The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a US law that modernized the financial industry by making two major regulatory changes:
The purpose of the Gramm-Leach-Bliley Act (GLBA) was to allow for a more efficient and integrated financial services sector without degrading the privacy rights of consumers.
Prior to the Gramm-Leach-Bliley Act (GLBA), legislation blocked banks, insurance companies, and investment firms from merging or partnering in an effort to prevent another Great Depression. Though sensible, this legislation countered the growing consumer demand for a simpler financial services industry. It was this economic pressure paired with a landmark merger between Citicorp and Travelers Group that led to the GLBA being passed.
Giving financial service providers the freedom to consolidate their services meant also giving them freedom to consolidate the highly sensitive financial data they had been collecting from customers. This introduced several risks:
To mitigate these risks the GLBA mandated a series of rules that ensure consumers have control over their data while holding financial institutions accountable for data security.
The GLBA introduced three rules for financial service providers to follow.
Each rule tackles a specific aspect of collecting, disclosing, and protecting consumers’ non-public personal information.
The Financial Privacy Rule requires all financial institutions to provide their consumers with a privacy notice (privacy policy) when they start doing business and annually thereafter. It also requires financial institutions to notify customers each time their privacy notice is updated, and customers regain the right to opt out each time the notice is reissued.
The GLBA requires financial institutions to explain their information-sharing practices to their customers from within their privacy policy. To do this, their privacy policy must state:
The Safeguards Rule requires financial institutions to have reasonable measures in place to protect their customers’ non-public personal information through an information security program. To ensure financial institutions develop, implement, and maintain an adequate information security program, the Safeguards Rule also sets standards for financial institutions to follow.
To meet the requirements of the Safeguards Rule, financial institutions must develop an information security program that is to the standard set by the GLBA. To meet these standards, all financial institutions must:
The GLBA’s pretexting protection rule prohibits obtaining a financial institution’s customer information under false pretenses and requires organizations to implement safeguards against pretexting. Pretexting, a form of social engineering, refers to deceptive practices used to obtain private information under false pretenses.
Under pretexting protection, financial institutions are required to:
The GLBA defines financial institutions as: “companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance”.
This includes:
GLBA compliance is mandatory; whether or not a financial institution discloses nonpublic information, it must have a policy in place to protect that information from foreseeable threats to its security and integrity.
The GLBA’s rules were implemented to protect consumers’ customer information.
Customer information, or customer data, is a collection of details and data points about a company’s customers. In the context of the financial industry, the FTC defines customer information as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates”.
Nonpublic personal information (NPI) refers to private financial details about a person that are protected and are not publicly available, such as personally identifiable financial information, or lists or groupings of consumers created using private financial data.
Some examples of nonpublic personal information are:
The penalties for violating the GLBA are fines of up to $100,000 per violation for institutions and up to $10,000 per violation for individuals, such as directors or officers.