Gramm-Leach-Bliley Act (GLBA): What It Is and How to Comply

Published Mar 25, 2026 | Read time 16 mins

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, sets standards for protecting consumer data in the United States financial industry. Amid growing concerns about how institutions collect, use, and share sensitive personal information, the Act was passed as part of sweeping reforms to modernize the financial services sector.

The GLBA was among the first U.S. data privacy laws to impose specific data privacy and security requirements on businesses. Its aim is to give consumers more control over their personal information while requiring institutions to adopt robust data protection measures.

Although the GLBA predates the current wave of state-level privacy laws and federal privacy legislation, its requirements continue to shape how financial institutions approach consumer data protection. Its principles have influenced many subsequent regulations and remain central to compliance efforts in the financial industry.

State-level U.S. data privacy laws passed to date usually reference the GLBA explicitly, recognizing that the federal Act is robust both in the protections it provides and in the responsibilities it assigns, and that it takes precedence over state rules where the two overlap.

What Is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act is a U.S. federal law that addresses data security and privacy practices in the U.S. financial industry. It mandates that businesses handling individual financial information, including banks, insurers, loan providers, and a wide range of other entities, protect that data, inform customers of their privacy practices, and limit data sharing.

Summary of the GLBA

The GLBA was created to address concerns about data security and privacy within the financial sector. Its overarching aim is to protect consumers' financial information and prevent personal data breaches by requiring organizations to follow responsible practices when handling data.

Any business "significantly engaged" in financial activities that handles consumer financial data must follow the rules set out by the GLBA. This definition includes traditional financial institutions — banks, credit unions, insurance companies — as well as businesses not usually recognized in that category, such as loan brokers, debt collectors, mortgage lenders, financial advisors, and tax preparers.

The GLBA requires these institutions to adhere to three rules aimed at maintaining transparency and accountability while mitigating risks associated with data misuse:

  • Financial Privacy Rule: Financial institutions must provide clear privacy notices detailing how personal information is collected, used, and shared. They must also give consumers the opportunity to opt out of certain data-sharing practices with unaffiliated third parties.
  • Safeguards Rule: Businesses handling consumer financial data must develop, implement, and maintain robust data security programs to protect customer information from unauthorized access or breaches.
  • Pretexting Rule: This provision makes it illegal for anyone to obtain, disclose, or attempt to obtain or disclose a financial institution's customer information under false pretenses — a measure designed to counter criminal activity such as fraud and identity theft.

GLBA Definitions

The following key concepts within the GLBA help clarify how the Act may apply to your business.

Financial Institution

A financial institution under the GLBA is any institution whose business involves activities that are financial in nature or incidental to financial activities. In practice, this means any company offering financial products or services to individuals.

Such products and services include loans, financial or investment advice, and insurance, so the definition covers banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.

Financial Service

A financial service under the GLBA includes a financial institution's evaluation or brokerage of information collected in connection with a consumer's request for a financial product or service. 

Activities covered include lending, exchanging, or transferring money; investing for others; safeguarding money or securities; providing financial or investment advice; and insurance underwriting. Services such as issuing credit cards, managing investment portfolios, and facilitating payment processing are all considered financial services under the Act.

Consumer and Customer

Under the GLBA, all customers are consumers, but not all consumers are customers. A consumer is an individual who obtains financial products or services from a financial institution; a customer is someone with an ongoing relationship with that institution.

For instance, a mortgage borrower is a customer because the loan requires an ongoing relationship. Someone using an ATM to withdraw cash is merely a consumer. This distinction matters because customers typically have more privacy rights under the GLBA than consumers do.

Nonpublic Personal Information (NPI)

Nonpublic personal information refers to personal details of consumers, typically personally identifiable information obtained as a result of transactions or services performed for the consumer. 

NPI can include data a consumer provides to obtain a financial product or service, information resulting from a transaction between the consumer and the institution, or information the institution otherwise obtains in connection with providing a financial product or service.

Social Security numbers, account balances, payment histories, and information derived from consumer reports all fall into this category. Information that is publicly and lawfully available, such as data from public records, is not considered NPI.

