The GLBA Privacy Rule: Privacy Notice Requirements for Financial Institutions
The GLBA Privacy Rule is a federal rule that governs GLBA privacy notices, the required disclosures that explain what nonpublic personal information (NPI) a financial institution collects, how it is shared, and what choices consumers have to limit that sharing. It is one of three rules under the Gramm-Leach-Bliley Act (GLBA), alongside the Safeguards Rule and the Pretexting Provisions.
Every financial institution subject to GLBA compliance must meet the Privacy Rule’s requirements for privacy notices, consumer opt-out rights, and data sharing disclosures. What the rule requires depends on how the organization collects, uses, and shares consumer data, and whether individuals are classified as consumers or customers.
This guide covers the Privacy Rule’s scope and enforcement, privacy notice content and delivery requirements, NPI definitions, consumer vs. customer distinctions, opt-out rights, the FAST Act exception, and the relationship between the Privacy Rule and data security obligations.
What Is the GLBA Privacy Rule?
The GLBA Privacy Rule establishes how financial institutions collect, use, and disclose consumers’ nonpublic personal information (NPI). It implements the privacy provisions of Title V of the Gramm-Leach-Bliley Act (GLBA), sets requirements for initial and annual privacy notices, defines consumer opt-out rights, and establishes standards for how institutions communicate their data practices.
Each regulator enforces the Privacy Rule through its own implementing regulation: the CFPB through Regulation P (12 CFR Part 1016), the FTC through 16 CFR Part 313, and the SEC through Regulation S-P. The requirements are substantively the same across regulators — which regulation applies depends on which agency supervises the institution. The CFPB publishes examination procedures that detail how regulators assess compliance with these requirements.
To comply with the Privacy Rule, financial institutions must take three actions:
- Provide an initial privacy notice. Delivered when a customer relationship is established.
- Deliver an annual privacy notice. At least once every 12 months during the customer relationship (with limited exceptions).
- Issue an opt-out notice. Before sharing NPI with non-affiliated third parties, including a clear method for consumers to exercise their opt-out rights.
Privacy Rule vs. Safeguards Rule
The GLBA Privacy Rule and Safeguards Rule address different parts of the same obligation.
- The Privacy Rule governs what financial institutions must disclose about their data practices — what is collected, how it is shared, and what choices consumers have.
- The Safeguards Rule governs how that information is protected. It requires administrative, technical, and physical controls to secure NPI.
Compliance with one does not satisfy the other. For a complete overview, see the GLBA compliance guide.
Who Enforces the GLBA Privacy Rule?
The Consumer Financial Protection Bureau (CFPB) administers Regulation P for most financial institutions, while federal banking agencies (OCC, FDIC, NCUA) enforce compliance. For non-bank financial institutions such as auto dealers, tax preparers, and other entities “significantly engaged” in financial activities, the Federal Trade Commission (FTC) enforces compliance. Under Regulation S-P, the SEC enforces parallel requirements for broker-dealers and investment advisers.
What Happens If an Institution Violates the Privacy Rule?
Violations of the GLBA Privacy Rule can lead to regulatory investigations, enforcement actions, civil penalties, and corrective measures such as revising privacy notices or changing data-sharing practices.
Enforcement is often triggered by inaccurate or incomplete disclosures. If a notice does not reflect actual data practices, the institution is out of compliance — even if security controls are effective. When data practices change, the notice must change with them. Generic or outdated disclosures create regulatory risk because they misrepresent how information is handled.
GLBA enforcement focuses on the gap between what an institution discloses and what it does. Organizations face penalties when privacy notices do not accurately reflect real data practices. The FTC maintains a public enforcement record of all privacy and security cases, including GLBA violations.
What Is a GLBA Privacy Notice?
A GLBA privacy notice is a written disclosure that financial institutions provide to consumers describing what nonpublic personal information (NPI) is collected, how it is used and shared with third parties, how it is protected, and how consumers can opt out of certain sharing practices. It is the primary compliance mechanism of the Privacy Rule — the way institutions meet their transparency obligations. Notices must be delivered at the start of the customer relationship and annually thereafter.
Privacy notices serve two functions: they inform consumers about data practices so they can make informed decisions, and they provide the foundation for opt-out rights that allow consumers to limit certain types of data sharing.
Who Must Provide a GLBA Privacy Notice
Every entity classified as a “financial institution” under GLBA must deliver privacy notices. GLBA defines “financial institution” based on activity, not charter type — any organization that collects NPI in connection with providing a financial product or service is likely covered. This includes:
- Banks and credit unions, including savings associations and bank holding companies
- Insurance companies offering insurance products or services
- Non-bank financial institutions such as mortgage brokers, auto dealers, payday lenders, tax preparers, real estate settlement services, and debt collectors
- Higher education institutions that administer Title IV federal student financial aid — see GLBA compliance in higher education
The breadth of this definition means many organizations that do not consider themselves “financial institutions” are still subject to Privacy Rule requirements.
