CIPP/US Study Guide
Chapter 9: Financial Privacy

GLBA Scope, NPI and Enforcement

GLBA covers financial institutions significantly engaged in financial activities and regulates nonpublic personal information (NPI). Enforcement runs through federal banking regulators, the SEC, the FTC and now the CFPB; there is no private right of action, and stricter state laws are not preempted.

A financial institution is any U.S. company significantly engaged in financial activities (banks, insurers, securities firms, payment services, check cashers, credit counselors, mortgage lenders). Nonpublic personal information (NPI) is broad: even a customer's name is NPI because it signals a financial relationship.

Consumer vs. customer

GLBA protects consumers (individuals obtaining financial products or services for personal, family or household use), but many requirements (such as the annual notice) apply only to customers, i.e. consumers with an ongoing relationship with the institution.

Penalties: up to $100,000 per violation for institutions; up to $10,000 per violation for officers/directors; criminal penalties for intentional violations. FIRREA adds further penalties. No private right of action exists, though notice failures may be deceptive trade practices, and stricter state laws are not preempted.

Key terms - quick answers

What is “Nonpublic personal information (NPI)”?
Personally identifiable financial information a consumer provides to, or that results from transactions with, or is otherwise obtained by a financial institution; excludes publicly available information and lists derived without using such information.
What is “Customer (GLBA)”?
A consumer with an ongoing relationship with a financial institution; many GLBA notice requirements apply specifically to customers.