NPI is, in essence, a category of personally identifiable information (PII) specific to the financial context and carries correspondingly stringent handling requirements.

Nonaffiliated Third Party

A nonaffiliated third party is any entity that is not an affiliate of the financial institution. The GLBA defines an affiliate as any company that controls, is controlled by, or is under common control with the institution. 

Nonaffiliated third parties are external companies or individuals with whom a financial institution may share consumers' NPI, provided consumers are given proper notice and a meaningful opportunity to opt out.

Opt-Out Rights and Exceptions

The GLBA gives consumers the right to opt out of allowing financial institutions to share their NPI with nonaffiliated third parties. Institutions must provide a clear notice and a reasonable means to decline before any such sharing takes place.

Opt-out rights do not apply in every circumstance, however. Exceptions exist where NPI is shared with service providers performing essential tasks on behalf of the institution, where the institution is legally compelled to disclose the information, or where sharing forms part of a transaction the consumer themselves requested.

Who Must Comply With the GLBA?

The GLBA's scope extends well beyond traditional banks. The following types of organizations are among those most commonly required to comply:

  • Banks: Commercial banks, savings associations, and credit unions managing deposits, providing loans, and offering payment services.
  • Insurance companies: Providers of insurance coverage, particularly those offering diversified financial products and services.
  • Payday lenders: Businesses providing short-term, high-interest loans typically intended to cover expenses until the borrower's next paycheck.
  • Mortgage brokers: Intermediaries between borrowers and lenders helping individuals secure home loans or refinancing options.
  • Non-bank lenders: Organizations offering loans outside traditional banking structures, such as auto loan providers or personal loan companies.
  • Debt collectors: Entities recovering unpaid debts on behalf of creditors, including collections agencies and legal recovery firms.
  • Property and real estate appraisers: Professionals or companies determining the value of homes, vehicles, or commercial property.
  • Professional tax preparers: Individuals or firms providing tax advice and filing assistance.
  • Financial advisors and planners: Professionals offering guidance on investments, retirement plans, estate planning, or wealth management.

Higher education institutions processing Title IV federal student financial aid are also subject to GLBA compliance obligations.

The extent of protection afforded to an individual depends on the nature of their relationship with the institution, whether they are a customer with an ongoing relationship or a consumer engaging in a one-time transaction.

GLBA Exceptions

The GLBA sets out three categories of exception, found in Sections 13, 14, and 15 of the Act, under which financial institutions are not required to provide a privacy notice or offer an opt-out before sharing NPI with nonaffiliated third parties.

Section 13 covers sharing necessary for a third party to perform services on behalf of the institution — including joint marketing arrangements — provided the institution has given an initial notice of these arrangements and the third party is bound by a confidentiality agreement limiting their use of the information to the specified purpose.

Section 14 covers sharing that is necessary to carry out, administer, or enforce a transaction that the consumer themselves requested or authorized, as well as certain disclosures arising from existing customer relationships.

Section 15 covers a range of other disclosures that financial institutions routinely make in the ordinary course of business — including reporting to regulators, complying with legal obligations, and sharing information for fraud prevention purposes.

GLBA Consumer Rights

Under the GLBA, consumers and customers have the following key rights:

  • Right to privacy notice: Customers must receive a clear, conspicuous privacy notice at the start of the customer relationship and annually thereafter (subject to certain exceptions). This notice must explain what information is collected, how it is used, with whom it is shared, and how consumers can exercise their opt-out rights.
  • Right to opt out: Consumers have the right to direct financial institutions not to share their NPI with nonaffiliated third parties for most purposes.
  • Right to protection of information: Consumers have the right to expect that institutions safeguard their data through a robust information security program.
  • Right to breach notification: Since the 2024 Safeguards Rule amendment, customers affected by qualifying security events must be notified as soon as possible — and no later than 30 days after discovery.

What Are the GLBA Compliance Obligations for Financial Institutions?

GLBA compliance requires financial institutions to meet obligations under each of its three rules.