What Does a GLBA Privacy Notice Include?
The Privacy Rule requires institutions to disclose specific categories of information about how consumer data is handled. These disclosures are mandatory and must reflect actual data practices.
A compliant GLBA privacy notice must:
- Describe the categories of NPI collected. This includes the types of nonpublic personal information the institution gathers, such as account numbers, transaction history, credit information, and Social Security numbers.
- Describe the categories of NPI disclosed. If information is shared, the notice must explain what types of data are disclosed to third parties.
- Identify the categories of third parties receiving the information. This includes affiliates, non-affiliated third parties, and joint marketing partners.
- Explain practices related to former customers. The notice must state whether the institution continues to share NPI after the customer relationship ends.
- Describe information security practices. The notice must include a general explanation of how the institution protects the confidentiality and security of NPI.
- Explain opt-out rights and how to exercise them. The notice must clearly explain the consumer’s right to opt out of certain information sharing with non-affiliated third parties, along with a reasonable method to do so.
Disclosure Accuracy, Clarity, and Update Requirements
Each disclosure must accurately represent how the institution handles consumer data in practice. If data practices change, disclosures must be updated accordingly. The interagency privacy rule FAQs, issued jointly by all eight GLBA-implementing agencies, provide detailed interpretive guidance on notice content, delivery timing, and opt-out mechanics.
Privacy notices must be clear and conspicuous — reasonably understandable and designed so consumers can easily notice and comprehend them. Vague, overly legal, or buried disclosures may still be non-compliant.
Notices must be updated whenever material changes occur in data collection, use, or sharing practices. This includes onboarding new vendors, introducing new products, or changing how consumer data is used.
Inaccurate or misleading privacy notices can result in regulatory enforcement. Many inaccuracies originate from incomplete visibility into vendor data sharing practices.
| Disclosure Category | What to Include | Example | Risk if Inaccurate |
|---|---|---|---|
| NPI collected | Types of personal financial data gathered | Account numbers, balances, transaction history, credit reports | Misrepresentation of data scope; incomplete disclosure of regulated information |
| NPI disclosed | Types shared with third parties | Name, address, account information | Undisclosed data sharing; violation of disclosure requirements |
| Third-party categories | Who receives information | Service providers, joint marketers, affiliates | Lack of transparency into data recipients; increased regulatory scrutiny |
| Former customer practices | Whether sharing continues after relationship ends | “We continue to share NPI of former customers as described above” | Ongoing non-compliance after relationship termination |
| Security practices | General protection description | “We maintain physical, electronic, and procedural safeguards” | Misalignment with Safeguards Rule expectations; misleading security posture |
| Opt-out rights | How to exercise rights | Toll-free number, opt-out form, online mechanism | Violation of consumer rights; enforcement risk for improper data sharing |
To simplify compliance, regulators provide a standardized model privacy form that serves as a safe harbor. The CFPB hosts downloadable versions of all four form variants along with an online form builder. Institutions that use the model form are deemed to meet the Privacy Rule’s content and formatting requirements, provided the information is accurate.
Nonpublic Personal Information (NPI) Under GLBA
Nonpublic personal information (NPI) is personally identifiable financial information that a financial institution collects in connection with providing a financial product or service. This can include information provided directly by the consumer, generated through transactions, or obtained from third parties.
Under GLBA, the defining criteria are straightforward: the information must be personally identifiable and financially related.
What Qualifies as NPI
NPI encompasses a wide range of data tied to an individual’s financial activity or relationship with an institution. Examples include:
- Information provided by consumers: Social Security numbers, income and employment information on loan applications, account numbers, credit card numbers
- Information generated through transactions: Account balances, payment history, loan amounts, transaction records, overdraft history
- Information obtained by the institution: Credit reports, credit scores, and data collected through online interactions when consumers access financial services, including information gathered through cookies when a consumer visits the institution’s website.
What Is NOT NPI
Not all information held by a financial institution qualifies as NPI:
- Publicly available information: Information lawfully available to the general public, including published phone numbers and data from government records or widely distributed public sources.
- Non-financial information: Information with no connection to a financial product or service. For example, a university’s academic records are not NPI — but student financial aid records are, because they relate to a financial service (Title IV funds). See GLBA compliance in higher education for how this applies to colleges and universities. The Department of Education’s GENERAL-23-09 guidance confirms GLBA obligations for Title IV institutions.
