Where is the GLBA Entity-Level Exemption? Two More State Privacy Laws Now Apply to Financial Institutions

6 minute read | July.07.2025

In May, Montana enacted Senate Bill 297, which amends the Montana Consumer Data Privacy Act (MCDPA) to eliminate the broad exemption for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Connecticut followed a similar path with Senate Bill 1295, which became a Public Act on June 11, 2025, and is awaiting the governor’s signature. Montana and Connecticut join an emerging group of states that no longer broadly exempt financial institutions subject to the GLBA from their state privacy laws.

What are the comprehensive U.S. state privacy laws?

Since 2020, beginning with California, states have started to enact comprehensive privacy laws that provide consumers with various privacy rights, including the right to know, the right to access, the right to delete, the right to correct and the right to opt-out or opt-in, among others. Currently, approximately 19 states have passed such laws, although not all of these laws have taken effect. While there are some common elements, these laws nevertheless differ in significant ways. They have different applicability thresholds, varying definitions for similar key terms, provide different rights to individuals and require unique disclosures to consumers. This patchwork of state privacy laws requires companies to perform a state-by-state analysis to determine whether and how a specific state’s privacy law may apply to their business.

What is the GLBA exemption?

The GLBA is a federal law that has been implemented by regulations issued by various federal agencies, including the CFPB, SEC and CFTC, among others. Title V of the GLBA establishes a framework of rights, rules, and disclosures to protect consumers’ nonpublic personal information (NPI) and has governed the financial services industry’s use of consumer data for over two decades.

Most states with comprehensive privacy laws generally provide two forms of exemptions under Title V of the GLBA: (1) an “Entity-Level Exemption” for Financial Institutions under the GLBA and (2) a “Data-Level Exemption” for NPI as defined by the GLBA. The scope of these two exemptions is based on how the following terms are defined under the GLBA:

Financial Institutions are defined as companies that engage in activities that are financial in nature or incidental to such financial activities as described in the Bank Holding Company Act (BHCA). The BHCA and its implementing regulations set forth a comprehensive list of activities that are either “financial in nature” or “incidental to financial activities.”
Nonpublic Personal Information is defined as personally identifiable financial information that is not publicly available and that (i) a consumer provides to a financial institution to obtain a financial product or service from the institution, (ii) results from a transaction between the consumer and the institution involving a financial product or service or (iii) a financial institution otherwise obtains about a consumer in connection with providing a financial product or service (12 C.F.R. § 1016.3(p), (q).

As a result, in states with both Entity-Level and Data-Level Exemptions in their comprehensive privacy laws, financial institutions are generally exempt from most states’ comprehensive privacy laws outright because they fall within the Entity-Level Exemption. For businesses in these states that do not qualify as financial institutions but otherwise handle NPI — such as service providers to financial institutions — the Data-Level Exemption means that NPI is exempt from state privacy laws. As such, if a consumer requests to know, access or delete their information, the business need not include NPI in responding to the consumer’s request because other federal and state privacy laws apply.

Which states do not have a broad GLBA Entity-Level Exemption?

Since it was originally enacted, and surviving through subsequent amendments, the California Consumer Privacy Act (CCPA) has never offered financial institutions a GLBA Entity-Level Exemption. Rather, the CCPA’s exemption has always been a Data-Level Exemption limited to NPI (except for the CCPA’s data breach private right of action). However, since the CCPA took effect in 2020, a handful of states have joined California and either limited or eliminated the GLBA Entity-Level

Exemptions from their state privacy laws:

Connecticut: SB 1295, effective October 1, 2025, will amend Connecticut’s comprehensive privacy laws to remove the Entity-Level Exemption for “financial institution … subject to Title V of the Gramm-Leach-Bliley Act” and adds a Data-Level Exemption limited to “data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., as amended from time to time.”

Applicability: Applies to persons controlling or processing the personal data of 35,000 or more Connecticut residents annually, regardless of revenue — a reduction from the previous thresholds of 100,000 or 25,000 with over 25% revenue from data sales. Those who control or process sensitive data, as well as those that offer personal information for sale, are also subject to the Connecticut law.