Financial Privacy Rule Obligations

  • Provide customers with an initial privacy notice at the start of the relationship.
  • Provide an annual privacy notice (unless an exception applies).
  • Explain data collection, use, sharing practices, and consumer rights clearly and in plain language.
  • Enable and honor opt-out requests.
  • Limit sharing of account numbers and similar identifiers for direct marketing purposes.

Safeguards Rule Obligations

The Safeguards Rule, as updated in 2021 and 2023, requires covered institutions to develop, implement, and maintain a comprehensive information security program that includes the following elements:

  1. Designate a qualified individual to oversee, implement, and enforce the information security program.
  2. Conduct written risk assessments to identify foreseeable internal and external threats to the security, confidentiality, and integrity of customer information.
  3. Design and implement safeguards to control identified risks, including access controls, encryption of customer information in transit and at rest, multi-factor authentication, and activity monitoring.
  4. Regularly test or monitor the effectiveness of safeguards — at minimum through annual penetration testing and semi-annual vulnerability assessments, or equivalent continuous monitoring.
  5. Train staff to implement the information security program.
  6. Oversee service providers through written contracts requiring appropriate safeguards.
  7. Maintain an incident response plan for security events.
  8. Report to the board (or equivalent senior oversight body) on the information security program at least annually.
  9. Notify the FTC of any qualifying breach involving 500 or more customers within 30 days of discovery.

Institutions with fewer than 5,000 consumer records are exempt from some of these requirements.

Pretexting Rule Obligations

Financial institutions must implement procedures to verify the identity of anyone seeking access to customer information, train staff to recognize pretexting attempts, and establish controls that prevent unauthorized access through social engineering or false pretenses.


GLBA Enforcement 

Enforcement of the GLBA is shared between federal and state agencies, and the responsible authority depends on the type of institution:

  • The FTC: Oversees non-bank financial institutions such as mortgage brokers, payday lenders, and tax preparers.
  • Federal banking regulators: The Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, and the Office of the Comptroller of the Currency (OCC) enforce GLBA compliance for banks and similar entities.
  • The National Credit Union Administration (NCUA): Oversees credit unions.
  • State insurance commissioners: Responsible for ensuring insurance providers comply with the Act at a state level.

Penalties for GLBA Non-Compliance

  • Financial institutions can face civil fines of up to USD 100,000 per violation.
  • Corporate officers and directors can incur personal fines of up to USD 10,000 per violation and up to five years imprisonment for willful violations.
  • State penalties may apply in addition, with institutions liable for up to USD 5,000 per violation and individuals for up to USD 5,000 per violation and one year imprisonment.

Beyond legal consequences, non-compliance can result in significant reputational damage, loss of customer trust, and increased regulatory scrutiny — lasting effects that can materially affect an institution's operations. 

Notable FTC enforcement actions under the GLBA include a USD 4.7 billion suspended judgment against crypto platform Celsius Network in 2023. This was the first time the FTC had brought suit against a digital asset company. 

There was also a 2018 consent decree against PayPal over Venmo's privacy and security practices, and more recent cases targeting student loan debt relief schemes, rental property manager Greystar (2025), and merchant cash advance operators.

GLBA and State Privacy Laws

The GLBA operates as the federal baseline for financial privacy. State-level consumer privacy laws passed to date, including the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), generally recognize the GLBA's authority and carve out GLBA-covered data from their own requirements. However, state laws may impose additional obligations in some circumstances, and institutions must track both federal and state developments carefully.

GLBA Updates

On May 13, 2024, an amendment to the Federal Trade Commission (FTC) Standards for Safeguarding Consumer Information (the "Safeguards Rule") came into effect. This update introduced more stringent requirements for security practices and breach notifications.

Before the amendment, the GLBA required financial institutions simply to develop and maintain a comprehensive security program with administrative, technical, and physical safeguards appropriate to the entity's size and complexity. The updated rule is considerably more prescriptive, outlining nine elements that a business's information security program must include.

