GLBA — Gramm-Leach-Bliley Act
GLBA (1999) requires US financial institutions to protect customers' financial data through privacy notices, opt-out rights, and information security safeguards.
Summary
The Gramm-Leach-Bliley Act (GLBA) is a US federal law passed in 1999 requiring financial institutions to protect the privacy and security of their customers' nonpublic personal information (NPI).
- Financial Privacy Rule: Financial institutions must provide customers with privacy notices and the right to opt out of sharing their information with third parties.
- Safeguards Rule: Financial institutions must implement information security programs to protect customer data.
- Pretexting prohibition: Prohibition on obtaining financial information through deception.
- FTC Safeguards Rule (2023): Substantially strengthened security requirements for non-bank financial institutions.
History
GLBA was signed by President Clinton on 12 November 1999. The law was primarily aimed at partially repealing the Glass-Steagall Act — specifically Sections 20 and 32 on affiliation restrictions between banks and securities firms — thereby allowing banks, securities firms, and insurance companies to merge. Sections 16 and 21 of the Glass-Steagall Act remained in effect. Data privacy provisions were included as part of the legislation. The FTC published the Financial Privacy Rule in May 2000. The Safeguards Rule was issued in May 2002 and took effect in May 2003. The Safeguards Rule was substantially revised in 2021 (fully effective from June 2023), significantly strengthening technical security requirements including encryption mandates, multi-factor authentication, and breach reporting obligations. In May 2024, the breach notification requirement of the revised Safeguards Rule took effect. The SEC adopted amendments to Regulation S-P in 2024 with updated privacy and security requirements for broker-dealers and investment advisers. At the state level, Montana (SB 297, effective October 1, 2025) and Connecticut (SB 1295, effective July 1, 2026) are restricting GLBA entity-level exemptions in their state privacy laws.
Scope
GLBA applies to "financial institutions" broadly defined: banks, savings institutions, credit unions, securities dealers, insurance companies, mortgage lenders, financial advisors, tax preparers, debt collectors, travel agencies (if offering financial services), and many others. The FTC Safeguards Rule applies specifically to non-bank financial institutions. The Federal Reserve, OCC, and FDIC have their own parallel regulations for banks.
Key Requirements
- Privacy notice: Privacy notices to customers detailing data collected and sharing practices. Since the FAST Act (2015), financial institutions that have not changed their privacy practices and only share data under certain statutory exceptions are exempt from the annual delivery requirement.
- Opt-out right: Customers must have the opportunity to opt out of sharing their data with non-affiliated third parties.
- Information security program: Written, comprehensive security program with risk assessment, technical and administrative safeguards.
- Technical requirements (Safeguards Rule 2023): Encryption, multi-factor authentication, penetration testing, vulnerability assessments, designated security officer.
- Breach notification: Notification of data breaches to the FTC within 30 days when at least 500 consumers are affected (from May 2024).
- Vendor oversight: Oversight of service providers with access to customer data.
Related Frameworks
Corrections & Errata
2 corrections:
- Breach notification threshold missing: 500-consumer minimum not mentioned
- Incorrect chronology: FTC Privacy Rule and Safeguards Rule not issued simultaneously
2 updates:
- Annual privacy notices: FAST Act exception (2015) not mentioned
- Missing recent developments 2024-2026: State legislation and CFPB modernization
2 clarifications.