The Ultimate Guide to GLBA


Join our newsletter!

Receive the latest data collection news in your inbox.

Many organizations and businesses, particularly those in financial services, rely on daily and routine collection of consumer data. Because much of this information is sensitive and personal, lawmakers and other regulators have instituted guidelines and legal obligations to ensure that this data is protected.

The Gramm-Leach-Bliley Act (GLBA) is one such measure. This act, enacted in 1998, has major implications for organizations like investment banks, mortgage companies, brokerage firms, insurance companies, and others. These businesses are held to specific standards as a way to shore up data privacy and protection.

In this guide, we’ll explain what the Gramm-Leach-Bliley Act is and how it impacts your position as you collect, store, or process data. 

Table of Contents


This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with your own legal counsel if you have questions about your obligations under any policy, including the Gramm-Leach-Bliley Act. 

An introduction to GLBA

The Gramm-Leach-Bliley Act is a regulation under the Federal Trade Commission (FTC) that requires financial institutions, or any company that offers comparable services such as loans, to be forthcoming about information sharing practices. The GLBA also makes it mandatory for these organizations to safeguard sensitive data (including confidential information that links financial records to a specific individual).

Although the GLBA is most directly relevant to banks and other financial institutions, it also applies to any type of institution that collects, maintains, or shares customer financial data. Under the broader scope of the act, colleges and universities, automotive dealers, and other institutions must maintain compliance with this important directive.

Why is it important? 

For consumers, the GLBA is an important safeguard against the irresponsible use of private or sensitive data. It can be particularly dangerous for confidential financial information to fall into the wrong hands, and the GLBA goes to great lengths to provide peace of mind and security guarantees.

As is true with most other data privacy laws, organizations that fail to comply with the GLBA may face negative consequences like fines and loss of customer trust.

Who does GLBA apply to?

Under the GLBA, organizations that collect and process consumer financial data must meet a set of privacy regulations to ensure that customers are protected. This most directly applies to financial services companies, but the rules aren’t exclusive to this industry. Other institutions, such as universities that process student loans, are responsible for maintaining compliance. 

What new rules does the GLBA introduce?

In 2021, the FTC added a new Safeguards Rule to the existing GLBA framework. Under the Safeguards Rule, companies must have a written plan in place for the protection of consumer information within the organization. 

According to the Federal Trade Commission, “The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.”

Furthermore, the Safeguards Rule requires that each company with obligations under the GLBA have an appointed individual or representative who is responsible for coordinating information security policies. This appointed individual must also proactively approach and mitigate potential risks. 

For a recap of GLBA privacy rules and other similar policies to protect sensitive data, check out our Data Privacy for Financial Services page. 

>> Download FormAssembly’s GLBA Checklist! <<

What does all of this mean for FormAssembly customers?

FormAssembly works with many customers that are held to GLBA standards. As a result, we’re dedicated to educating organizations and team members on how to better understand this essential financial data privacy law as it relates to the creation of new forms and the collection of consumer data.

To a certain extent, FormAssembly assists different organizations (not only financial services companies) with the creation and management of GLBA-compliant forms. Regardless, you are still responsible and liable for any specific responsibilities that are yours under FTC regulations.

Important GLBA terms

To understand how GLBA directs and guides your organization’s data privacy and usage policies, you must first be familiar with several terms that are unique to this legislation. In this section, we’ll introduce you to the ling that’s most important to the GLBA.

Non-public personal information

The GLBA protects “non-public personal information,” or NPI, which can include credit card numbers, account numbers, Social Security numbers, and any other type of personal data that is collected by applicable institutions. The law includes separate rules for data management.

Financial Privacy Rule

This rule requires financial institutions to be transparent about how customers’ data is being used and protected. Institutions must provide privacy notices with this information, and they must also explain consumers’ rights to opt out of data sharing.

Safeguards Rule

This newer rule details how sensitive data and personal information should be protected by financial organizations, with specific requirements focused on data security programs and administrative procedures.