Most significantly, the amendment introduced a notification requirement. Financial institutions must now notify the FTC of any security event involving unauthorized access to customer information where 500 or more individuals are affected. 

This threshold is notably low, bringing the GLBA closer to the notification standards of international frameworks such as the EU’s GDPR. Notifications must be sent as soon as possible and no later than 30 days after discovery.

In 2025, the FTC also released Frequently Asked Questions specifically addressing how the Safeguards Rule applies to motor vehicle dealers. 

Separately, the Consumer Financial Protection Bureau (CFPB) issued a Request for Information in January 2025 seeking public input on whether and how to modernize the GLBA's Privacy Rule, including possible improvements to opt-out rights and guidance on fintech and data broker coverage.

GLBA: What's on the Horizon

The regulatory landscape around the GLBA is in active flux. At the federal level, both the FTC and the CFPB have been revisiting key rules, while Congress has been considering more sweeping reforms to the Act's foundational privacy framework.

House Financial Services Committee Discussion Draft

A discussion draft circulated by Representative Bill Huizenga (R-MI) in connection with the House Financial Services Committee hearing of March 17, 2026, titled "Updating America's Financial Privacy Framework for the 21st Century," would, if enacted, significantly modernize Title V of the GLBA.

Key proposals in the draft include:

  • Data minimization: A statutory obligation limiting collection, use, retention, and disclosure of NPI to what is necessary for legitimate business, legal, or regulatory purposes.
  • Strengthened opt-out rights: Consumers would be able to direct an institution not to share their NPI prior to initial disclosure as well as at any time thereafter. The draft's approach to opt-out aligns with the direction of signals such as Global Privacy Control (GPC), which enables consumers to communicate opt-out preferences automatically across platforms.
  • Financial data aggregator coverage: Fintech platforms and data aggregators using consumer credentials to access accounts would be formally defined as covered entities and subject to upfront disclosure obligations.
  • Expanded privacy notices: Institutions would be required to disclose their data retention practices, the use of artificial intelligence in processing consumer data, and how consumers can request access to or deletion of their information.
  • New consumer rights: A right to obtain a copy of NPI held by an institution and a right to request deletion of data after the customer relationship ends, subject to legal and regulatory exceptions.
  • Federal preemption: The draft would substantially revise the GLBA's preemption provisions, centralizing financial privacy and security standards at the federal level and superseding most state privacy rules as they apply to NPI.

The draft is at an early stage. However, it signals that significant reform of the federal financial privacy framework is firmly on the legislative agenda.

How to Achieve GLBA Compliance: Key Steps

Achieving GLBA compliance requires a structured, ongoing approach rather than a one-time exercise. The following steps provide a practical foundation:

1. Determine Whether the GLBA Applies to Your Organization

Confirm whether your organization qualifies as a "financial institution" under the GLBA's broad definition. This includes non-traditional entities such as colleges processing Title IV student financial aid, auto dealers arranging consumer financing, and tax preparation firms. 

The key test is whether your business is "significantly engaged" in financial activities — a threshold that turns on both the existence of a formal arrangement and the regularity with which the activity is conducted. If you are unsure, the FTC's plain-language guidance on the Safeguards Rule is a useful starting point, and legal counsel familiar with the GLBA can help assess whether your specific activities bring you within scope.

2. Appoint a Qualified Individual

Designate a senior person responsible for overseeing, implementing, and enforcing your information security program. This does not need to be a dedicated role. A qualified employee, affiliate, or service provider can serve in this capacity, but the individual must report to the board or equivalent senior oversight body on the status of the program at least annually.

3. Conduct a Written Risk Assessment

Identify and document the types of customer information you hold, the internal and external risks to that information, and the adequacy of existing safeguards. The assessment must be written and should include criteria for evaluating and categorizing identified risks, an assessment of the confidentiality and integrity of your information systems, and a description of how identified risks will be mitigated or accepted. 

Risk assessments are not a one-time exercise. The Safeguards Rule requires them to be repeated periodically, and whenever significant changes to your operations or environment occur.