Minnesota: Minnesota’s Consumer Data Privacy Act, effective July 31, 2025, will contain a Data-Level Exemption for NPI that is similar to California’s and Connecticut’s exemptions. However, Minnesota has a unique Entity-Level Exemption specific to certain Minnesota-regulated financial institutions as well as certain Minnesota-licensed financial institutions. This unique exemption extends the GLBA’s Data-Level Exemption to data originated, or intermingled, with NPI of a licensed residential mortgage originator, a licensed residential mortgage servicer, and certain state-regulated financial institutions identified in Minnesota’s Customer Information Data Security chapter — e.g., trust companies, money transmitters, sales finance companies, student loan servicers and others regulated under Minnesota law.

Applicability: Applies to legal entities that control or process the personal data of 100,000 Minnesota residents or more during a calendar year or derive over 25% of gross revenue from the sale of personal data and control or process personal data of 25,000 Minnesota residents or more.

Montana: Until recently, Montana had both a GLBA Data-Level Exemption and a broad GLBA Entity-Level Exemption for a “financial institution or an affiliate of a financial institution” governed by the GLBA. However, SB 297 will amend Montana’s Consumer Data Privacy Act to delete the reference “financial institution or an affiliate of a financial institution.” As such, effective October 1, 2025, Montana’s law will only have a GLBA Data-Level Exemption.

Applicability: Applies to entities that control or process data of 25,000 Montana residents (down from 50,000), with some exceptions, or 15,000 if the entity derives more than 25% of gross revenue from the sale of personal data.

Oregon: Similar to Minnesota, Oregon’s Consumer Privacy law, effective July 1, 2024, exempts NPI as well as data that originated from or intermingled with “so as to be indistinguishable from” NPI for financial institutions licensed under the Oregon Consumer Finance Act. In addition, Oregon has a limited Entity-Level Exemption that is only available to banks insured by the FDIC, credit unions insured by the NCUA and extranational banks, among others.

Applicability: Applies to persons that control or process the personal data of 100,000 or more Oregon residents, with some exceptions, or the personal data of 25,000 or more Oregon residents while deriving 25% or more of the person’s annual gross revenue from selling personal data.

What can financial institutions do to prepare?

With four more states joining California — and the possibility that other states may limit or eliminate their Entity-Level Exemptions in the coming years — financial institutions should understand the scope of these state laws and remain vigilant for additional changes. Fortunately, financial institutions may be able to leverage their CCPA plans to address these state law developments:

When the CCPA passed, many financial institutions invested significant time and effort in developing plans to comply with the CCPA. The first step for most institutions was to engage in “data mapping” to determine the various types of data these institutions held and how the data related to the financial products offered by the institution.
Second, institutions reviewed the results of the data mapping to determine whether the personal information in their possession arose from providing a financial product or service, and thus fell within the GLBA Data-Level Exemption, or was derived from other sources, and thus may be subject to the CCPA if another exemption did not apply.
Third, once this data mapping was complete, financial institutions spent significant resources developing a framework to provide California consumers with the rights and protections required by the CCPA.

Financial institutions may be able to use this same playbook for these four states that are paring back their GLBA Entity-Level Exemptions. While the exact scope of the state GLBA Data-Level Exemptions vary by state, and the rights afforded to consumers differ, financial institutions may benefit from using the same strategic approach of (1) understanding the full scope of data a financial institution holds, (2) classifying the data as being subject to the GLBA or coming from other sources and (3) studying these state laws and creating processes to provide state privacy law rights to consumers.

Authors

Sulina Gabale Partner, Cyber, Privacy & Data Innovation, Internet of Things

Washington, D.C.

See my bio

D:+1 202 339 8420
E: sgabale@orrick.com

Practice:

Cyber, Privacy & Data Innovation
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Sulina Gabale Partner

Washington, D.C.

As innovation pushes the limits of technology, those ideas challenge the boundaries of what is considered “personally identifiable information.” Sulina answers the question - how can we create tomorrow’s technology with yesterday’s privacy and consumer protection laws? Sulina works closely with innovators at all levels of a business – executives, engineers, marketing and product, HR and customer service teams – to gain a true understanding of their goals and the data they’re collecting, using and sharing. She places herself in her client’s shoes as well as in consumers’ mindset to devise creative privacy-by-design solutions, ensuring her client’s business and data innovation strategies withstand multi-national rules, government regulations, industry standards and consumer scrutiny.

