USA: Interaction of the GLBA and the CCPA/CPRA

Just as the Gramm-Leach-Bliley Act of 1999 ('GLBA') permits US states to extend greater protections than afforded by the same, states can also choose to exempt GLBA-regulated entities from compliance with state privacy statutes. In this Insight article, David Zetoony and Jena Valdetero, from Greenberg Traurig LLP, discuss how the California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA') apply to financial institutions, whilst also drawing comparisons to other state privacy statutes' exemptions for financial institutions.

The GLBA

On 12 November 1999, the U.S. Congress enacted the Financial Services Modernization Act. The Act is commonly referred to as the GLBA after the lead sponsors Senator Phil Gramm of Texas, Representative James Leach of Iowa, and Representative Thomas Bliley of Virginia.

The GLBA made sweeping reforms of the financial services industry and comprises the following six titles:

  1. Title I addresses common ownership between and among banks, securities firms, and insurance companies.
  2. Title II addresses the functional federal regulators responsible for broker dealers, bank investment companies, and bank holding companies.
  3. Title III addresses federal and state regulation of the insurance industry.
  4. Title IV imposes limitations on the ownership of certain assets by savings and loan holding companies.
  5. Title V imposes privacy and security obligations on financial institutions in connection with non-public personal information.
  6. Title VI addresses the home loan banking system.

The GLBA applies to 'financial institutions', a term which is broadly defined to include 'any institution the business of which is engaged in financial activities as described in section 1843(k) of title 12 [the Bank Export Services Act]' [1]. Subsection 1843(k) of the Bank Export Services Act refers to activities that are 'financial in nature', 'incidental to such financial activit[ies]', or 'complementary to a financial activity' [2]. While not exclusive, the code identifies the following seven activities that are deemed to be 'financial in nature':

  1. lending, exchanging, transferring, investing for others, or safeguarding money or securities;
  2. insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any state;
  3. providing financial, investment, or economic advisory services, including advising an investment company;
  4. issuing or selling instruments representing interests in pools of assets permissible for a bank to hold directly;
  5. underwriting, dealing in, or making a market in securities;
  6. engaging in any activity that the Board of Governors of the Federal Reserve System has determined, by order or regulation that is in effect on 12 November 1999, to be so closely related to banking or managing or controlling banks as to be a proper incident thereto; and
  7. engaging, in the US, in any activity that a bank holding company may engage in outside of the US and that the Board of Governors of the Federal Reserve System has determined, under regulations prescribed or interpretations issued pursuant to Subsection (c)(13) (as in effect on the day before 12 November 1999), to be usual in connection with the transaction of banking or other financial operations abroad [3].

As indicated above, Title V of the GLBA specifically governs the privacy and security of non-public personal information of consumers [4]. In 2000, the federal banking agencies, the U.S. Securities and Exchange Commission ('SEC'), and the Federal Trade Commission ('FTC') began publishing joint regulations implementing Title V. These regulations apply to financial institutions subject to supervision by the respective agencies. To date, the following are some of the main privacy and security regulations that have been promulgated:

| Regulation | Code Citation | Description |
|---|---|---|
| Privacy of Consumer Financial Information and Safeguarding Personal Information | 12 C.F.R. §216.1 (Fed Reserve) [5]; 12 C.F.R. §332 (FDIC); 12 C.F.R. §573 (OTS); 12 C.F.R. §40 (OCC); 16 C.F.R. §313 (FTC); 12 C.F.R. §716 (NCUA); 17 C.F.R. §248 (SEC) (Regulation S-P); 17 C.F.R. §160 (CFTC); 12 C.F.R. §1016 (CFPB) | Rules governing the duties of certain financial institutions (e.g. banks, mortgage lenders, etc.) to provide privacy notices and limitations on disclosure of non-public personal information. |
| Safeguards Rule | 16 C.F.R. §314 (FTC) | Rules governing the obligation to safeguard customer information for entities subject to FTC jurisdiction. |
| Interagency Guidelines Establishing Information Security Standards | 12 C.F.R. §364 Appendix B (FDIC); 12 C.F.R. §30 Appendix B (OCC); 12 C.F.R. §208 Appendix D-2 and §225 Appendix F (Fed Reserve) | Rules governing the obligation to safeguard customer information and data breach reporting for entities subject to bank regulatory agencies. |

The type of information protected by the GLBA

The GLBA and the implementing regulations referenced above impose privacy requirements upon financial institutions that collect 'nonpublic personal information about individuals who obtain (or apply for) financial products or services primarily for personal, family, or household purposes' [6]. The agencies responsible for enforcing the GLBA have taken the position that Title V of the GLBA, and the regulations implementing Title V, do not apply to personal data collected in the following contexts:

  • Business-to-business ('B2B') and services: when a financial institution collects information about individuals 'who obtain financial products or services for business, commercial, or agricultural purposes', such as information collected when providing commercial loans, commercial checking accounts, or other B2B services [7].
  • Visitors to financial institutions' websites who have not applied for a product or service: when a financial institution collects information from, or about, visitors to the institution's website who do not have (or are not seeking) a relationship with the institution [8].
  • Employee information: when a financial institution collects information from, or about, its employees in an employment-related context.

