Constraint: constraint.glba-nonpublic-personal-information-financial-services

GLBA Nonpublic Personal Information — Financial Services CDP

Under the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6827), financial institutions must protect the confidentiality and security of customers' Nonpublic Personal Information (NPI) and provide opt-out rights before sharing NPI with non-affiliated third parties. CDPs used by financial institutions must classify data fields as NPI vs. non-NPI, gate third-party activation on NPI opt-out status, and implement a security program meeting the Safeguards Rule (amended 2021/2023).

confidence 88% | v1 | reviewed May 8, 2026 | tags: glba, financial-services, privacy, npi, safeguards, regulatory, compliance, activation-gate, opt-out

The Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6827) applies to financial institutions (banks, credit unions, insurance companies, mortgage brokers, investment advisors, and any company "significantly engaged" in financial activities). GLBA imposes three main obligations with direct CDP architectural implications.

GLBA Privacy Rule. Financial institutions must give customers a clear privacy notice and, before sharing NPI with non-affiliated third parties, a reasonable opportunity to opt out. NPI is personally identifiable financial information that a consumer provides to obtain a product or service, that results from a transaction, or that the institution otherwise obtains, together with any list or grouping of consumers derived from such information (Regulation P, 12 C.F.R. Part 1016, mirrored for FTC-regulated institutions in 16 C.F.R. Part 313). Account numbers, transaction histories, credit scores, loan terms and insurance policy details are NPI, and so is the bare fact that a person is a customer of the institution, which is why a customer list is NPI even when it carries no financial attributes. Publicly available information (information the institution reasonably believes is lawfully available to the general public) is excluded. The opt-out right is ongoing: a customer may opt out at any time, and the institution must honor the direction as soon as reasonably practicable after receiving it, so an activation pipeline that reads opt-out status from a stale snapshot is not honoring it.

Architectural implication 1 — NPI field classification. The CDP data model must classify every customer attribute as NPI or non-NPI, and any attribute that has not been classified should be treated as NPI by default (fail closed). Activation pipelines that push data to third-party ad networks, DMPs, or data brokers must be gated by each customer's GLBA opt-out status. A blanket marketing_consent = true flag does not satisfy GLBA: it records a different consent and says nothing about the GLBA opt-out, which must be tracked as its own attribute and enforced at the field (data type) level, not at the customer level alone. In composable stacks the classification belongs in the CDW's data catalog (column tags, or a classification table the activation job joins against); in packaged CDPs it must be configured at the profile-attribute level with destination-level enforcement.

Architectural implication 2 — Third-party activation gating. Standard CDP activation to Meta Custom Audiences, Google Customer Match, or any programmatic DSP transmits customer identifiers (hashed email, phone) to a third-party platform. For a GLBA-covered institution that transmission is a disclosure of NPI to a non-affiliated third party unless an exception applies: a list of the institution's customers is NPI because it discloses the customer relationship, and hashing the identifiers does not change that, since the platform matches them against its own users. The service-provider and joint-marketing exception (12 C.F.R. § 1016.13 / 16 C.F.R. § 313.13) covers disclosures only where the privacy notice describes the sharing and the contract confines the recipient to using the data on the institution's behalf; an ad platform whose terms let it use uploaded identifiers for its own purposes is unlikely to qualify. The activation pipeline must therefore verify opt-out status, at sync time, before any sync that carries NPI fields. The opt-out right covers sharing, not internal use: an opt-out that also suppresses internal segmentation is over-broad, while an activation pipeline that ignores opt-out status for third-party sharing is non-compliant.
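The gate described in implications 1 and 2, as an added example in Python (not code from this page or from any CDP vendor). Everything in it is constructed for illustration: FIELD_CATALOG stands in for the institution's own NPI classification, Destination.affiliated for the affiliate/non-affiliate distinction, current_opt_out for a sync-time read of the customer's opt-out status, and the Profile records are sample data. It shows the points the text makes: unclassified fields default to NPI, a hashed identifier counts as NPI, only non-affiliated destinations are gated, and a blanket marketing_consent flag would leak an opted-out customer.

```python
"""Added example, not from the page or any CDP product: a field-level GLBA
opt-out gate in front of a third-party activation sync.

Hypothetical pieces: FIELD_CATALOG (the institution's own NPI classification),
Destination.affiliated (whether the receiving party is an affiliate), and
current_opt_out (reads the customer's opt-out status at sync time).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable
import hashlib


class NpiClass(Enum):
    NPI = "npi"
    NON_NPI = "non_npi"


# Hypothetical field catalog. A hashed identifier is NPI because, sent by a
# financial institution, it discloses that the person is a customer; hashing
# does not change that. Fields missing from the catalog are NPI (fail closed).
FIELD_CATALOG = {
    "hashed_email": NpiClass.NPI,
    "account_number": NpiClass.NPI,
    "credit_score": NpiClass.NPI,
    "loan_balance": NpiClass.NPI,
    "preferred_language": NpiClass.NON_NPI,
}


def classify(field_name: str) -> NpiClass:
    return FIELD_CATALOG.get(field_name, NpiClass.NPI)


def npi_fields(payload_fields: Iterable[str]) -> set:
    return {f for f in payload_fields if classify(f) is NpiClass.NPI}


def hash_email(email: str) -> str:
    """SHA-256 of the normalised address, the form Custom Audiences and Customer Match take."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


@dataclass(frozen=True)
class Destination:
    name: str
    affiliated: bool  # the GLBA opt-out governs sharing with non-affiliated parties only


@dataclass
class Profile:
    customer_id: str
    attributes: dict
    marketing_consent: bool  # blanket flag; deliberately not consulted by the gate


def gate_activation(profiles, destination: Destination, payload_fields,
                    opt_out_lookup: Callable[[str], bool]):
    """Return (sent, withheld): sent is [(customer_id, record)], withheld is
    [(customer_id, reason)]. Opt-out is read per customer at sync time, not from
    a snapshot, so a revocation received since the last run is honoured."""
    npi = sorted(npi_fields(payload_fields))
    sent, withheld = [], []
    for p in profiles:
        if not destination.affiliated and npi and opt_out_lookup(p.customer_id):
            withheld.append((p.customer_id, f"glba_opt_out; payload carries NPI {npi}"))
            continue
        sent.append((p.customer_id, {f: p.attributes.get(f) for f in payload_fields}))
    return sent, withheld


# Constructed sample data. c2 has marketing_consent=True but has opted out under GLBA.
OPT_OUT_STATUS = {"c1": False, "c2": True, "c3": True}
PROFILES = [
    Profile("c1", {"hashed_email": hash_email("Ann@Example.com"), "loan_balance": 250000}, True),
    Profile("c2", {"hashed_email": hash_email("bo@example.com"), "loan_balance": 12000}, True),
    Profile("c3", {"hashed_email": hash_email("cy@example.com"), "loan_balance": 98000}, False),
]
AD_PLATFORM = Destination("meta_custom_audiences", affiliated=False)
AFFILIATE = Destination("affiliate_insurance_arm", affiliated=True)


def current_opt_out(customer_id: str) -> bool:
    # Unknown status is treated as opted out rather than silently shared.
    return OPT_OUT_STATUS.get(customer_id, True)


def demo() -> dict:
    fields = ["hashed_email", "branch_visit_count"]  # second field is unclassified -> NPI
    sent, withheld = gate_activation(PROFILES, AD_PLATFORM, fields, current_opt_out)
    aff_sent, _ = gate_activation(PROFILES, AFFILIATE, fields, current_opt_out)
    return {
        "ad_platform_sent": [cid for cid, _ in sent],
        "ad_platform_withheld": [cid for cid, _ in withheld],
        "affiliate_sent": [cid for cid, _ in aff_sent],
        # What a blanket marketing-consent gate would have sent: it leaks c2.
        "naive_marketing_consent_sent": [p.customer_id for p in PROFILES if p.marketing_consent],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() sends only c1 to the ad platform and withholds c2 and c3 with a reason string suitable for an audit log, while the affiliate sync receives all three; the naive marketing_consent list shows c2 would have been shared. The withheld reasons name the NPI fields, which is what an auditor asks for when reconstructing why a record was or was not shared.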

Architectural implication 3 — Safeguards Rule (amended 2021, further updated 2023). GLBA's Safeguards Rule requires financial institutions to develop, implement, and maintain a written information security program protecting customer information. The rule that was amended is the FTC's (16 C.F.R. Part 314), which covers non-bank institutions under FTC jurisdiction (mortgage brokers, non-bank lenders, auto dealers, tax preparers and the like); banks and credit unions answer to the prudential regulators' Interagency Guidelines, and broker-dealers and investment advisers to SEC Regulation S-P, which impose comparable but separately worded requirements. The 2021 amendments (effective June 2023) require: a designated Qualified Individual accountable for the program (a qualified person in-house or at a service provider, not necessarily someone titled CISO); a written risk assessment; access controls that limit each user to the customer information they need; encryption of customer information in transit over external networks and at rest, or compensating controls approved in writing by the Qualified Individual; multi-factor authentication for any individual accessing any information system that holds customer information; continuous monitoring, or else annual penetration testing plus vulnerability assessments at least every six months; a written incident response plan; a retention schedule under which customer information is disposed of no later than two years after its last use unless retention is required; and an annual written report to the board. Institutions holding information on fewer than 5,000 consumers are exempt from the written risk assessment, the incident response plan, continuous monitoring or penetration testing, and the annual board report, but not from the Qualified Individual, access control, encryption, or MFA requirements. The 2023 amendment (effective May 2024) adds notification to the FTC within 30 days of discovering a notification event involving unencrypted customer information of at least 500 consumers. For CDPs and CDWs that ingest NPI, these requirements directly govern access control, encryption, MFA on every console and warehouse login, retention, and security audit. Composable stacks (CDW = Snowflake, BigQuery) running in financial-services environments must be configured to meet them; MFA enforcement, network restrictions and retention limits are account-level settings that have to be turned on explicitly, so a default warehouse configuration should not be assumed to satisfy the rule.

Where the agent should surface this. For any organization with org-dim.industry.financial-services, this constraint is non-negotiable. Ask: "Does your CDP data model classify NPI fields explicitly? How does your activation pipeline gate on customer opt-out status before sharing with third-party ad platforms?"

Sources

Related

← Referenced by

  • governed-by: org-dim.industry.financial-services. GLBA applies to all financial institutions; any financial services CDP implementation is subject to the Privacy Rule, Safeguards Rule, and Pretexting Rule governing NPI.
  • governed-by: concept.consent-management. Consent management architecture for financial services must implement GLBA opt-out logic at the field (NPI) level; GLBA's opt-out right governs sharing NPI with non-affiliated third parties independent of modality.