July.07.2025
In May, Montana enacted Senate Bill 297, which amends the Montana Consumer Data Privacy Act (MCDPA) to eliminate the broad exemption for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Connecticut followed a similar path with Senate Bill 1295, which became a Public Act on June 11, 2025, and is awaiting the governor’s signature. Montana and Connecticut join an emerging group of states that no longer broadly exempt financial institutions subject to the GLBA from their state privacy laws.
Since 2020, beginning with California, states have started to enact comprehensive privacy laws that provide consumers with various privacy rights, including the right to know, the right to access, the right to delete, the right to correct and the right to opt-out or opt-in, among others. Currently, approximately 19 states have passed such laws, although not all of these laws have taken effect. While there are some common elements, these laws nevertheless differ in significant ways. They have different applicability thresholds, varying definitions for similar key terms, provide different rights to individuals and require unique disclosures to consumers. This patchwork of state privacy laws requires companies to perform a state-by-state analysis to determine whether and how a specific state’s privacy law may apply to their business.
The GLBA is a federal law that has been implemented by regulations issued by various federal agencies, including the CFPB, SEC and CFTC, among others. Title V of the GLBA establishes a framework of rights, rules, and disclosures to protect consumers’ nonpublic personal information (NPI) and has governed the financial services industry’s use of consumer data for over two decades.
Most states with comprehensive privacy laws generally provide two forms of exemptions under Title V of the GLBA: (1) an “Entity-Level Exemption” for Financial Institutions under the GLBA and (2) a “Data-Level Exemption” for NPI as defined by the GLBA. The scope of these two exemptions is based on how the following terms are defined under the GLBA:
As a result, in states with both Entity-Level and Data-Level Exemptions in their comprehensive privacy laws, financial institutions are generally exempt from most states’ comprehensive privacy laws outright because they fall within the Entity-Level Exemption. For businesses in these states that do not qualify as financial institutions but otherwise handle NPI — such as service providers to financial institutions — the Data-Level Exemption means that NPI is exempt from state privacy laws. As such, if a consumer requests to know, access or delete their information, the business need not include NPI in responding to the consumer’s request because other federal and state privacy laws apply.
Since it was originally enacted, and surviving through subsequent amendments, the California Consumer Privacy Act (CCPA) has never offered financial institutions a GLBA Entity-Level Exemption. Rather, the CCPA’s exemption has always been a Data-Level Exemption limited to NPI (except for the CCPA’s data breach private right of action). However, since the CCPA took effect in 2020, a handful of states have joined California and either limited or eliminated the GLBA Entity-Level
Montana: Until recently, Montana had both a GLBA Data-Level Exemption and a broad GLBA Entity-Level Exemption for a “financial institution or an affiliate of a financial institution” governed by the GLBA. However, SB 297 will amend Montana’s Consumer Data Privacy Act to delete the reference “financial institution or an affiliate of a financial institution.” As such, effective October 1, 2025, Montana’s law will only have a GLBA Data-Level Exemption.
With four more states joining California — and the possibility that other states may limit or eliminate their Entity-Level Exemptions in the coming years — financial institutions should understand the scope of these state laws and remain vigilant for additional changes. Fortunately, financial institutions may be able to leverage their CCPA plans to address these state law developments:
Financial institutions may be able to use this same playbook for these four states that are paring back their GLBA Entity-Level Exemptions. While the exact scope of the state GLBA Data-Level Exemptions varies by state, and the rights afforded to consumers differ, financial institutions may benefit from using the same strategic approach of (1) understanding the full scope of data a financial institution holds, (2) classifying the data as being subject to the GLBA or coming from other sources and (3) studying these state laws and creating processes to provide state privacy law rights to consumers.