State Privacy Laws and the GLBA Safe Harbor: What Banks and Fintechs Can No Longer Assume

For years, bank compliance teams filed state privacy laws under “someone else’s problem.” You had GLBA. You had Regulation P. The state laws had carveouts. And if your institution stayed in its lane — consumer financial information, NPI, regulated data — the California Privacy Protection Agency and Oregon’s AG weren’t your audience.

That analysis is now wrong in five states, with more likely to follow.

TL;DR

• GLBA does not automatically exempt financial institutions from state privacy laws. Five states — California, Oregon, Minnesota, Montana, and Connecticut — now apply only a data-level exemption, meaning non-GLBA data collected by your institution is subject to state law.
• The distinction that matters: Entity-level exemption (your whole institution is exempt) vs. data-level exemption (only GLBA-regulated NPI is exempt).
• Three new state laws took effect January 1, 2026 (Indiana, Kentucky, Rhode Island). Connecticut’s full restrictions on previously GLBA-exempt firms kick in July 1, 2026.
• Nine states formed a coordinated enforcement consortium. California issued a $1.55 million fine for CCPA violations in July 2025. The assumption that state regulators won’t target financial institutions is now a liability.

The GLBA Safe Harbor Was Never Absolute

Here’s what the exemption was supposed to do: when states started passing consumer privacy laws starting with California’s CCPA in 2018, they included carveouts for data and entities subject to the Gramm-Leach-Bliley Act. The logic was that GLBA’s federal privacy regime — Regulation P, privacy notices, NPI protections — already covered financial institutions, so piling on with state-law obligations would create redundancy and compliance burden.

Most states obliged. Virginia, Colorado, Texas, Utah, Georgia, and others all included an entity-level GLBA exemption: if you were regulated under GLBA, you were largely out of scope for their privacy law.

The problem is that not all state legislatures agreed with that logic. And over the last three years, the trend has been moving decisively toward narrower exemptions — driven in part by a November 2024 CFPB report on carveouts for financial institutions in state data privacy laws that documented how consumer finance firms were monetizing consumer data in ways GLBA’s 1999 framework never anticipated.

Entity-Level vs. Data-Level: The Distinction That Decides Your Exposure

Every state privacy law touches GLBA in one of two ways:

Entity-level exemption: A financial institution subject to GLBA is broadly exempt from the state law, regardless of what data is involved. If your institution is GLBA-regulated, the state law largely doesn’t apply to you.

Data-level exemption: Only the specific data regulated by GLBA — nonpublic personal information (NPI) collected in connection with providing financial products or services — is exempt. If your institution collects data that GLBA doesn’t govern, that data is subject to state law regardless of who you are.

The distinction sounds technical until you realize how much data financial institutions collect that GLBA doesn’t cover. Your mortgage lead-gen pipeline. App analytics for non-account-holder visitors. The email list from your financial wellness webinar. Marketing segmentation profiles. Behavioral data from your digital advertising. If any of that involves residents of California, Oregon, Minnesota, Montana, or Connecticut — you have state law obligations the GLBA shield does not cover.

How Five States Changed the Rules

California: The Original Gap

California’s CCPA carveout exempts personal information “collected, processed, sold, or disclosed pursuant to” GLBA — but not the institution itself. A bank with California customers has always needed to think about whether its non-NPI data triggers CCPA obligations, including the right to know, deletion requests, and opt-out of sale.

The California Privacy Protection Agency has demonstrated it will pursue violations aggressively. In September 2025, the CPPA reached a $1.35 million settlement with Tractor Supply Co. — its largest fine to date. In July 2025, California issued a $1.55 million fine against Healthline Media for failure to honor opt-out requests and improper sharing of sensitive health data. Financial institutions are not invisible to the CPPA — they’re exempt for some of their data.

Oregon: Data-Level From Day One (July 1, 2024)

Oregon’s Consumer Privacy Act adopted a data-level GLBA exemption from its July 1, 2024 effective date. Any institution collecting data from Oregon residents outside the NPI context — website analytics, marketing lists, behavioral profiles — faces Oregon law obligations for that data. Oregon is also part of the nine-state enforcement consortium.

Minnesota: The Newest Data-Level State (July 31, 2025)

Minnesota’s Consumer Data Privacy Act became effective July 31, 2025, with a data-level exemption matching California’s approach. Minnesota joined the nine-state enforcement consortium at launch, and early enforcement signals suggest they will be active, not passive.

Montana: A Sudden Change (October 1, 2025)

Montana’s Senate Bill 297, enacted May 2025, amended the Montana Consumer Data Privacy Act to delete the reference to “financial institution or an affiliate of a financial institution” in the entity-level exemption. Effective October 1, 2025, only state and federally chartered banks, credit unions, and affiliates principally engaged in financial activities retain narrower protection. Other GLBA-regulated entities — fintechs, payment processors, mortgage companies, insurance affiliates — lost their broad exemption. As Orrick notes, Montana’s change caught many compliance teams off guard because it wasn’t as widely tracked as California or Connecticut.