- Aggregate or de-identified data: Information aggregated or de-identified so it cannot reasonably be linked to a specific individual.
Consumer vs. Customer Under GLBA
The distinction between “consumers” and “customers” determines the scope, timing, and frequency of GLBA privacy notice requirements — when to deliver notices, whether ongoing disclosures are required, and how opt-out rights apply.
- A consumer is any individual who obtains or has obtained a financial product or service from an institution for personal, family, or household purposes. This is the broader category and includes both one-time interactions and ongoing relationships.
- A customer is a consumer with an ongoing relationship with the financial institution — a subset of consumers. Account holders, mortgage borrowers, insurance policyholders, and individuals with active lines of credit are all customers.
The distinction determines which notice requirements apply:
- Institutions serving consumers must provide a privacy notice only before sharing NPI with non-affiliated third parties.
- Institutions serving customers must provide an initial privacy notice at the start of the relationship and an annual notice for as long as it continues.
Opt-out rights apply in both cases, but only when sharing NPI with non-affiliated third parties outside of permitted exceptions.
| | Consumer | Customer |
|---|---|---|
| Definition | Any individual obtaining a financial product or service (one-time or limited interaction) | Individual with an ongoing relationship |
| Relationship Type | One-time or short-term interaction | Continuing relationship or service arrangement |
| Example | ATM user, denied loan applicant, one-time transaction | Account holder, mortgage borrower, insurance policyholder |
| Initial Privacy Notice | Required only before sharing NPI with non-affiliated third parties | Required at the start of a relationship |
| Annual Privacy Notice | Not required | Required annually |
| Opt-out Rights | Yes. Required before sharing NPI with non-affiliated third parties | Yes. Required and ongoing (applies throughout the relationship) |
| Ongoing Obligations | Limited to specific data-sharing scenarios | Continuous notice and disclosure obligations |
Opt-Out Rights and Requirements under GLBA
GLBA gives consumers the right to opt out of certain data sharing with non-affiliated third parties. Financial institutions must disclose this right and provide a practical method for consumers to exercise it.
Before sharing NPI with non-affiliated third parties, financial institutions must:
- Provide a clear and conspicuous opt-out notice. The notice must be easy to understand and clearly visible.
- Describe the data sharing practice. This includes what information may be shared and with whom.
- Offer a reasonable opt-out method. Common methods include online forms, toll-free numbers, or mailed forms.
- Allow a reasonable window. Consumers must be given sufficient time (typically around 30 days) to respond before sharing begins.
- Honor the opt-out. Once a consumer opts out, the institution must continue to respect that choice for as long as the opt-out remains in effect.
Opt-Out Exceptions
Not all information sharing triggers opt-out requirements. GLBA allows certain types of sharing without opt-out rights, including:
- Service providers acting on behalf of the institution (e.g., vendors processing transactions or providing operational support).
- Legally required disclosures, including responses to subpoenas or regulatory requirements.
- Fraud prevention and security purposes.
- Joint marketing agreements (when conducted under GLBA-compliant arrangements).
- Securitization and secondary market transactions.
These exceptions still require disclosure in the privacy notice but do not require opt-out. Institutions must identify when opt-out triggers apply and align notices accordingly.
State-level requirements. Some states impose stricter standards than GLBA’s federal opt-out framework. California (CFIPA) and Vermont require opt-in consent before sharing NPI with nonaffiliated third parties. Connecticut’s amended data privacy act (effective July 2026) narrows the GLBA entity-level exemption for non-bank financial institutions. Institutions operating across state lines must meet both federal and state privacy notice requirements.
Privacy Notice Delivery Requirements
GLBA requires financial institutions to deliver privacy notices at specific points in the relationship, using approved methods, to the appropriate recipients. Requirements depend on whether the individual is a consumer or customer.
Initial Notice
- The initial privacy notice must be provided at the time the customer relationship is established.
- For consumers who are not customers, the notice must be delivered before the institution shares their NPI with non-affiliated third parties.
Annual Notice
- Customers must receive a privacy notice at least once every 12 months for as long as the relationship continues.
- The annual notice must reflect the institution’s current data and privacy practices, not outdated or prior disclosures.
Under the FAST Act exception (codified in 2018), financial institutions are not required to deliver an annual notice if:
- They only share NPI under exceptions that do not trigger opt-out rights.
- Their privacy practices have not changed since the last notice was provided.
Delivery Methods
Privacy notices must be delivered in a way that the consumer can reasonably access and retain. Acceptable methods include:
- Mail, physical delivery to the consumer’s address.
- Electronic delivery, with the consumer’s affirmative consent, compliant with the E-Sign Act.
