For years, consumer lending companies have treated state privacy laws the way a tortoise treats a rainstorm: head down, shell up, wait for it to pass. The reasoning was simple. The Gramm-Leach-Bliley Act (“GLBA”) exemption in nearly every state’s comprehensive privacy law seemed broad enough to keep regulators at bay. Why worry about California’s CPRA, Colorado’s CPA, or Texas’s TDPSA when financial institutions are “exempt”?
That logic is collapsing. State attorneys general and dedicated privacy enforcement agencies have spent the last eighteen months methodically learning that the GLBA exemption is not a force field. It is a narrow doorway, and a great deal of what consumer lenders do every day walks right past it. Lenders that fail to recognize this shift will not get a polite warning letter. They will get a press release with their name in the headline.
Here is what consumer lending companies need to understand before enforcement comes knocking.
The GLBA Exemption Is Narrower Than You Think
Most state privacy laws exempt financial institutions, financial information, or both. The structure varies. California exempts the data, not the entity. Virginia and most copycat states exempt both. But “exempt” does not mean “untouchable.” The exemption applies only to nonpublic personal information collected and processed under GLBA. It does not apply to data collected from website visitors who never become customers. It does not apply to marketing lists purchased from third parties. It does not apply to employee or applicant data. And it does not apply when the same record is used for purposes outside GLBA-permitted uses.
Lenders that treat the GLBA exemption as a categorical shield are misreading the statute. Regulators are reading it correctly.
Marketing Data Is Where the Risk Lives
Pre-screened offers, lead-generation data, retargeting audiences, and lookalike models are not GLBA records. They are marketing data, governed by state privacy law in full. When a lender uploads a hashed email list to a social platform to build a custom audience, that activity is a “sale” or “share” under California law and a targeted advertising activity under Virginia, Colorado, Connecticut, and most other similar state regimes. It triggers opt-out rights, disclosure obligations, and contractual requirements on the downstream platform.
The compliance question is not whether the activity happens. It is whether the consumer has been given the disclosures and opt-out mechanisms the statute requires.
Website Tracking Is the Easiest Case for an Enforcer to Win
Plaintiffs’ firms have already shown the playbook. The same pixels, session replay tools, and chat-widget integrations that have fueled CIPA wiretap litigation in California are sitting on lender websites across the country. State privacy regulators do not need to prove wiretapping. They only need to show that personal information was shared with a third party for cross-context behavioral advertising and that the consumer was not given the required opt-out.
A Meta Pixel firing on a loan application page, a Google Analytics tag set to share data with advertising products, or a TikTok pixel on a rate-quote landing page can each, on its own, support an enforcement action. Lenders should be auditing their tag managers right now and tying every tracker to a documented legal basis and a working opt-out signal, including Global Privacy Control.
Vendor Management Is a Compliance Function, Not a Procurement Function
Every state privacy law requires written contracts with processors or service providers. Those contracts must include specific terms: purpose limitations, confidentiality, subprocessor flow-down, audit rights, and deletion obligations. A standard master services agreement does not satisfy these requirements. Neither does a vendor’s boilerplate data processing addendum if it was drafted for a different regime.
Consumer lenders typically work with dozens of vendors that touch personal data: lead aggregators, dialer platforms, SMS providers, credit-pull services, e-signature tools, analytics vendors, and customer-relationship platforms. Each relationship needs a privacy-compliant contract, a documented risk assessment, and a process for handling consumer rights requests that pass through to the vendor.
Cross-Context Behavioral Advertising Requires Opt-Outs That Actually Work
California, Colorado, Connecticut, Texas, and a growing list of other states require lenders to honor opt-out preference signals for targeted advertising. That means a working GPC implementation, a “Do Not Sell or Share My Personal Information” link where applicable, and a back-end process that actually removes the consumer from advertising audiences across every platform the lender uses.
A privacy policy that promises an opt-out without a functioning mechanism behind it is a deceptive practice. The FTC has said so. State attorneys general have said so. Enforcement actions over the last year have made the point explicit.
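The tracker audit described above and the "working GPC implementation" this section calls for come down to one control: every advertising tag fires only after the page has checked the opt-out signals. The following is an added example written for this page, not code from the article or from any tag-management product. It assumes a placeholder tag inventory, a placeholder first-party cookie named privacy_opt_out, and a hypothetical loader that takes the returned list; the two real-world inputs are navigator.globalPrivacyControl and the Sec-GPC request header, which browsers honoring Global Privacy Control expose.

```javascript
// Added example (not from the article): gate advertising tags behind the
// opt-out signals a lender must honor. The tag ids, the "privacy_opt_out"
// cookie name and the inventory below are placeholders; a real deployment
// wires resolveTagsToLoad() into its own tag manager.

// Global Privacy Control reaches a site two ways: the browser exposes
// navigator.globalPrivacyControl on the page, and sends "Sec-GPC: 1" with
// each request. Both must be checked, because the server may render the
// page (and decide which scripts to include) before any script runs.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

function gpcFromHeaders(headers) {
  // Header names are case-insensitive; accept either spelling.
  const value = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return String(value ?? '').trim() === '1';
}

// A stored opt-out (set when the consumer clicks "Do Not Sell or Share My
// Personal Information") must survive across sessions on its own, even on a
// browser that never sends GPC. Placeholder cookie name.
function optOutFromCookies(cookieHeader) {
  return String(cookieHeader ?? '')
    .split(';')
    .map((part) => part.trim())
    .some((part) => part === 'privacy_opt_out=1');
}

// Tag inventory (placeholder): each tracker is tagged with its purpose, so the
// opt-out decision is made per purpose rather than per vendor. This is the
// "documented legal basis" the audit should produce for every tag.
const TAG_INVENTORY = [
  { id: 'session-security', purpose: 'essential' },
  { id: 'first-party-analytics', purpose: 'analytics' },
  { id: 'social-pixel', purpose: 'cross_context_advertising' },
  { id: 'ad-network-tag', purpose: 'cross_context_advertising' },
];

// Decide which tags may fire on this page view. Any single opt-out source is
// enough to suppress every cross-context advertising tag; essential and
// first-party analytics tags are not a "sale" or "share" and stay on.
function resolveTagsToLoad(
  { gpcNavigator = false, gpcHeader = false, storedOptOut = false } = {},
  inventory = TAG_INVENTORY,
) {
  const optedOut = gpcNavigator || gpcHeader || storedOptOut;
  return inventory
    .filter((tag) => !(optedOut && tag.purpose === 'cross_context_advertising'))
    .map((tag) => tag.id);
}

// Combine all three signals for one request. Returns the ids the (hypothetical)
// loader is allowed to inject; nothing outside this list should reach the page.
function evaluatePageView({ nav, headers, cookieHeader }) {
  return resolveTagsToLoad({
    gpcNavigator: gpcFromNavigator(nav),
    gpcHeader: gpcFromHeaders(headers),
    storedOptOut: optOutFromCookies(cookieHeader),
  });
}

// Constructed sample visit: a GPC-enabled browser with no stored opt-out.
const sampleVisit = {
  nav: { globalPrivacyControl: true },
  headers: { 'sec-gpc': '1', 'user-agent': 'constructed-sample' },
  cookieHeader: 'session=abc123',
};
console.log('tags allowed:', evaluatePageView(sampleVisit));
```

The point of keeping purpose on the inventory rather than on the loader is auditability: when a regulator asks why a given pixel fired, the answer is a row in this table plus the three signals evaluated for that request. The same three inputs should also drive the back-end audience removal, so that a consumer who opts out on the site is dropped from the custom audiences already uploaded to each platform, not merely spared future uploads.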
Employee and Applicant Data Is No Longer a Free Zone
California’s CPRA removed the employee and applicant exemption in 2023. Other states are following. Consumer lenders process significant volumes of HR data: background checks, credit pulls on applicants, biometric timekeeping data, productivity monitoring, and increasingly, AI-driven hiring tools. Each category carries its own disclosure, consent, and assessment obligations under state law. Automated decision-making rules in California, Colorado, and other states will require formal impact assessments before deploying AI tools in hiring or workforce management.
What to Do This Quarter
Three steps should be on every consumer lender’s compliance calendar before year-end. First, map data flows and confirm which records are actually GLBA-covered and which are not. Second, audit website-tracking technologies and align them with the disclosures and opt-out mechanisms that each state requires. Third, refresh vendor contracts and risk assessments to meet the specific terms state privacy laws now demand.