With experience in both data privacy and consumer protection, Sulina utilizes a comprehensive approach to counsel clients on a myriad of issues affecting consumers and businesses. She routinely guides companies of all sizes through the existing patchwork of laws, self-regulatory standards and industry practice impacting data privacy and security. She advises clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including:

California Online Privacy Protection Act (CalOPPA)
Children’s Online Privacy Protection Act (COPPA)
Family Educational Rights and Privacy Act (FERPA) and related state student data privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Section 5 of the Federal Trade Commission Act (FTC Act)
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Sulina advises companies of all sizes on the development and deployment of cutting-edge technologies and services, including ad-tech, AI and machine learning, biometric tools, social media, robotics and IoT devices, marketing and promotions and more. Sulina began her legal career focusing on consumer protection. She continues to counsel clients on marketing and promotional issues, including interest-based ads; sweepstakes and promotions; automatic renewal and subscriptions; advertising substantiation; influencer programs and social media; SMS text messaging and telemarketing (including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA)); and other state and federal consumer protection laws.

Sulina’s practice is industry-agnostic. She has represented clients ranging from start-ups to Fortune 500s, non-profits, academic institutions and city governments across a range of industries from fashion and ecommerce, financial services, retail, food and beverage and technology services. Prior to law school, Sulina worked in the highly interactive fields of journalism, entertainment and digital media. This well-rounded background helps her connect with clients on a personal level, and ensure her advice integrates legal solutions with business practicality.

Before joining Orrick, Sulina was a member of the Privacy & Data Security Group; Entertainment & Media Group; and IP, Information & Innovation Group at Reed Smith, LLP in New York and Washington, D.C.

Amanda Lawrence Partner, Fintech, Financial & Fintech Advisory

Washington, D.C.

See my bio

D:+1 202 349 8089
E: alawrence@orrick.com

Practice:

Fintech
Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Finance
Complex Litigation & Dispute Resolution
Internal Investigations
Class Action Defense

vCard

See full bio

Amanda Lawrence Partner

Washington, D.C.

She is a trusted adviser to and first call in high-stakes litigation and enforcement matters, including government investigations, regulatory examinations, class action and complex litigation, and internal investigations. Her matters include investigations, examinations, and enforcement actions before the CFPB, FTC, federal and state bank regulators and state attorneys general, including defending a leading bank in one of the CFPB’s first enforcement actions—a joint investigation and enforcement action with the FDIC.

Amanda also represents clients in bet the company litigation, including financial institutions and lenders in residential mortgage-backed securities (RMBS) matters, consumer class actions and other complex civil litigation matters.

Amanda is well versed in all aspects of her clients’ business and is known for providing thoughtful and practical advice. She leverages her experience with litigation and enforcement agencies to stay ahead of regulatory trends impacting the finance and fintech industries. Key among these is data monetization and regulators’ heightened focus on how data is collected, used, stored and transferred. Amanda’s practice started in the cyber and privacy spheres, and today she helps clients manage compliance with the Gramm-Leach-Bliley Act (GLBA) and Regulation P, the Safeguards Rule, the Fair Credit Reporting Act (FCRA), the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Amanda formerly served as a member of Orrick's Management Committee. Prior to joining Orrick, Amanda was a partner at Buckley LLP, where she was a member of the partner board. She also has an active pro bono practice.

Sasha Leonhardt Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 7971
E: sleonhardt@orrick.com

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Cyber, Privacy & Data Innovation
Fintech
Government Investigations and Enforcement Actions

vCard

See full bio

Sasha Leonhardt Partner

Washington, D.C.

Sasha also has substantial experience advising clients on the Servicemembers Civil Relief Act (SCRA), Military Lending Act (MLA), Consumer Financial Protection Act (CFPA), Truth in Lending Act (TILA), Real Estate Settlement Procedures Act (RESPA), Equal Credit Opportunity Act (ECOA), Fair Housing Act (FHA), and Fair Debt Collection Practices Act (FDCPA). He advises companies, non-profits and industry associations with consumer privacy issues arising from the Gramm-Leach-Bliley Act (GLBA) and Regulation P, the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule and state and federal laws that address data privacy and information security.

In addition to representing clients, Sasha has published numerous articles on various aspects of consumer financial services law and practice, including data privacy, class action litigation, white collar litigation, whistleblower lawsuits and recent trends in regulation and enforcement. He also maintains an active pro bono practice and serves as a member of the Legal Counsel for the Elderly’s Young Lawyers Alliance. A frequent speaker on a variety of legal topics, Sasha has taught at Duke University School of Law and American University Washington College of Law, and was previously a Professorial Lecturer in Law at the George Washington University Law School.