- In-person delivery, provided directly to the consumer at the time of the transaction.
Model Privacy Form
Regulation P includes a model privacy form that provides a safe harbor for compliance. The standardized format uses a two-page layout with clear headings, tables showing information-sharing practices, and a tear-off opt-out form.
GLBA Privacy and Data Security
The GLBA Privacy Rule and Safeguards Rule work in tandem. Privacy notices tell consumers what data is collected and shared. The Safeguards Rule ensures that data is protected through a comprehensive information security program, built on a formal risk assessment.
The relationship is direct: privacy notices must describe security practices, and the Safeguards Rule defines what those practices must be. The Privacy Rule requires the DISCLOSURE of protections; the Safeguards Rule requires the IMPLEMENTATION. Meeting one does not satisfy the other. For a detailed mapping of Safeguards Rule requirements, see the GLBA Safeguards Rule Requirements Crosswalk.
How to Simplify GLBA Privacy Rule Compliance
Privacy Rule compliance depends on knowing exactly how consumer data moves across the organization. Privacy notices are only as accurate as the data practices behind them. Isora GRC gives security teams one shared workspace to manage that visibility and keep disclosures aligned with actual data flows.
**Assessment Management.** Distribute and track privacy practice assessments across every department handling consumer financial data. Organize assessments by compliance goal — grouping privacy notice reviews, opt-out compliance checks, and data sharing practice evaluations into streamlined campaigns. Identify which units have reviewed and updated their data sharing practices, and surface gaps in notice delivery or opt-out compliance.
**Inventory Management.** Maintain connected records of vendors, assets, and data flows in a single system. Track where NPI moves across systems and third parties — the foundation of accurate privacy disclosures. When vendor relationships change or new data sharing arrangements begin, inventory records link directly to assessments and risks, ensuring privacy notices reflect current practices.
**Connected Workspace.** Link assessments, risks, assets, and vendors so nothing falls through the cracks. Ensure the security practices described in privacy notices align with the safeguards actually in place. When data practices change, connected records surface the impact across notices, assessments, and compliance reporting.
GLBA Privacy Rule FAQs
What is the GLBA Privacy Rule?
The GLBA Privacy Rule (Regulation P) governs how financial institutions disclose their data collection, sharing, and protection practices to consumers. It requires institutions to deliver privacy notices, provide opt-out rights for certain data sharing, and keep disclosures aligned with actual data practices.
What is a GLBA privacy notice?
A GLBA privacy notice is a written disclosure required by the Privacy Rule that explains what nonpublic personal information (NPI) is collected, how it is shared with third parties, and how consumers can opt out of certain sharing practices.
When is a GLBA privacy notice required?
An initial privacy notice must be provided when a customer relationship is established. For consumers who are not customers, a notice is required only before sharing NPI with non-affiliated third parties. Customers must also receive an annual notice for as long as the relationship continues, unless an exception applies.
What is nonpublic personal information (NPI) under GLBA?
NPI is any personally identifiable financial information linked to a specific individual. It includes information provided directly to a financial institution (income, Social Security number, account details), information generated through financial activity (account balances, payments, loan history), and information the institution obtains from other sources (credit reports, data collected through online interactions).
If the information identifies an individual and relates to their finances, it qualifies as NPI under GLBA.
What is the difference between a consumer and a customer under GLBA?
A consumer is any individual who obtains a financial product or service from an institution, even for a one-time interaction. A customer is a consumer with an ongoing relationship, such as an account holder or mortgage borrower. The difference comes down to the relationship, not the product, and it determines whether privacy notices are required once or on an ongoing basis.
What must a GLBA privacy notice include?
A GLBA privacy notice must include six categories of disclosure: (1) types of NPI collected, (2) types of NPI disclosed to third parties, (3) categories of third parties receiving information, (4) practices regarding former customers, (5) a description of security practices, and (6) opt-out rights with a reasonable method to exercise them. The FTC provides a model privacy form that serves as a safe harbor for meeting these requirements.
Can consumers opt out of GLBA information sharing?
Yes. GLBA gives consumers the right to opt out of having their NPI shared with non-affiliated third parties. Institutions must provide a clear, conspicuous opt-out notice with a reasonable method to exercise the right.
Consumers may choose to opt out to limit how widely their financial information is shared, reduce unwanted marketing, and maintain greater control over their personal data.
Key Takeaways
The GLBA Privacy Rule requires every financial institution to align its disclosures with actual data practices across systems, teams, and third parties. But GLBA compliance can also get complex, especially as organizations scale.
Use the GLBA compliance checklist to evaluate readiness, or download the GLBA compliance checklist resource for a structured assessment tool.