
Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act is a U.S. financial privacy law that requires financial institutions to explain information-sharing practices and protect customer data.

Updated May 24, 2026


What Is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act, often shortened to GLBA, is a U.S. law that governs financial privacy and customer information security at financial institutions. It requires covered institutions to explain certain information-sharing practices and to protect customers' nonpublic personal information.

The law is also known as the Financial Services Modernization Act of 1999 because it restructured U.S. financial regulation, repealing parts of the Glass-Steagall Act so that banking, securities, and insurance activities could be combined under one holding company. The privacy and data-security provisions sit in Title V of the statute. For consumers, the most visible parts are the privacy notices, opt-out rights for some sharing, and data-safeguarding obligations.

Key Takeaways

  • GLBA applies to many companies that provide financial products or services to consumers.
  • Its privacy provisions cover nonpublic personal financial information.
  • Covered institutions must give privacy notices explaining information-sharing practices.
  • Safeguards requirements (the FTC's Safeguards Rule for firms under FTC jurisdiction, and parallel interagency guidelines for banks and other regulated institutions) require a written information security program to protect customer information.
  • The law is a privacy and data-security framework, not a guarantee that all sharing is prohibited.

What the Law Covers

GLBA's financial privacy provisions apply to financial institutions, and the statute defines that term broadly as any company significantly engaged in financial activities, so it reaches well beyond traditional banks. Banks, credit unions, broker-dealers, and insurers answer to their own regulators, while the FTC covers most non-bank firms. Under the FTC's rules, covered businesses can include lenders, mortgage brokers, financial advisers, tax preparers, debt collectors, auto dealers that arrange financing, and other firms that handle consumer financial information.

The law focuses on nonpublic personal information (NPI). That includes information a consumer gives to obtain a financial product or service, information resulting from a transaction involving that product or service, and information otherwise obtained in the course of providing it. Information that is lawfully made available to the public, such as a phone directory listing or a recorded mortgage, is excluded. The practical concern is that financial data can reveal income, debt, account relationships, payment behavior, and household circumstances.

Privacy Notices and Opt-Out Rights

One major GLBA requirement is notice. Covered institutions generally must give a clear and conspicuous privacy notice when a customer relationship begins, and in most cases annually thereafter, describing how they collect, share, and protect consumer information. The notice also must explain the consumer's right to opt out of certain sharing with nonaffiliated third parties.

The opt-out framework is narrower than many people assume. GLBA does not give consumers a universal right to stop every transfer of information. Sharing with service providers and joint-marketing partners, and sharing needed to process transactions, service accounts, prevent fraud, or comply with law, falls within statutory exceptions that carry no opt-out. GLBA itself also provides no opt-out for sharing among a company's own affiliates; limits on affiliate sharing come from the Fair Credit Reporting Act instead. The notice still matters because it tells customers what kind of sharing the institution says it does.

Information Security Duties

GLBA also has a security side. The FTC's Safeguards Rule (16 CFR Part 314) requires covered financial institutions under FTC jurisdiction to develop, implement, and maintain a written information security program. The program must be appropriate to the size and complexity of the business, the nature of its activities, and the sensitivity of the customer information it handles. Banks and other prudentially regulated institutions face comparable obligations under the Interagency Guidelines Establishing Information Security Standards.

The 2021 amendments to the FTC rule replaced much of the earlier flexibility with specific controls. A covered firm must designate a qualified individual to run the program, perform and document a written risk assessment, restrict access to customer information on a need-to-know basis, encrypt customer information in transit and at rest, require multi-factor authentication for anyone accessing an information system that holds customer information, adopt secure development practices for in-house software, log and monitor activity by authorized users, and either monitor continuously or run annual penetration tests and vulnerability assessments at least every six months. It also must train staff, oversee service providers by contract and periodic review, maintain a written incident response plan, and deliver an annual written report to its board or senior management. Since May 2024 the rule further requires notifying the FTC within 30 days of discovering unauthorized acquisition of unencrypted customer information affecting at least 500 consumers. Exceptions for the smallest firms (those holding information on fewer than 5,000 consumers) remove some of the written-plan and reporting requirements, not the underlying safeguards.

In practical terms, the law turns customer data into a compliance obligation. A firm that collects sensitive financial information cannot treat privacy as a marketing promise alone. It needs governance, risk assessment, access controls, monitoring, vendor oversight, incident response, and other safeguards that match the risk, and it needs evidence that those controls exist and operate.

Business and Consumer Impact

For consumers, GLBA explains why financial firms send privacy notices and why those notices often include opt-out instructions. The notices can be dense, but they provide a structured view of whether a firm shares information with affiliates, nonaffiliates, service providers, joint marketers, or others.

For businesses, GLBA affects contracts, vendor management, cybersecurity budgets, employee training, and recordkeeping. A small firm that handles financial data may still face meaningful obligations if it falls within the covered activities. A large institution will need a more formal security program, documented risk assessments, and board-level oversight.

GLBA also interacts with other privacy, cybersecurity, and consumer-protection regimes. A bank, lender, adviser, or financial technology provider may need to comply with GLBA while also meeting state privacy laws, banking rules, contractual data-security standards, and incident-response obligations. The law is one layer of a broader data-governance stack.

The Bottom Line

The Gramm-Leach-Bliley Act is a core U.S. financial privacy and information-security law. It does not stop all data sharing, but it requires covered financial institutions to disclose key practices and maintain safeguards for customer information.
