Gramm-Leach-Bliley Act — FTC Business Guidance
FTC's official guidance hub for the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect the privacy, confidentiality, and security of consumer financial information.
Key regulatory components:
- Financial Privacy Rule: Financial institutions must provide customers a clear notice of their privacy policies and practices and allow consumers to opt out of disclosure of nonpublic personal information (NPI) to non-affiliated third parties (with exceptions for service providers under contract and certain legally permitted disclosures).
- Safeguards Rule: Covered institutions must develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards. The 2021 amendments added specific required elements, including a designated qualified individual who owns the program, a written risk assessment, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, logging and monitoring of user activity, secure disposal of customer information, and oversight of service providers. The 2023 amendment (effective May 2024) added mandatory notification to the FTC of a "notification event" involving unencrypted customer information of at least 500 consumers, as soon as possible and no later than 30 days after discovery.
- Pretexting Provisions: Prohibit obtaining customer financial information from a financial institution through false pretenses, social engineering, or impersonation, and prohibit soliciting someone else to obtain it that way.
Covered entities: Any company significantly engaged in "financial activities" as defined by the Bank Holding Company Act. Banks and other depository institutions are covered by GLBA but supervised by their prudential regulators rather than the FTC; the FTC's rules reach the non-bank remainder, including mortgage lenders and brokers, non-bank lenders, insurance companies, tax preparers, real estate settlement services, debt collectors, and fintech companies that collect or process consumer financial data.
NPI definition: "Nonpublic personal information" (NPI) is any personally identifiable financial information collected in connection with providing a financial product or service, unless otherwise publicly available. It also includes any list, description, or grouping of consumers derived from such information, so a segment of "current customers" exported from a financial institution is itself NPI even if it carries only names and contact details.
CDP/data-pipeline relevance: When a marketing CDP pipeline ingests, unifies, or activates data for a financial-institution client, GLBA governs how NPI flows to non-affiliated third parties. An activation destination may receive NPI only if it operates under a qualifying exception (e.g., a service provider bound by contract to keep the information confidential and not reuse or redisclose it) or if the consumer has received the privacy notice and a reasonable opportunity to opt out and has not opted out. A consumer who has exercised the opt-out must be excluded from any transfer to a non-affiliated party that does not fall under an exception. Recipients under an exception are themselves limited in how they may reuse and redisclose the NPI. Data minimization also has a concrete hook in the Safeguards Rule: customer information must be securely disposed of no later than two years after it was last used for the customer's product or service unless retention is needed for a legitimate business purpose or required by law, and retention policy must be periodically reviewed to minimize unnecessary retention.
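One way to encode the activation rule above as a gate in the pipeline, as an added example that is not from the FTC page or any CDP product. The relationship labels, the `contract_limits_reuse` flag, the consumer consent fields, the NPI field list, and the sample record are all hypothetical; which pipeline fields count as NPI is a classification decision the institution must make (and a customer list derived from NPI is itself NPI, so the sample treats the customer-status field as NPI too).

```python
# Added example: activation-time gate deciding whether a CDP may forward
# NPI fields to a destination under GLBA's Privacy Rule opt-out model.
# All names below are hypothetical, not an API of any real CDP.
from dataclasses import dataclass
from enum import Enum
from typing import Any, Dict, Optional, Tuple


class Relationship(Enum):
    AFFILIATE = "affiliate"
    SERVICE_PROVIDER = "service_provider"
    NONAFFILIATED = "nonaffiliated"


@dataclass(frozen=True)
class Destination:
    name: str
    relationship: Relationship
    # The service-provider exception only holds when the contract binds the
    # recipient to confidentiality and limits reuse/redisclosure.
    contract_limits_reuse: bool = False


@dataclass(frozen=True)
class Consumer:
    consumer_id: str
    notice_delivered: bool  # privacy notice + reasonable opportunity to opt out
    opted_out: bool


# Hypothetical classification of pipeline fields that carry NPI. The
# "is_customer" flag is included because a list of customers derived from
# account data is itself NPI.
NPI_FIELDS = frozenset({"account_number", "balance", "loan_status", "is_customer"})


def sharing_basis(dest: Destination, consumer: Consumer) -> Optional[str]:
    """Return the basis on which NPI may be sent, or None if it must be withheld."""
    if dest.relationship is Relationship.AFFILIATE:
        # The GLBA opt-out covers non-affiliated third parties only.
        return "affiliate"
    if dest.relationship is Relationship.SERVICE_PROVIDER and dest.contract_limits_reuse:
        return "service_provider_exception"
    # Everything else (including a "service provider" without a qualifying
    # contract) is treated as a non-affiliated third party: sharing requires
    # notice, and the consumer must NOT have opted out.
    if consumer.notice_delivered and not consumer.opted_out:
        return "notice_given_no_opt_out"
    return None


def build_activation_payload(
    record: Dict[str, Any], dest: Destination, consumer: Consumer
) -> Tuple[Dict[str, Any], str]:
    """Return (payload, basis). NPI fields are stripped when no basis exists."""
    basis = sharing_basis(dest, consumer)
    if basis is not None:
        return dict(record), basis
    redacted = {k: v for k, v in record.items() if k not in NPI_FIELDS}
    return redacted, "npi_withheld"


if __name__ == "__main__":
    # Constructed sample record, not real customer data.
    record = {
        "consumer_id": "c-1001",
        "email": "sample@example.invalid",
        "is_customer": True,
        "balance": 1250.00,
        "account_number": "0000-SAMPLE",
    }
    opted_out = Consumer("c-1001", notice_delivered=True, opted_out=True)
    ad_network = Destination("ad-network", Relationship.NONAFFILIATED)
    print(build_activation_payload(record, ad_network, opted_out))
```

The gate is deliberately fail-closed: an unknown destination relationship, a missing contract flag, or an undelivered notice all fall through to the redaction path, and the returned basis string is what the pipeline should write to its audit log for each activation.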