Does the GLBA preempt state privacy laws?

The GLBA preempts state laws only to the extent that compliance with a state law would be 'inconsistent with' the requirements of the GLBA [9]. A state law is not considered 'inconsistent' if it provides a person with 'protection' that 'is greater than the protection provided' under the GLBA [10]. As a result, the GLBA does not preempt state privacy laws, such as the CCPA or the CPRA, that purport to impose additional privacy requirements on businesses.

Can state laws exempt GLBA-regulated entities or GLBA-regulated data?

Just as the GLBA permits states to extend greater protections than afforded by the GLBA, states also can choose to exempt GLBA-regulated entities from compliance with state privacy statutes. For example, comprehensive privacy laws passed in Virginia, Colorado, Utah, and Connecticut all expressly carve out GLBA-regulated entities from compliance.

Do the CCPA/CPRA provide an exemption for financial institutions?

The CCPA/CPRA do not provide a blanket exemption for financial institutions. Instead, the statutes provide a partial exemption that contains two significant exceptions to the exemption.

First, the exemption only applies to information collected by financial institutions if that information is itself subject to the GLBA (e.g. information about individuals who have obtained personal financial products from the institution, or who have applied for a financial product). As a result, if a financial institution that is subject to the GLBA for some types of data collection (e.g. consumer financial accounts) collects personal information in other contexts (e.g. business financial accounts, or information about website visitors who are not customers), the personal information that is not subject to the GLBA would not be exempt from the CCPA/CPRA (i.e. the CCPA/CPRA would apply to such information). In addition, a financial institution with employees in California would also have to comply with the CCPA/CPRA with respect to the personal information of those employees.

Second, even with respect to data that is subject to the GLBA, the CCPA/CPRA only exempt a financial institution from having to follow the data privacy requirements of the CCPA/CPRA (i.e. those requirements related to the collection, use, and volitional sharing of the personal data). It does not exempt the financial institution from having to follow the data security requirements of the CCPA/CPRA (i.e. those requirements related to the protection of personal data). As a result, the California Attorney General ('AG'), the California Privacy Protection Agency ('CPPA'), and private plaintiffs may still bring suit against financial institutions for alleged data security failures that lead to data breaches.

Do other state privacy laws exempt financial institutions?

As the following chart illustrates, other modern state privacy statutes confer a broader exemption for financial institutions as compared to the exemption conferred by the CCPA/CPRA [11]. The chart compares California's CCPA/CPRA, Nevada's Online Privacy Notice Statute, the Virginia Consumer Data Protection Act ('CDPA'), the Colorado Privacy Act ('CPA'), and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA').

Exemptions for financial institutions/data for modern state privacy law

(exemptions in green; situations where the state statute applies in red)

| | California (CCPA/CPRA) | Nevada (Online Privacy Notice Statute) | Virginia (VCDPA) | Colorado (CPA) | Connecticut (CTDPA) |
|---|---|---|---|---|---|
| Personal accounts | | | | | |
| Data privacy obligations of the state law: Does the state general privacy statute impose data privacy obligations upon personal data subject to the GLBA (i.e. non-public information about consumer accounts)? | Data exempt (statute probably does not apply) [12] | Data exempt (statute probably does not apply) [13] | Data exempt (statute probably does not apply) [14] | Data exempt (statute probably does not apply) [15] | Data exempt (statute probably does not apply) [16] |
| Data security obligations of the state law: Does the state general privacy statute impose data security obligations upon personal data subject to the GLBA (i.e. non-public information about consumer accounts)? | No exemption (statute applies) [17] | N/A [18] | Data exempt (statute probably does not apply) [19] | Data exempt (statute probably does not apply) [20] | Data exempt (statute probably does not apply) [21] |
| Non-personal accounts (e.g. business accounts) | | | | | |
| Data privacy obligations: Does the state general privacy statute impose data privacy obligations upon data not subject to the GLBA, if the financial institution is itself subject to the GLBA (e.g. non-public information about business accounts)? | No exemption (statute applies) [22] | Data exempt (statute probably does not apply) [23] | Data exempt (statute probably does not apply) [24] | Data exempt (statute probably does not apply) [25] | Data exempt (statute probably does not apply) [26] |
| Data security obligations: The exemption arguably covers data not subject to the GLBA, if the financial institution is itself subject to the GLBA (e.g. non-public information about business accounts). | No exemption (statute applies) [27] | N/A [28] | Data exempt (statute probably does not apply) [29] | Data exempt (statute probably does not apply) [30] | Data exempt (statute probably does not apply) [31] |
| Individuals that are neither customers nor consumers of the financial institution (e.g. website visitors) | | | | | |
| Data privacy obligations of the state law: Does the state general privacy statute impose data privacy obligations upon personal data not subject to the GLBA (i.e. website visitors)? | No exemption (statute applies) [32] | Data exempt (statute probably does not apply) [33] | Data exempt (statute probably does not apply) [34] | Data exempt (statute probably does not apply) [35] | Data exempt (statute probably does not apply) [36] |
| Data security obligations of the state law: Does the state general privacy statute impose data security obligations upon personal data not subject to the GLBA (i.e. website visitors)? | No exemption (statute applies) [37] | N/A [38] | Data exempt (statute probably does not apply) [39] | Data exempt (statute probably does not apply) [40] | Data exempt (statute probably does not apply) [41] |

