Navigating the CPRA as a GLBA-compliant business

The CPRA’s GLBA information exemption is not the blanket entity exemption found under other US state privacy laws. Now, certain personal information not covered by GLBA falls under the CPRA’s scope. Here's what you need to know

Robb Hiscock
Content Marketing Specialist | CIPP/E, CIPM
November 29, 2022

Close-up of woman holding an iPad and credit card

What is the GLBA?

Linda Thielova, Data Protection Officer and Head of the Privacy Center of Excellence at OneTrust, explains the GLBA and its scope below.


On-demand webinar coming soon...


On January 1, 2023, the California Privacy Rights Act (CPRA) is set to go into effect, expanding upon the rights afforded to consumers established under the California Consumer Privacy Act (CCPA). The California legislature amended the CCPA in August 2018, recognizing the conflict between the CCPA and sectoral frameworks such as the Gramm-Leach-Bliley Act (GLBA). This resulted in an exemption for personal information covered by the requirements of the GLBA being written into the CCPA.

In contrast, privacy laws passed by other states including Consumer Data Protection Act (CDPA) in Virginia, Colorado Privacy Act (CPA) in Colorado, Utah Consumer Privacy Act (UCPA) in Utah, and Connecticut Data Privacy Act (CTDPA) in Connecticut include broader entity-level exemptions for financial institutions subject to the GLBA. This means, unlike Virginia, Colorado, Utah, and Connecticut, financial institutions operating in California or collecting personal information on California residents may still be subject to the CCPA and CPRA when collecting and processing personal information in certain instances. Therefore, it is still critical for financial institutions to understand where the CCPA and CPRA apply. The main two stipulations laid out by the GLBA are explained below.


On-demand webinar coming soon...


Title V of the GLBA: What applies under the CPRA?

Title V of the GLBA governs the treatment of non-public personal information about consumers by financial institutions. Regulations within Title V do not apply to organizations covered by the CCPA and the CPRA in the situations outlined in this section.

Collecting information from website visitors

When a financial institution collects CPRA-covered personal information from “persons that do not obtain a financial product or service from a financial institution and is merely browsing the website,” the GLBA does not cover such processing.  In this instance, the organization might collect personal information from web visitors to improve site performance or deliver targeted advertising. In the context of the CPRA, this personal information would be subject to the privacy protections of the law and would need to be included in consumer rights requests. Financial institutions will therefore need to consider mechanisms to facilitate consumer opt-out requests, including those sent via the Global Privacy Control (GPC) – a universal opt-out signal that the CPRA requires businesses to honor.

Personal information collected in the context of B2B products and services

The scope of the GLBA only applies to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes. Furthermore, it “does not apply to information about companies or individuals who obtain financial products or services for business, commercial or agricultural purposes” (12 C.F.R. 216.1(b)) For example CPRA will apply in situations when a financial institution collects and processes personal information from representatives of businesses who are California residents when such personal information is used to process commercial loans, commercial checking accounts, or other B2B services.

Consequently, GLBA does not govern the collection of personal information in situations when a financial institution collects and shares with third parties, personal information about representatives of companies or individuals who obtain financial products or services for the above-mentioned purposes. In these scenarios, the requirements for facilitating the opt-out of sharing data with third parties is in-scope for CPRA, and organizations need to establish mechanisms to communicate consent signals downstream, such as the GPC, to vendors and partners with whom the information is shared.

Employee information

Another area that the GLBA does not govern is the collection of information about a business’s employees. When the CPRA takes effect on January 1, 2023, the exclusion of employees as covered individuals will expire and financial institutions will be required to extend a set of privacy rights to employees, contractors, job applicants, and former employees, similar to those afforded to consumers.

As seen under the employee inclusion under GDPR, the extension of the right to know will pose new and unique challenges for organizations that includes providing a different intake and verification method, as well as finding personal information held in different systems. This also introduces more unstructured data and a greater opportunity for personal information to be co-mingled with sensitive personal information of others or proprietary business information. Again, businesses will need to consider mechanisms to capture requests from current and former employees, applicants, and contractors, and establish processes to narrow the scope of what to include in the response without creating an undue burden on the requestor.


On-demand webinar coming soon...


How OneTrust helps organizations navigate the CPRA’s GLBA exemption

OneTrust helps financial intuitions to close the compliance gap between GLBA and CPRA and create trusted experiences with customers and employees. The OneTrust Privacy & Data Governance Cloud enables businesses to build holistic privacy programs that encompass cross-regulation frameworks and best practices to future-proof organizations against a continuously evolving US privacy landscape.

OneTrust’s automated tools can help financial institutions cover the three areas where the CPRA applies in absence of GLBA requirements including:

  • Extend opt-out of sale and share requests to unidentified web visitors
  • Establish a playbook to automate employee rights requests
  • Honoring the GPC universal opt-out signal
  • Fulfilling opt-out of sharing through the governance of sensitive personal information

Talk to an expert today and request a demo to see how the OneTrust Privacy & Data Governance Cloud can help your organizations fulfill its obligations under the GLBA and CPRA.

You may also like


Privacy & Data Governance

Common CPRA compliance questions answered

Attend OneTrust DataGuidance’s webinar to learn from experts about the CCPA, as amended, and its most pressing compliance questions.

March 21, 2023

Learn more


Privacy Management

Data Privacy Day: Protiviti & OneTrust

Join industry experts at OneTrust & Protiviti for an operational deep dive and interactive Q&A on the upcoming US State laws set to go into effect in 2023.

January 26, 2023

Learn more


Privacy Management

7 steps to CPRA compliance

Download this checklist to make sure your organization follows the right steps to implement processes that achieve California Privacy Rights Act compliance.

January 24, 2023

Learn more