Gramm-Leach-Bliley Act: Financial Data Protection Rules
The Gramm-Leach-Bliley Act (GLBA), enacted by Congress in 1999, establishes the federal framework governing how financial institutions collect, use, and protect the nonpublic personal information of consumers. The Act applies broadly across the financial services sector, encompassing banks, insurance companies, securities firms, and nontraditional financial entities. Its three core components — the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions — define distinct obligations that shape compliance programs across the data protection service landscape.
Definition and scope
GLBA defines a "financial institution" broadly under 15 U.S.C. § 6809(3) as any institution significantly engaged in financial activities, a definition that extends well beyond traditional banks to include mortgage lenders, payday lenders, tax preparers, check cashers, auto dealerships that arrange financing, and real estate settlement service providers.
The Act covers "nonpublic personal information" (NPI) — any personally identifiable financial information provided by a consumer to a financial institution, resulting from a transaction with the consumer, or otherwise obtained by the institution. This includes account numbers, Social Security numbers, income data, and credit histories.
Three federal regulators share primary enforcement authority under GLBA:
- The Federal Trade Commission (FTC) has jurisdiction over non-bank financial institutions (see the FTC's GLBA page).
- The Federal Reserve, OCC, FDIC, and NCUA supervise their respective depository institutions.
- The Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) cover broker-dealers and commodity traders.
Civil penalties under GLBA can reach $100,000 per violation for institutions and $10,000 per violation for individual officers and directors, with criminal penalties of up to 5 years imprisonment for knowing violations (15 U.S.C. § 6823).
How it works
GLBA compliance operates through three structurally distinct rule sets, each administered and enforced through separate regulatory instruments.
1. The Financial Privacy Rule
Regulated under 16 C.F.R. Part 313 (FTC version), this rule requires financial institutions to provide clear privacy notices to consumers at account opening and annually thereafter. Notices must disclose what NPI is collected, with whom it is shared, and how consumers may opt out of sharing with nonaffiliated third parties. The opt-out mechanism must be clear, conspicuous, and functional.
2. The Safeguards Rule
The FTC's updated Safeguards Rule, which took effect in June 2023 (16 C.F.R. Part 314), requires covered financial institutions to develop, implement, and maintain a written information security program. The 2023 amendments introduced 9 specific administrative, technical, and physical safeguards, including:
Institutions with fewer than 5,000 customer records are exempt from certain requirements, including the written risk assessment and annual reporting obligations.
3. Pretexting Provisions
Under 15 U.S.C. § 6821, obtaining customer financial information through false pretenses — a practice known as pretexting — constitutes a federal violation. This applies to social engineering attacks where third parties impersonate account holders to extract NPI from institutions.
Common scenarios
GLBA obligations arise across a range of service configurations that practitioners encounter in the data protection provider network.
Third-party data sharing arrangements: A mortgage servicer sharing borrower data with a third-party marketing company must provide opt-out rights to affected consumers and verify the third party's contractual obligations to protect that data. Joint marketing agreements between affiliated entities operate under a separate carve-out but still require notice.
Breach notification triggers: The 2023 Safeguards Rule amendments added a breach notification requirement: covered institutions must notify the FTC within 30 days of discovering a security breach affecting 500 or more customers. This requirement contrasts with the broader state-level breach notification landscape, where timelines vary from 30 to 90 days depending on jurisdiction.
Vendor oversight: A tax preparation firm using a cloud-based software platform must assess that vendor's data security controls as part of its own written information security program. GLBA's Safeguards Rule treats third-party service providers as extensions of the covered institution's security environment.
Annual privacy notice exemptions: Under a 2015 amendment codified at 15 U.S.C. § 6803(f), institutions that share data only under GLBA-permitted exceptions and have not changed their privacy policies are exempt from the annual notice requirement — a significant operational distinction from the pre-amendment standard.
Decision boundaries
GLBA intersects with and sometimes overlaps other federal and state privacy regimes, and the boundaries between them require careful structural analysis. The covers those distinctions across statutes.
GLBA vs. HIPAA: When a financial institution handles health-related financial products (e.g., health savings accounts), GLBA governs the financial data while HIPAA governs protected health information held by the plan itself. The two frameworks apply simultaneously to the same entity but regulate different data categories.
GLBA vs. CCPA/CPRA: California's Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.145(e)) exempts NPI already regulated under GLBA from most CPRA obligations, creating a functional carve-out for GLBA-covered entities operating in California.
Bank vs. nonbank coverage: A fintech company providing buy-now-pay-later products may be a "financial institution" under GLBA even if not chartered as a bank. The FTC's jurisdiction over nonbank entities means that GLBA coverage does not require a banking charter — functional activity determines applicability.
Federal preemption limits: GLBA does not fully preempt state financial privacy laws. States may enact stricter standards, and institutions operating across state lines must reconcile GLBA's baseline with state-specific requirements — a compliance structure detailed further in the "How to use this data protection resource" reference.