The Gramm–Leach–Bliley Act’s Online Privacy Provisions

In 1999, Congress passed the Gramm-Leach-Bliley Act (a.k.a. the Financial Modernization Act). The law repealed the Glass-Steagall Act, a Great Depression-era statute mandating the separation of certain banking categories.

History of the GLBA

In the 1930s, politicians passed a series of laws that restricted mergers of certain financial institutions. The protective measures ultimately separated commercial banks from investment banks.

In the 1980s and 1990s, interested parties fiercely lobbied to erase Depression-era finance regulations. During that time, in part due to the advent of digital technology, questions arose about the intersection of deregulation and financial privacy. After all, if politicians struck down the old statutes, huge conglomerates would have unprecedented access to valuable personal information, from which they could profit enormously.

Eventually, in 1999, federal representatives ratified the GLBA — which lifted the overwhelming majority of mid-20th-century banking regulations. However, the bill included stipulations about digital financial privacy and the responsibilities of monetary institutions.

Financial Privacy Rule

The GLBA's Financial Privacy Rule applies to all financial institutions, including banks, insurance companies, and mortgage lenders. Per the law, obligated parties must provide a privacy notice at the commencement of a consumer relationship, and then on an annual basis. These privacy notices must clearly explain the company's information-sharing practices, and customers must be able to opt out of information sharing.

Even if a company doesn't share information, when finances are involved, it must still provide clients with its privacy practices and policies. Moreover, the notice cannot be delivered orally, by email, or by other electronic means. Rather, the notice must be presented in writing.

Safeguards Rule

The GLBA Safeguards Rule requires institutions that collect personal information to protect it and to build data security programs sized appropriately to the organization. In other words, large national banks, such as Citibank and Chase, need more elaborate safeguards than, say, a neighborhood credit union.

The rule also requires businesses to test their safeguards regularly. Moreover, they must build security measures into their day-to-day operations, such as running employee background checks and establishing breach response plans in case of attack.

Pretexting Provisions

Pretexting refers to someone gaining improper access to non-public information under false pretenses. The term is often associated with "social engineering" attacks, such as when someone passes themselves off as a manager or law enforcement agent to obtain information. Phishing scams, which sometimes involve setting up phony websites that fool people into handing over private information, are another example of pretexting.

The GLBA essentially makes pretexting illegal; it also requires financial institutions to establish measures that prevent pretexting as part of their security plans, including employee training.