Montana became the first state to amend its comprehensive privacy law to remove a broad, entity-level exemption for financial institutions subject to the Gramm-Leach-Bliley Act, and Connecticut made a similar amendment in late June. These decisions to replace the exemption with more targeted carve-outs mark a significant shift in the evolving patchwork of state privacy laws and could reshape how financial institutions approach data compliance.
Set against a backdrop of reduced federal regulatory enforcement, the Montana and Connecticut amendments could signal what’s to come for financial institutions that have historically operated under a largely unified federal privacy framework.
Non-GLBA Data
The GLBA, enacted in 1999, established foundational privacy protections for nonpublic personal financial information collected in connection with the provision of financial products and services.
However, with the proliferation of mobile apps, digital wallets, and web-based services, financial institutions now routinely collect many types of digital data that may not fall within the GLBA’s scope, including device information, identifiers, and geolocation data, as well as marketing data and behavioral insights derived from online interactions.
Some of this data is hard to categorize within the existing regulatory framework. For example, data generated by a mobile banking app that tracks user activity to personalize services may not be considered data from the provision of a financial product or service, potentially putting it outside of the scope of GLBA. State privacy laws, however, typically classify that same data as personal data, regardless of how it was collected or whether it relates directly to a financial product or service.
Recognizing these challenges, the Consumer Financial Protection Bureau issued a call to action in 2024, criticizing federal financial data protections as outdated and inconsistent with privacy rights available to consumers in other sectors. The CFPB urged states to reconsider whether their laws adequately protect consumer financial information.
Montana and Connecticut have done so, and these amendments highlight growing recognition that financial institutions may hold substantial amounts of consumer data not covered by the GLBA.
When financial institutions operate in the gap between GLBA-covered data and applicable state privacy laws, they may become subject to additional obligations under state law. This can include obtaining opt-in consent to collect, use, or share sensitive data; responding to consumer requests to access, delete, or correct information; and publishing a separate, significantly more detailed privacy notice.
Entity-Level Exemptions
To date, 20 US states have enacted comprehensive privacy laws. Of these, 15 include broad, entity-level exemptions for financial institutions subject to the GLBA. These exemptions allow the entire financial institution to operate outside the scope of the state privacy law, regardless of the type of data in question.
Montana and Connecticut join California, Oregon, and Minnesota in limiting statutory GLBA exemptions to data covered by that law, rather than exempting all of the GLBA-covered financial institution’s data processing activities.
But unlike California, Oregon, and Minnesota, whose privacy laws never included broad, entity-level GLBA exemptions, Montana was the first state to retract one, quickly followed by Connecticut.
The Montana and Connecticut privacy laws now generally align with the approaches taken by Oregon and Minnesota: Each state uses its own statutory definitions to craft entity-level exemptions for certain insurers and insurance-related entities, while relying on federal banking law definitions for exempting certain chartered banks and credit unions engaged in financial activity.
The California Consumer Privacy Act remains unique in offering no entity-level exemption at all. If the financial institution otherwise meets CCPA’s applicability thresholds, any non-GLBA personal data it collects from California residents is subject to that law’s full range of requirements.
For financial institutions operating across jurisdictions, these variations introduce the possibility of dual or overlapping compliance burdens. Financial institutions processing consumer data from residents of California, Oregon, Minnesota—and now Montana and Connecticut—may be subject to state-level privacy requirements, depending on how each applicable state privacy law defines exempt entities and activities. Yet these institutions must still comply with GLBA for nonpublic personal information processed in provision of financial products or services.
Financial institutions operating in these states must continue to comply with GLBA for nonpublic personal information collected in connection with financial products and services while simultaneously complying with state privacy laws for other personal data, such as website analytics, mobile app behavior, or customer service interactions. And if more states revisit GLBA exemptions, the compliance landscape may become more fragmented, forcing financial institutions to manage state-by-state obligations in addition to federal rules.
As a practical matter, much of the personal information that is protected by state privacy laws can be difficult to fully disclose and account for in the structured GLBA privacy notice form used by financial institutions. While state privacy laws have detailed requirements for privacy notices, the format is more flexible and better suited to the types of data used in many of the mobile apps and websites that offer a combination of services.
Evolving Privacy Environment
As state privacy laws continue to evolve and expand, financial institutions will need to align their data practices with both federal and state law. The first step is to map all collected consumer data to determine whether it falls under GLBA, a state privacy law, or both.
Next, institutions should ensure that all privacy notices are clear, comprehensive, and compliant with both GLBA and applicable state laws. In some cases, institutions will need to implement or refine systems for processing consumer requests.
It’s important that institutions invest in scalable compliance infrastructure that can flex across jurisdictions to adjust to changing laws. The growth of agentic AI, which can automate financial and purchasing decisions, may further complicate privacy notices. Financial institutions will need to consider the effect of the potential repeal of the CFPB’s Section 1033 Open Banking Rule on their privacy notices.
Like Montana and Connecticut, other states may act on CFPB recommendations even as the agency is scaled back. Financial institutions will need to track state privacy developments that could change their compliance obligations.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Stephen Cosentino is partner at Stinson, focused on technology transactions, data privacy compliance, and complex intellectual property matters.
Michal Whitney is an attorney at Stinson, focused on data privacy, cybersecurity, and technology transactions with an emphasis on navigating complex regulatory issues.