GLBA

Gramm-Leach-Bliley Act

Key Facts

Effective Date
July 1, 2001
Enacted
November 12, 1999
Enforcing Authority
FTC (for non-bank financial institutions), federal banking regulators (OCC, FDIC, Federal Reserve, NCUA), CFPB (Regulation P, the privacy rule), SEC, CFTC, state insurance regulators
Consent Model
Opt-out
Applies To
Financial institutions — banks, credit unions, insurance companies, securities firms, and companies providing financial products or services

Overview

The GLBA Privacy Rule requires financial institutions to explain their information-sharing practices in a privacy notice and to give customers the right to opt out of having their nonpublic personal information (NPI) shared with non-affiliated third parties, subject to statutory exceptions (for example, service providers acting on the institution's behalf under a confidentiality contract, and joint marketing arrangements). The FTC's amended Safeguards Rule (amended December 2021, with most new provisions in force from June 9, 2023) requires FTC-regulated financial institutions to maintain a written information security program with specified elements, including encryption of customer information, multi-factor authentication, and a written incident response plan. Banks and credit unions follow the equivalent interagency security guidelines issued by their own regulators.

What This Means for Your Website

  • If you are a financial institution, you must provide a privacy notice explaining your information-sharing practices (at the start of the customer relationship and annually thereafter, unless the annual-notice exception applies)
  • Customers must have an opt-out mechanism, and a reasonable time to use it, before NPI is shared with non-affiliated third parties outside the statutory exceptions
  • A comprehensive written information security program is mandatory under the Safeguards Rule, and it covers customer information collected through the website, not just core banking systems
  • Most US state comprehensive privacy laws exempt GLBA-regulated entities, but some (California in particular) exempt only the data covered by GLBA, so website data that falls outside GLBA may still be in scope
  • A CMP serving financial institution websites must account for the GLBA opt-out alongside any state-law opt-out or consent requirements that still apply

Enforcement

Multiple regulators enforce GLBA: the FTC for non-bank financial institutions, the federal banking regulators for banks and credit unions, the SEC and CFTC for securities and commodities firms, and state insurance regulators for insurers. Commonly cited penalties are up to $100,000 per violation for the institution, up to $10,000 per violation for responsible officers and directors, and up to five years' imprisonment; civil penalties and consent-order terms vary by regulator. The Safeguards Rule requires a designated qualified individual to oversee the security program, a written risk assessment, and a written incident response plan.

How ConsentStack Handles This

ConsentStack supports financial institution websites by implementing the opt-out model required by GLBA alongside any state-law requirements that still apply (for example, where a state exempts only GLBA-covered data rather than the whole entity).

Penalties

Commonly cited: up to $100,000 per violation for the institution, up to $10,000 per violation for responsible officers and directors, and up to five years' imprisonment. Civil penalties vary by regulator; FTC Safeguards Rule enforcement typically takes the form of consent orders, with civil penalties for violating an order.

Maximum Fine
$100,000 per violation (commonly cited figure)

Key Requirements

  • Privacy notices explaining information-sharing practices, delivered at the start of the customer relationship and annually thereafter
  • Opt-out mechanism, with a reasonable time to exercise it, before sharing NPI with non-affiliated third parties outside the statutory exceptions
  • Comprehensive written information security program (Safeguards Rule)
  • Designation of a qualified individual to oversee the security program and report to the board or senior management at least annually
  • Written risk assessments, controls based on them, and a written incident response plan

Notable Provisions

  • Amended Safeguards Rule, most provisions in force June 9, 2023 (encryption, MFA, access controls, monitoring or periodic testing, written incident response plan); a further amendment effective May 13, 2024 requires FTC-regulated institutions to notify the FTC within 30 days of discovering a breach of unencrypted customer information affecting at least 500 consumers
  • Most US state comprehensive privacy laws exempt GLBA-regulated entities at the entity level; California exempts only GLBA-covered data
  • Applies to broadly defined financial institutions, including non-bank businesses such as mortgage brokers, auto dealers that arrange financing, and tax preparers

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (the California Privacy Protection Agency, CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law, based on 10 fair information principles. Requires express consent for sensitive data and allows implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. Bill C-27, which would have replaced PIPEDA with the Consumer Privacy Protection Act (not to be confused with California's CPPA agency), died in January 2025; a new bill is expected.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% of worldwide turnover). The strictest cookie consent requirements in North America.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law: no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

Does GLBA apply to cookies?

Indirectly. GLBA covers nonpublic personal information however it is collected, including online, so cookie or pixel data that can be tied to a customer relationship (for example, behavioral data collected from a logged-in online banking session) is NPI. Sharing it with a third-party analytics or advertising provider is therefore either covered by the service-provider exception, which requires a contract restricting the provider's use of the data, or subject to notice and opt-out. The Safeguards Rule also treats that data as customer information, so it must be protected (encryption, access controls) and covered by the incident response plan.

Are GLBA entities exempt from state privacy laws?

Most US state comprehensive privacy laws exempt GLBA-regulated entities, though the scope varies by state. Many states exempt the entity as a whole; California (under the CCPA/CPRA) exempts only personal information collected pursuant to GLBA, so a financial institution's website data that falls outside GLBA, such as marketing data about non-customers, remains subject to state law.

What changed in the GLBA Safeguards Rule?

The FTC amended the Safeguards Rule in December 2021, with most new provisions taking effect on June 9, 2023. The amended rule specifies the elements an information security program must contain: a designated qualified individual responsible for the program; a written risk assessment; access controls; encryption of customer information in transit and at rest; multi-factor authentication for anyone accessing customer information; secure development practices for in-house applications; either continuous monitoring or annual penetration testing plus semiannual vulnerability assessments; staff training; oversight of service providers; a written incident response plan; and an annual written report to the board or senior management. A further amendment, effective May 13, 2024, requires notifying the FTC within 30 days of discovering a breach of unencrypted customer information affecting at least 500 consumers.

Stay compliant with GLBA

ConsentStack helps you implement opt-out consent under United States federal requirements automatically.