Connecticut: The Most Sweeping Revision (October 2025 / July 2026)

Connecticut Senate Bill 1295, signed June 25, 2025, is the most detailed reshaping of the GLBA exemption to date. The broad entity-level exemption for all GLBA-regulated financial institutions was replaced with a narrower provision covering only banks and credit unions (and their affiliates) that satisfy three conditions: (1) exclusively engaged in financial activities under the Bank Holding Act, 12 U.S.C. § 1843(k); (2) regulated and examined by the Connecticut Department of Banking or a federal bank regulatory agency; and (3) maintaining a compliance program for Connecticut Banking Commissioner or applicable federal bank regulator requirements on personal data.

Perkins Coie analyzed this as effectively “piercing the GLBA veil” for fintechs and non-bank financial entities that previously benefited from the umbrella exemption. A fintech with Connecticut customers, even if GLBA-regulated, must now assess whether it meets those three conditions. The initial provisions took effect October 1, 2025; the full regulation applies July 1, 2026.

The GLBA Baseline: What Regulation P Actually Requires

Before addressing state law gaps, make sure your GLBA foundation is solid. Regulation P requires:

• Initial privacy notice at the time the customer relationship is established
• Annual privacy notice to customers — but the FAST Act of 2015 created an exception: if you share NPI only in GLBA-permitted ways and have made no material changes to your policies, you may skip the annual notice
• Opt-out rights before sharing NPI with nonaffiliated third parties outside the enumerated GLBA exceptions (customers need a reasonable opportunity — typically 30 days — to opt out before sharing begins)
• Affiliate marketing opt-out under the Fair Credit Reporting Act (separate from, but included in, your Reg P notice) if you use affiliate-shared consumer report information for marketing

Common examination findings on Regulation P: privacy notices that aren’t “clear and conspicuous,” opt-out mechanisms that exist but are functionally difficult to use, failure to provide initial notices before sharing, and annual notices not reaching all customers (particularly inactive accounts).

The FTC’s compliance guide for the GLBA Privacy Rule is the clearest practical resource for what the Privacy Rule requires. Timing these obligations properly feeds your compliance calendar — annual notices have delivery windows that create calendar entries you can’t miss.

The Nine-State Privacy Enforcement Consortium

In 2025, privacy regulators from California, Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon formed a formal coordination consortium. They share investigation leads, compare enforcement approaches, and amplify each other’s capacity across state lines.

The practical implication: an enforcement action that starts in one consortium state can develop into coordinated scrutiny across all nine. If your institution has customers in multiple consortium states and your data practices have gaps, you’re exposed to multiplied regulatory attention, not just one state AG.

The consortium’s announced priorities for 2026 include online tracking technology and pixel-based data sharing, data broker registration and opt-out compliance, children’s and teen privacy protections, and risk assessments and data minimization requirements. Financial institutions running digital marketing campaigns with third-party analytics SDKs or advertising pixels should audit whether that activity touches non-GLBA data subject to state law.

So What? A Practical Compliance Checklist

Whether your institution is federally chartered, state-chartered, or a fintech with GLBA obligations, these six steps close the most common gaps:

1. Map data outside your NPI perimeter. Build a data inventory that identifies what you collect from residents of California, Oregon, Minnesota, Montana, and Connecticut that falls outside the GLBA NPI definition — behavioral data, marketing lists, website analytics, non-financial-product data. If it exists, you likely have state law obligations.

2. Assess your Connecticut and Montana exposure now. Both state changes were effective October 1, 2025. If you have customers in either state and relied on the prior entity-level exemption, you are currently out of compliance with those states unless you fit the new narrower conditions.

3. Audit your Regulation P notices. Even if you qualify for the FAST Act annual notice exception, your underlying privacy notices must be current and accurate. If you’ve changed any sharing practices or data use policies in any material way, you owe updated notices.

4. Review your tech stack for non-NPI data flows. Marketing pixels, session replay tools, behavioral analytics SDKs, and ad networks may constitute data “sales” or sharing under California, Oregon, and Minnesota law. This is a common gap: the GLBA compliance team manages NPI flows, but the marketing team’s pixel integrations sit outside that review process.

5. Document your exemption analysis. For every state where customers reside, document your position: entity-level exempt, data-level with gap analysis, or fully subject to the state law. If a state regulator asks why you didn’t respond to consumer rights requests, “we assumed GLBA covered us” is not a defensible answer.

6. Track the 2026 wave. Indiana, Kentucky, and Rhode Island went live January 1, 2026. Check their specific exemption structures and applicability thresholds. Connecticut’s full CDPA changes are July 1, 2026. Add these to your compliance calendar.

For multi-state privacy compliance documentation, the Data Privacy Compliance Kit includes templates built around the current 19+ state law requirements, pre-mapped against GLBA and CCPA baselines — substantially reducing the gap analysis workload for teams dealing with multiple state exposures.

For the GLBA Safeguards Rule side of compliance (data security controls rather than privacy notices and consumer rights), see the FTC Safeguards Rule requirements for nonbank financial institutions. For a track record of what CCPA enforcement looks like in practice, the CCPA and CPRA enforcement tracker covers the CPPA’s fines, priorities, and the types of violations that drew scrutiny.

The CFPB’s 2024 warning to state legislatures was a preview, not an endpoint. More states are likely to narrow their GLBA exemptions in 2026 and 2027. The compliance teams that map their actual state law exposure now — rather than after an enforcement action — will be the ones who can answer the question when a regulator asks.