4. Develop and Implement an Information Security Program

Address the nine elements required by the updated Safeguards Rule, including access controls, encryption, multi-factor authentication, activity monitoring, and an incident response plan. 

The program must be written and tailored to the size, complexity, and sensitivity of your operations. A large bank and a small tax preparation firm will have very different programs, and the rule accommodates that. 

Institutions with fewer than 5,000 consumer records are exempt from certain elements, including the penetration testing and vulnerability assessment requirements and the obligation to report annually to the board.

5. Prepare and Deliver Privacy Notices 

Draft clear, conspicuous privacy notices that accurately reflect your data collection, sharing, and protection practices. Deliver initial notices at account opening and annual notices thereafter (unless an exception applies). 

Notices must be written in plain language and designed to call attention to their significance. Burying key disclosures in fine print or low-contrast text, as the FTC's action against PayPal/Venmo illustrated, will not satisfy the requirement. A model privacy form is available from the CFPB and provides a safe harbor for institutions that use it correctly.

6. Establish and Honor Opt-out Mechanisms

Provide consumers with a straightforward means of opting out of NPI sharing with nonaffiliated third parties — typically a toll-free number, web form, or mail-in form — and process such requests within a reasonable timeframe. 

Opt-out rights must be offered before any sharing takes place, and consumers must be given a reasonable period — generally 30 days — to respond. Once a consumer opts out, that preference must be honored indefinitely unless the consumer affirmatively revokes it.

7. Implement Vendor Oversight Controls

Require service providers with access to customer information to maintain appropriate safeguards, and incorporate these obligations into contractual agreements. 

The Safeguards Rule makes clear that GLBA compliance obligations cannot be delegated to third parties. You remain responsible for the security of customer information even when it is held or processed by a vendor. This means conducting due diligence during vendor selection and periodically reassessing providers based on the risk they present.

8. Train Staff

Ensure employees understand the requirements of the GLBA, can recognize pretexting attempts, and know how to handle customer information appropriately. Training should be provided at onboarding and refreshed regularly as threats and regulatory requirements evolve. 

The FTC has signaled through enforcement actions that inadequate staff training and weak internal controls are common contributors to the compliance failures it investigates.

9. Test and Monitor Your Safeguards

Conduct annual penetration testing and semi-annual vulnerability assessments, or implement continuous monitoring that achieves comparable outcomes. Testing should be scoped based on the risks identified in your written risk assessment, with higher-risk systems prioritized. 

Results must feed back into your security program. Identifying a vulnerability and failing to remediate it offers no protection, and could itself become evidence of non-compliance in an enforcement action.

10. Plan for Breach Notification

Ensure that you have processes in place to detect, assess, and report qualifying security events to the FTC within 30 days of discovery, and to notify affected customers promptly. A qualifying event is the unauthorized acquisition of unencrypted customer information affecting 500 or more individuals. 

Notifications must be submitted electronically via the FTC's online reporting form, and your incident response plan should designate who is responsible for making that determination and filing the report under time pressure.

11. Review and Update Regularly

The GLBA compliance landscape continues to evolve. Monitor FTC guidance, CFPB rulemaking, and state-level developments, and revise your program accordingly. 

The proposed amendments to Title V currently before Congress, which include data minimization obligations, expanded privacy notices, and new consumer access and deletion rights, signal that the compliance requirements for financial institutions are likely to become more demanding in the coming years, not less.

The GLBA requires financial institutions to provide clear privacy notices and to manage consumer opt-out preferences accurately and reliably. For organizations operating digital channels — websites, web applications, or mobile platforms — a consent management platform (CMP) can help automate and centralize much of this work.

A consent management platform (CMP) enables institutions to present compliant privacy notices, capture and store opt-out preferences, and maintain records of consumer consent decisions. This is particularly valuable given the GLBA's requirement that privacy notices be clear and conspicuous, and that opt-out mechanisms be straightforward to use.

Cookiebot by Usercentrics helps financial institutions and other covered entities manage consent in line with GLBA requirements, ensuring that privacy notices are delivered reliably and that consumer choices are honored consistently across digital touchpoints.