Understanding obligations under GLBA

In order to remain in GLBA compliance, financial institutions (and any other businesses that collect or manage non-public information) must pay special attention to employee management and training, information systems, and procedural security management. 

Companies that fail to comply can incur up to $100,000 in fines per violation. Individuals who fail to comply with GLBA mandates may face up to $10,000 in fines per violation plus prison time. 

Maintaining obligations under the GLBA means that your organization will be able to avoid these sizable fines while moving to a place of customer trust, loyalty, and retention. 

Step-by-step guide to creating GLBA-compliant forms

As an all-in-one data collection platform, FormAssembly helps organizations in all industries steward their data more responsibly. Our platform offers encryption at rest and is compliant with many major policy regulations (both domestic and international) including GDPR, CCPA, HIPAA, GLBA, PCI DSS level 1, and more.

FormAssembly’s Compliance Cloud plan features advanced security and privacy controls, plus personalized data security training and other privacy features. To maximize our platform’s compliance with GLBA and other protocols, here are a few tips that can help you be successful.

  1. Determine if (and how) the rule applies to you. GLBA can apply to any organization from banks, to insurance appraisers, to college financial aid departments. The first step in creating compliant forms is ensuring that your creation process matches your obligations. This is the foundation to your compliance success. 
  1. Provide a method for distributing policy notices. The GLBA’s Financial Privacy Rule requires financial institutions to provide privacy notices for each consumer as soon as they start working with them, including details about how their information is used, collected, and protected. Make sure this information is available to any form respondent.
  1. Use GLBA-compliant vendors. When it comes to legislation like GLBA, accountability is also about who you trust when it comes to delegation, support, and task management. As a third-party data collection platform, FormAssembly works with financial organizations and others (including higher ed customers) to manage data in a secure, streamlined, and modern way.
  1. Mark personal data as PII or sensitive. As a form creator, you must take responsibility for marking personal data as sensitive. FormAssembly can help alleviate extra work through sensitive data features that allow you to indicate additional sources of data as needed. 

Overview of best practices for your entire organization

In addition to designing forms that are in the best interests of both your organization and your customers or end-users, remember that everyone on your team plays an important role in compliance with financial policies. 

Build a GLBA-friendly operation by following these tips:

  • Develop written security and data privacy policies 
  • Appoint the right individuals to key data roles, both internally and externally 
  • Offer ongoing training and GLBA education to all employees
  • Choose compliant third party services for processing data
  • Seek appropriate legal counsel for any clarifying questions

GLBA compliance checklist 

>> Download our free GLBA Compliance Checklist to grow in your knowledge of this important regulation and to quickly audit your organization’s adherence. << 

How FormAssembly can help with GLBA compliance

In addition to helping you create web forms that comply with GLBA policies and procedures, FormAssembly is committed to helping your organization or business stay on top of new data regulations and security trends. 

Because of our commitment to responsible data stewardship, we regularly create and publish helpful resources that allow our customers to focus on what matters most. While we want every customer to remain an active partner in compliance, we do our best to make this process easier.

Content resources

The FormAssembly blog is full of up-to-date content that will equip you to apply new policies wherever you are. Explore some of our top GLBA blog posts for clarification on this and other data privacy policies:


FormAssembly has a regular calendar of webinars that focus on topics our customers want to know about most. Many GLBA-compliant businesses also have a vested interest in protecting their organizations against cybersecurity and other data threats. Check out the links below to enjoy some of our webinars. 

FAQ page

For a general look at some of our most popular customer questions, simply head over to our FAQ page where we offer in-depth answers to questions about form creation, publication, data privacy, and more.

Knowledge Center

FormAssembly’s extensive help documentation highlights everything you need to know about regulatory guidelines and the creation of compliant web forms. Head over to our comprehensive Resource Center for in-depth guides, videos, tutorials, and more.

Take the next steps toward GLBA compliance

Move towards GLBA compliance with our handy, user-friendly checklist! 

Don’t just collect data
— leverage it