer with information on how the financial institution processes their nonpublic information.

The form satisfies the privacy notice requirements of Regulation P §1016.6 and the opt-out notice requirements in §1016.7.

See an example of this form in the screenshot below from the CFPB – Regulation P Appendices.

Notice-With-No-Opt-Out-Methods-CFPB- Regulation-P-Appendices

Opt-out forms give the customer the right to opt out of the disclosure of their information by telephone or online.

An institution allowing consumers to opt out online must provide a specific opt-out page on their website, and the opt-out choices must match the “Yes” responses in the disclosure table’s ‘Can you limit this sharing?’ column.

Note that another version of this form exists, known as the Mail-In Opt-Out.

Notice With No Opt-Out Method

Similar to Opt-Out Forms, you can also use a notice with no opt-out method to satisfy the privacy notice requirements of Regulation P §1016.6.

See a screenshot of this form below from the CFPB – Regulation P Appendices.

Model-Privacy Forms-CFPB- Regulation-P-Appendices

Exceptions to opt-out requirements are described in §1016.13 to §1016.15 of Regulation P, where an organization would not be required to provide opt-out notice and method.

I explain this in detail later in this guide, but these exceptions are:

  • When disclosing NPI to a nonaffiliated third party to perform services for the financial institution or on its behalf, including joint marketing.
  • When processing and servicing transactions, namely processing transactions at the consumer’s request and where necessary to effect, administer, or enforce a transaction.
  • When disclosing NPI for specified disclosures that financial institutions normally make, such as preventing actual or potential fraud or compliance with regulatory obligations.

How Does the GLBA Impact Consumers?

The Gramm-Leach-Bliley Act impacts consumers by providing them with more safety, control, and confidentiality concerning their personal financial data.

Consumers have the right to know what data is collected about them, when their data is shared with other entities, and to opt out of that sharing in certain situations.

Additionally, because it requires financial services to safeguard the information, consumers can trust that financial institutions will adequately secure and protect their data.

Who Does the GLBA Apply To?

The GLBA applies to all financial institutions, related entities, and individuals working in the industry in the U.S.

It protects the personal information of those entities’ customers.

Businesses located outside of the U.S. that offer financial services to consumers within the country are also obligated to follow the law.

How Does the GLBA Impact Businesses?

Along with the data security and protection requirements, the GLBA heavily impacts businesses’ privacy policies.

How Does the GLBA Affect My Privacy Policy?

Financial institutions must fulfill the specific notice requirements laid out by Section 502 of the Act, which impacts portions of your privacy policy.

As laid out in Regulation P, a privacy notice must include the following details:

Who Must Comply With the GLBA?

Any financial institution in the U.S. must comply with the Gramm-Leach-Bliley Act, including:

  • Financial or investment advice
  • Insurance
  • Financial products
  • Service loans
  • ATM operators
  • Debt collectors
  • Car rental companies

Organizations outside of the U.S. offering financial services to individuals in the country are also subject to the law.

Who Is Exempt From the GLBA?

Business-to-business transactions by entities not considered financial services typically fall outside the GLBA’s scope.

Additionally, there are a few exemptions to the privacy notification requirements mentioned previously in this article, which I’ll cover in detail in the following sections.

Exception To Initial Privacy Notice Requirement

The GLBA outlines some exceptions to the initial privacy notice requirement.

You’re exempt if you don’t disclose any nonpublic personal information about the consumer to any nonaffiliated third party.

Alternatively, as authorized by §1016.14 and §1016.15, you’re exempt if you do disclose the data but under the exceptions that it is for processing transactions:

  • At the consumer’s request
  • Necessary to effect, administer, or enforce a transaction
  • To receive a service from a nonaffiliated third party, including joint marketing

You’re also exempt if you don’t have a customer relationship with the consumer.

Exceptions To Allow Delayed Delivery of Notice

Some exceptions to the GLBA allow you to delay the delivery of the privacy notice to your customers.

For example, you may provide the initial privacy notice within a reasonable time after establishing a customer relationship if establishing the customer relationship is not at the customer’s election.

Or, you can provide a notice when you establish a customer relationship that would substantially delay the customer’s transaction, and the customer agrees to receive the notice at a later time.

Exception To Annual Privacy Notice Requirement

Finally, under the GLBA, you are not required to deliver an annual privacy notice for two primary reasons.

First, you provide nonpublic personal information to nonaffiliated third parties following the provisions of §1016.13, §1016.14, or §1016.15.

As a reminder, these provisions refer to processing transitions:

  • At the consumer’s request
  • Necessary to effect, administer, or enforce a transaction
  • To receive a service from a nonaffiliated third party, including joint marketing

Second, you don’t need to send an annual notice if you haven’t changed your policies and practices about disclosing nonpublic personal information from the ones previously disclosed to the customer under the most recent privacy notice.

How Can Businesses Prepare for the GLBA?

To prepare your business for GLBA compliance, take the following steps:

  • Step one: Review the law to understand how its scope impacts your financial service.
  • Step two: Verify which regulatory body enforces the GLBA provisions for your business.
  • Step three: Update your privacy policy to meet all notification requirements.
  • Step four: Provide a method for customers to opt out of certain data processing.
  • Step five: Implement security methods to protect the personal information you collect.

How Is the GLBA Enforced?

Section 504 of Title V gave rule-making authority to several federal financial regulatory agencies to enforce the GLBA.