David Zetoony, Shareholder
Jena Valdetero, Shareholder
Greenberg Traurig LLP, Denver


1. 15 U.S.C. § 6809(3) (2022).
2. 12 U.S.C. § 1843(k)(1)(A), (B) (2022).
3. 12 U.S.C. § 1843(k)(4) (2022).
4. FDIC Compliance Examination Manual Section VIII-1.1 (April 2021). While Title V does not explicitly state that its scope is limited to the collection of non-public personal information about consumers, each of the requirements within Title V references 'consumer' or 'customer' non-public personal information.
5. Repealed as part of transfer of rulemaking authority to CFPB.
6. 12 C.F.R. § 216.1(b).
7. See e.g. 12 C.F.R. § 332.1(b)(1) (2022).
8. Federal Reserve, Regulation P: Privacy of Consumer Financial Information Frequently Asked Questions, at B.5 (Dec. 2001).
9. 15 U.S.C. § 6807(a) (2022).
10. 15 U.S.C. § 6807(b) (2022).
11. It should be noted that courts and regulatory agencies have not provided guidance regarding the applicability of the statutes depicted below to financial institutions. As a result, it is possible that a court or a regulatory agency might take the position that, despite broadly worded exemptions, the state privacy law does, in fact, apply to financial institutions in the contexts depicted by 'no's' in the chart.
12. Cal. Civ. Code § 1798.145(e) (West 2022).
13. N.R.S. 603A.330(2)(b) (2022).
14. Va. Code Ann. § 59.1-576(B) (2022).
15. C.R.S. 6-1-1304(2)(j)(II).
16. Conn. Sub. Bill No. 6, § 3(a)(5) (2022).
17. Cal. Civ. Code § 1798.145(e) (West 2022).
18. Note that while the Nevada Online Privacy Notice statute does not impart data security obligations, Nevada has other statutes which do impose obligations to secure personal information or to report data breaches. Financial institutions are not fully exempt from those provisions.
19. Va. Code Ann. § 59.1-576(B) (2022).
20. C.R.S. 6-1-1304(2)(j)(II).
21. Conn. Sub. Bill No. 6, § 3(a)(5) (2022).
22. Cal. Civ. Code § 1798.145(e) (West 2022).
23. N.R.S. 603A.330(2)(b) (2022).
24. Va. Code Ann. § 59.1-576(B) (2022).
25. C.R.S. 6-1-1304(2)(q) (2022).
26. Conn. Sub. Bill No. 6, § 3(a)(5) (2022).
27. Cal. Civ. Code § 1798.145(e) (West 2022).
28. Note that while the Nevada Online Privacy Notice statute does not impart data security obligations, Nevada has other statutes which do impose obligations to secure personal information or to report data breaches. Financial institutions are not fully exempt from those provisions.
29. Va. Code Ann. § 59.1-576(B) (2022).
30. C.R.S. 6-1-1304(2)(q) (2022).
31. Conn. Sub. Bill No. 6, § 3(a)(5) (2022).
32. Cal. Civ. Code § 1798.145(e) (West 2022).
33. N.R.S. 603A.330(2)(b) (2021).
34. Va. Code Ann. § 59.1-576(B) (2022).
35. C.R.S. 6-1-1304(2)(q) (2022).
36. Conn. Sub. Bill No. 6, § 3(a)(5) (2022).
37. Cal. Civ. Code § 1798.145(e) (West 2022).
38. Note that while the Nevada Online Privacy Notice statute does not impart data security obligations, Nevada has other statutes which do impose obligations to secure personal information or to report data breaches. Financial institutions are not fully exempt from those provisions.
39. Va. Code Ann. § 59.1-576(B) (2022).
40. C.R.S. 6-1-1304(2)(q) (2022).
41. Conn. Sub. Bill No. 6, § 3(a)(5) (2022).