Prior to joining Orrick, Sasha was a partner at Buckley LLP. He also previously served as Deputy Press Secretary to Maryland Governor Martin O’Malley. He is accredited as a Privacy Law Specialist, a Fellow of Information Privacy, a Certified Information Privacy Manager (CIPM/US), and a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.

Elizabeth McGinn Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.; New York

See my bio

D:+1 202 349 7968
E: emcginn@orrick.com

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Elizabeth McGinn Partner

Washington, D.C.; New York

In conjunction with this work, she develops policies and procedures, records retention schedules and training materials. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent such breaches from occurring, and advising clients in responding to regulatory inquiries, investigations and enforcement actions related to privacy, information security and cybersecurity issues. She also assists numerous professional sports teams comply with data privacy concerns, consumer financing laws and payment system issues.

Beth also represents financial institutions, corporations and individuals in a wide range of matters. She advises clients in investigations, examinations and litigation initiated by the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (NYDFS), the Department of Justice (DOJ), the Federal Trade Commission (FTC), state attorneys general and bank regulatory agencies. She has represented financial institutions in class action litigation concerning federal and state fair lending laws, mortgage fraud, unfair and deceptive trade practices statutes, consumer fraud statutes and consumer privacy laws. She has extensive experience counseling clients in response to federal and state subpoenas and handling all aspects of e-discovery.

Over the course of her career, Beth has represented clients in matters involving simultaneous criminal, civil administrative and congressional proceedings. She has defended clients in matters relating to money laundering compliance issues and investigations and litigation by the U.S. Attorney’s Office for the Southern District of New York (SDNY), the Manhattan District Attorney’s Office, the Department of Treasury, the Securities and Exchange Commission (SEC), and various congressional committees, including the U.S. Committee on Homeland Security and Government Affairs Permanent Subcommittee on Investigations, the U.S. House Financial Services Committee and the U.S. House Committee on Oversight and Government Reform.

Beth has published and spoken on a variety of topics, including privacy, cybersecurity, electronic discovery, vendor management and consumer financial services litigation. She authored the chapter on “Oversight of Compliance and Control Responsibilities” for Navigating the Digital Age – The Definitive Cybersecurity Guide for Directors and Officers. She has been recognized for her work in Cyber Law (Data Protection and Privacy) by Legal 500 since 2013, which describes her as “outstanding on privacy and e-discovery issues,” “able to advise both on the regulatory and litigation sides of problems,” an attorney who "exceeds expectations on response and turnaround times,” “has strong industry knowledge in data security and privacy, and is able to walk the fine line between operational efficiency and regulatory compliance' when developing IT policies.” It also described her as “top notch, incredibly responsive, thoughtful, and provides advice that is both practical and efficient.”

Prior to joining Orrick, Beth was a partner at Buckley LLP where she was Co-chair of the firm’s Privacy, Cyber Risk & Data Security practice and E-discovery Committee. Previously she was an associate at Skadden, Arps, Slate, Meagher & Flom. She clerked for Federal Magistrate Judge P. Trevor Sharp of the United States District Court for the Middle District of North Carolina after law school. Beth is a Certified Information Privacy Professional (CIPP/US).

Sherry-Maria Safchuk Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Santa Monica

See my bio

D:+1 310 424 3917
E: ssafchuk@orrick.com

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech
Cyber, Privacy & Data Innovation

vCard

See full bio

Sherry-Maria Safchuk Partner

Santa Monica

Sherry’s clients include banks, mortgage originators and servicers, mortgage brokers, commercial lenders, bank holding companies, private equity firms, investment advisors, investment managers, finance companies, fintechs, consumer reporting agencies, data brokers, debt collection companies and related service providers.

She is a Certified Information Privacy Professional (CIPP/US), and was a member of the Mortgage Bankers Association’s 2016 class of Future Leaders and the California Mortgage Bankers Association’s 2014 class of Future Leaders.

Prior to joining Orrick, Sherry was a partner at Buckley LLP. She has been an associate in private practice. She also clerked for the Honorable Jeanette J. Clark in the Superior Court of the District of Columbia.