State Data Privacy Law Update – Two States Limit GLBA Exemptions
By paring back on the broad entity level GLBA exemption, Montana and Connecticut have joined California, Minnesota, and Oregon as states that do not include a broad entity level GLBA financial institution exemption within their respective consumer data privacy laws.
Montana
On May 8, Montana Governor Greg Gianforte signed Senate Bill 297 (SB 297) into law, which revises the Montana Consumer Data Privacy Act (“MCDPA”), by, among other changes, lowering the thresholds for application of the law, broadening the reach of the MCDPA for protection of the personal data of minors, removing the entity level exemption for most nonprofit entities (with the exception of those organizations established to detect and prevent insurance fraud), and significantly changing the GLBA entity level exemption. The amendments are set to take effect on October 1, 2025.
Prior to SB 297, the MCDPA aligned with the majority of state data privacy laws that include a wholesale exemption for a “financial institution or an affiliate of a financial institution governed by” the GLBA. SB 297 removes a significant portion of the entity level exemption, making most GLBA-covered financial institutions subject to the MCDPA. The MCDPA does continue to include a data level exemption for “personal data collected, processed, sold, or disclosed in accordance with” the GLBA.
While SB 297 removed the exemption for GLBA financial institutions, it also added an entity-level exemption for state or federally chartered banks or credit unions and their affiliates and subsidiaries. As a result, it appears that the intent of the amendment was to bring non-depository GLBA financial institutions (e.g., fintechs and nonbank mortgage companies) under the scope of the MCDPA.
Connecticut
On June 25, 2025, Connecticut Governor Ned Lamont signed into law SB 1295, which amends the Connecticut Data Privacy Act (“CDPA”). SB 1295, among other changes, expands the applicability of the CDPA, changes the profiling-related disclosure requirements and consumer rights, adds to the list of “sensitive data” elements, and, like Montana, removes a substantial portion of the GLBA entity level exception. The majority of the changes are set to take effect on July 1, 2026.
Prior to SB 1295, the CDPA provided a blanket, entity level exception for any “financial institution” or “data” subject to the GLBA. While the data level exemption remains as is, SB 1295 has narrowed the entity-level exemption for all financial institutions subject to GLBA as follows:
- a bank or credit union (and any affiliate or subsidiary thereof) that (a) is only and directly engaged in financial activities as described in the Bank Holding Act; (b) is regulated and examined by the Connecticut Department of Banking or an applicable federal bank regulatory agency; and (c) has established a program to comply with all applicable requirements of the Connecticut Banking Commissioner or the applicable federal bank regulatory agency concerning personal data;
- certain insurers (including fraternal benefit societies, health carriers, and insurance-support organizations); or
- an agent, broker-dealer, investment adviser, or investment adviser agent that is regulated by the Connecticut Department of Banking or the Securities and Exchange Commission.
Given this amendment, financial institutions that are subject to GLBA but fall outside the new definition of “financial institution” under the CDPA will need to consider the personal data they collect and process to ensure that, when not protected by GLBA, it is processed in compliance with the CDPA.

