Gramm-Leach-Bliley Act (GLBA)

Federal law requiring financial institutions, including insurers, to protect consumer financial information privacy and disclose their data-sharing practices.

Category: industry. Published 2026/06/07. Last verified 2026/06/07.

FAQs

Does GLBA apply to independent insurance agents as well as carriers?
Yes. GLBA applies to all 'financial institutions,' a broadly defined category that includes entities significantly engaged in financial activities. Independent insurance agencies that handle consumer financial information—which includes virtually all personal lines and many commercial lines agencies—are covered by GLBA and must provide privacy notices, honor opt-out requests, and implement information security programs.
What is 'non-public personal information' under GLBA?
NPI under GLBA is any personally identifiable financial information that a consumer provides, that results from a transaction with the financial institution, or that the institution otherwise obtains in connection with providing a product or service. This includes insurance applications, claims information, financial account details, Social Security numbers, and data derived from combining public information with non-public information.
How does GLBA interact with state insurance privacy laws?
GLBA explicitly preserves states' authority to impose stricter privacy protections for insurance consumers. The NAIC's Privacy of Consumer Financial and Health Information Model Regulation implements GLBA requirements for insurance through state law, often with additions specific to the insurance context. California, Vermont, and several other states have privacy laws more restrictive than the GLBA baseline. Insurance companies must comply with the most stringent applicable law.

Related Terms

  • Data Breach Notification

    Legal requirements obligating organizations—including insurers and agencies—to notify individuals and regulators when personal data is compromised.

  • State Insurance Department

    The state regulatory body with primary authority over insurance regulation—licensing insurers, reviewing rates and forms, and enforcing insurance laws.

  • Record Retention

    Regulatory and legal requirements specifying how long insurers and agents must retain insurance records—policies, claims files, and communications.

  • AI Model Governance

    The policies, procedures, and controls an insurer implements to ensure AI and ML models are accurate, fair, explainable, and regulatory-compliant.


The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, is a federal law that governs the collection, use, and disclosure of personal financial information by financial institutions—a category that includes insurance companies, banks, securities firms, and other entities engaged in financial activities. GLBA imposes three primary obligations on insurance companies: a privacy notice requirement, an opt-out right for consumers, and a data security (Safeguards Rule) requirement.

How It Works / Why It Matters

GLBA's privacy provisions were motivated by the increasing aggregation of financial data across formerly separate banking, securities, and insurance industries. Congress was concerned that financial holding companies formed after GLBA's deregulation of these sectors would use consumer data across product lines in ways consumers had not consented to and did not expect.

Privacy notice requirement: Insurance companies must provide clear, conspicuous notice to consumers describing what non-public personal information (NPI) they collect, how it is used, and with whom it is shared. Initial notices must be provided at the time of customer relationship establishment; the FAST Act of 2015 eliminated the annual notice requirement for companies that haven't changed their privacy practices.

Opt-out right: Consumers have the right to opt out of certain information-sharing arrangements—specifically, sharing NPI with unaffiliated third parties. Insurers must provide a reasonable opt-out mechanism and honor opt-out requests within 30 days.

Safeguards Rule: GLBA requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information. The FTC's Safeguards Rule was substantially updated in 2023 to impose specific technical and administrative security controls.

In Practice

State insurance department enforcement: GLBA provides that state insurance regulators are the primary enforcers of privacy requirements for insurance companies—not the FTC. States have adopted implementing regulations, typically based on NAIC model privacy regulations that parallel GLBA requirements. State enforcement of insurance privacy is conducted through market conduct examinations and complaint investigations.

Safeguards Rule (2023 update): The FTC's amended Safeguards Rule requires covered financial institutions to implement specific controls including: encryption of customer information in transit and at rest, multi-factor authentication for any individual accessing customer information, access controls limiting customer information access to employees who need it, periodic penetration testing, employee security training, an incident response plan, and annual reporting to the board on the information security program.

Data breach implications: GLBA's Safeguards Rule requires covered institutions to notify the FTC within 30 days of discovering a security breach involving customer information—a notification obligation that intersects with state data breach notification laws.

AI tools that process customer data in insurance workflows must be designed with GLBA compliance in mind. Customer financial information used to train AI models or generate recommendations is NPI subject to GLBA use restrictions.

Related Concepts

GLBA is the federal foundation of insurance privacy compliance, intersecting with data breach notification requirements, state insurance department enforcement, bancassurance (where bank-insurance data sharing creates GLBA complexity), and record retention (which must account for NPI handling requirements).