In May, Montana enacted Senate Bill 297, which amends the Montana Consumer Data Privacy Act (MCDPA) to eliminate the broad exemption for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Connecticut followed a similar path with Senate Bill 1295, which became a Public Act on June 11, 2025, and is awaiting the governor’s signature. Montana and Connecticut join an emerging group of states that no longer broadly exempt financial institutions subject to the GLBA from their state privacy laws.
What are the comprehensive U.S. state privacy laws?
Since 2020, beginning with California, states have started to enact comprehensive privacy laws that provide consumers with various privacy rights, including the right to know, the right to access, the right to delete, the right to correct and the right to opt-out or opt-in, among others. Currently, approximately 19 states have passed such laws, although not all of these laws have taken effect. While there are some common elements, these laws nevertheless differ in significant ways. They have different applicability thresholds, varying definitions for similar key terms, provide different rights to individuals and require unique disclosures to consumers. This patchwork of state privacy laws requires companies to perform a state-by-state analysis to determine whether and how a specific state’s privacy law may apply to their business.
What is the GLBA exemption?
The GLBA is a federal law that has been implemented by regulations issued by various federal agencies, including the CFPB, SEC and CFTC, among others. Title V of the GLBA establishes a framework of rights, rules, and disclosures to protect consumers’ nonpublic personal information (NPI) and has governed the financial services industry’s use of consumer data for over two decades.
Most states with comprehensive privacy laws generally provide two forms of exemptions under Title V of the GLBA: (1) an “Entity-Level Exemption” for Financial Institutions under the GLBA and (2) a “Data-Level Exemption” for NPI as defined by the GLBA. The scope of these two exemptions is based on how the following terms are defined under the GLBA:
- Financial Institutions are defined as companies that engage in activities that are financial in nature or incidental to such financial activities as described in the Bank Holding Company Act (BHCA). The BHCA and its implementing regulations set forth a comprehensive list of activities that are either “financial in nature” or “incidental to financial activities.”
- Nonpublic Personal Information is defined as personally identifiable financial information that is not publicly available and that (i) a consumer provides to a financial institution to obtain a financial product or service from the institution, (ii) results from a transaction between the consumer and the institution involving a financial product or service or (iii) a financial institution otherwise obtains about a consumer in connection with providing a financial product or service (12 C.F.R. § 1016.3(p), (q)).
As a result, in states with both Entity-Level and Data-Level Exemptions in their comprehensive privacy laws, financial institutions are generally exempt from most states’ comprehensive privacy laws outright because they fall within the Entity-Level Exemption. For businesses in these states that do not qualify as financial institutions but otherwise handle NPI — such as service providers to financial institutions — the Data-Level Exemption means that NPI is exempt from state privacy laws. As such, if a consumer requests to know, access or delete their information, the business need not include NPI in responding to the consumer’s request because other federal and state privacy laws apply.
Which states do not have a broad GLBA Entity-Level Exemption?
Since it was originally enacted, and surviving through subsequent amendments, the California Consumer Privacy Act (CCPA) has never offered financial institutions a GLBA Entity-Level Exemption. Rather, the CCPA’s exemption has always been a Data-Level Exemption limited to NPI (except for the CCPA’s data breach private right of action). However, since the CCPA took effect in 2020, a handful of states have joined California and either limited or eliminated the GLBA Entity-Level Exemptions from their state privacy laws:
- Connecticut: SB 1295, effective October 1, 2025, will amend Connecticut’s comprehensive privacy laws to remove the Entity-Level Exemption for “financial institution … subject to Title V of the Gramm-Leach-Bliley Act” and adds a Data-Level Exemption limited to “data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., as amended from time to time.”
  - Applicability: Applies to persons controlling or processing the personal data of 35,000 or more Connecticut residents annually, regardless of revenue — a reduction from the previous thresholds of 100,000 or 25,000 with over 25% revenue from data sales. Those who control or process sensitive data, as well as those that offer personal information for sale, are also subject to the Connecticut law.
- Minnesota: Minnesota’s Consumer Data Privacy Act, effective July 31, 2025, will contain a Data-Level Exemption for NPI that is similar to California’s and Connecticut’s exemptions. However, Minnesota has a unique Entity-Level Exemption specific to certain Minnesota-regulated financial institutions as well as certain Minnesota-licensed financial institutions. This unique exemption extends the GLBA’s Data-Level Exemption to data originated, or intermingled, with NPI of a licensed residential mortgage originator, a licensed residential mortgage servicer, and certain state-regulated financial institutions identified in Minnesota’s Customer Information Data Security chapter — e.g., trust companies, money transmitters, sales finance companies, student loan servicers and others regulated under Minnesota law.
  - Applicability: Applies to legal entities that control or process the personal data of 100,000 Minnesota residents or more during a calendar year or derive over 25% of gross revenue from the sale of personal data and control or process personal data of 25,000 Minnesota residents or more.
- Montana: Until recently, Montana had both a GLBA Data-Level Exemption and a broad GLBA Entity-Level Exemption for a “financial institution or an affiliate of a financial institution” governed by the GLBA. However, SB 297 will amend Montana’s Consumer Data Privacy Act to delete the reference “financial institution or an affiliate of a financial institution.” As such, effective October 1, 2025, Montana’s law will only have a GLBA Data-Level Exemption.
  - Applicability: Applies to entities that control or process data of 25,000 Montana residents (down from 50,000), with some exceptions, or 15,000 if the entity derives more than 25% of gross revenue from the sale of personal data.
- Oregon: Similar to Minnesota, Oregon’s Consumer Privacy law, effective July 1, 2024, exempts NPI as well as data that originated from or intermingled with “so as to be indistinguishable from” NPI for financial institutions licensed under the Oregon Consumer Finance Act. In addition, Oregon has a limited Entity-Level Exemption that is only available to banks insured by the FDIC, credit unions insured by the NCUA and extranational banks, among others.
  - Applicability: Applies to persons that control or process the personal data of 100,000 or more Oregon residents, with some exceptions, or the personal data of 25,000 or more Oregon residents while deriving 25% or more of the person’s annual gross revenue from selling personal data.
What can financial institutions do to prepare?
With four more states joining California — and the possibility that other states may limit or eliminate their Entity-Level Exemptions in the coming years — financial institutions should understand the scope of these state laws and remain vigilant for additional changes. Fortunately, financial institutions may be able to leverage their CCPA plans to address these state law developments:
- When the CCPA passed, many financial institutions invested significant time and effort in developing plans to comply with the CCPA. The first step for most institutions was to engage in “data mapping” to determine the various types of data these institutions held and how the data related to the financial products offered by the institution.
- Second, institutions reviewed the results of the data mapping to determine whether the personal information in their possession arose from providing a financial product or service, and thus fell within the GLBA Data-Level Exemption, or was derived from other sources, and thus may be subject to the CCPA if another exemption did not apply.
- Third, once this data mapping was complete, financial institutions spent significant resources developing a framework to provide California consumers with the rights and protections required by the CCPA.
Financial institutions may be able to use this same playbook for these four states that are paring back their GLBA Entity-Level Exemptions. While the exact scope of the state GLBA Data-Level Exemptions varies by state, and the rights afforded to consumers differ, financial institutions may benefit from using the same strategic approach of (1) understanding the full scope of data a financial institution holds, (2) classifying the data as being subject to the GLBA or coming from other sources and (3) studying these state laws and creating processes to provide state privacy law rights to consumers.