Each regulatory body issues its own regulations to enforce the provisions of the GLBA, which include the:

  • Board of Governors of the Federal Reserve System (FRS)
  • National Credit Union Administration (NCUA)
  • Office of the Comptroller of the Currency (OCC)
  • Office of Thrift Supervision (OTS)
  • Federal Deposit Insurance Corporation (FDIC)
  • Federal Trade Commission (FTC)

But in 2011, the Dodd-Frank Act transferred rule-making authority for privacy provisions (Title V of the GLBA) to the CFPB to harmonize this complex system.

Some exceptions remain, such as the FTC, which maintains authority over specific motor vehicle dealers.

Because several regulatory bodies issue rules on different groups of financial institutions, it’s critical to confirm which regulator you must comply with before consulting the relevant rules.

Here is a complete list of each regulator’s scope and the issued rules implementing the GLBA’s notice and opt-out requirements.

Regulator Code citation Scope of application
Federal Reserve 12 C.F.R. §216.1 State member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, State uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations.
Federal Deposit Insurance Corporation (FDIC) 12 C.F.R. §332 Banks insured by the FDIC (other than members of the Federal Reserve System), insured state branches of foreign banks, and certain subsidiaries of such entities.
Office of Thrift Supervision (OTS) 12 C.F.R. §573 Savings associations whose deposits are insured by the Federal Deposit Insurance Corporation and any subsidiaries of such savings associations but not subsidiaries that are brokers, dealers, persons providing insurance, investment companies, or investment advisers
Office of the Comptroller of the Currency (OCC) 12 C.F.R. §40 National banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities except a broker or dealer that is registered under the Securities Exchange Act of 1934, a registered investment adviser, an investment company registered under the Investment Company Act of 1940, an insurance company that is subject to supervision by a State insurance regulator, and an entity subject to regulation by the Commodity Futures Trading Commission.
Federal Trade Commission (FTC) 16 C.F.R. §313 Any persons described in 12 U.S.C. 5519 predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both.
Securities and Exchange Commission (SEC) 17 C.F.R. §248 Brokers, dealers, and investment companies, as well as investment advisers that are registered with the Commission. It also applies to foreign brokers, dealers, investment companies, and investment advisers registered with the Commission.
Commodity Futures Trading Commission (CFTC) 17 C.F.R. §160 All futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants, and swap dealers subject to the jurisdiction of the Commission, regardless of whether they’re required to register with the Commission.
Consumer Financial Protection Bureau (CFPB) 12 C.F.R. §1016

(Regulation P)

Any financial institution and other covered person or service provider subject to Subtitle A of Title V of the GLBA, including third parties that are not financial institutions but receive nonpublic personal information from financial institutions with whom they’re not affiliated. This part does not apply to certain motor vehicle dealers described in 12 U.S.C. 5519 or to entities for which the Securities and Exchange Commission or the Commodity Futures Trading Commission has rulemaking authority pursuant to sections 504(a)(1)(A)–(B) of the GLB Act (15 U.S.C. 6804(a)(1)(A)–(B[/small].

Fines and Penalties Under the Gramm-Leach-Bliley Act

Fines under the GLBA are significant and can impact individuals or entire organizations.

Organizations that violate the law may be fined as much as $100,000 per violation, whereas officers or directors may receive fines of up to $10,000 per violation.

How Does Termly Help With GLBA Compliance?

Updates take time, but Termly is working on to update our Privacy Policy Generator and enable users to meet the privacy notification requirements outlined by the GLBA.

Once live, it will ask simple questions about your business and its data processing activities, then make a unique policy based on your answers.

You will then be able to link it directly to your website or mobile app and update it as needed in your Termly dashboard.

Check back soon to learn when this privacy policy generator update is live!

While the U.S. doesn’t currently have a federal privacy law, the following pieces of legislation exist at the state level and are in force or entering into force within the next few years:

  • California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — in force
  • Colorado Privacy Act (CPA) — in force
  • Connecticut Data Privacy Act (CTDPA) — in force
  • Delaware Personal Data Privacy Act (DPDPA) — January 1, 2025
  • Florida Digital Bill of Rights (FDBR) — July 1, 2024
  • Iowa Consumer Data Protection Act (Iowa CDPA) — January 1, 2025
  • Indiana Consumer Data Protection Act (Indiana CDPA) — January 1, 2026
  • Montana Consumer Data Privacy Act (MCDPA) — October 1, 2024
  • Oregon Consumer Privacy Act (OCPA) — July 1, 2024
  • Tennessee Information Protection Act (TIPA) — July 1, 2025
  • Texas Data Privacy and Security Act (TDPSA) — July 1, 2024
  • Utah Consumer Privacy Act (UCPA) — in force
  • Virginia Consumer Data Protection Act (VCDPA) — in force

The GLBA and U.S. State Privacy Laws

As a federal law, the GLBA may conflict with other U.S. state laws that seek to regulate the same organizations or personal information.

Section 507 of the GLBA specifically addresses this case and provides that the GLBA would preempt these state laws if these laws are inconsistent with the requirements of the GLBA.

A state law is not considered inconsistent if it provides a person with protection ‘greater than the protection provided’ by the Act.

Similarly, the GLBA enables states to exempt GLBA-regulated entities from compliance with state privacy laws.

Summary

If you fall under the scope of the Gramm-Leach-Bliley Act, it’s essential to present your customers with a compliant privacy policy and appropriate controls regarding opting out of the sharing of their personal data.

You must also develop and implement a written plan to keep the data you collect safe and secure from unauthorized access or data breaches.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources