Why Consumer Lenders Are the Next Target for State Privacy Enforc

https://natlawreview.com/article/glba-wont-save-you-why-consumer-lenders-are-next-target-state-privacy-enforcers

Publish Date: 2026-05-20 11:14:00

Source Domain: natlawreview.com

For years, consumer lending companies have treated state privacy laws the way a tortoise treats a rainstorm: head down, shell up, wait for it to pass. The reasoning was simple. The Gramm-Leach-Bliley Act (“GLBA”) exemption in nearly every state’s comprehensive privacy law seemed broad enough to keep regulators at bay. Why worry about California’s CPRA, Colorado’s CPA, or Texas’s TDPSA when financial institutions are “exempt”?

That logic is collapsing. State attorneys general and dedicated privacy enforcement agencies have spent the last eighteen months methodically learning that the GLBA exemption is not a force field. It is a narrow doorway, and a great deal of what consumer lenders do every day walks right past it. Lenders that fail to recognize this shift will not get a polite warning letter. They will get a press release with their name in the headline.

Here is what consumer lending companies need to understand before enforcement comes knocking.

The GLBA Exemption Is Narrower Than You Think

Most state privacy laws exempt financial institutions, financial information, or both. The structure varies. California exempts the data, not the entity. Virginia and most copycat states exempt both. But “exempt” does not mean “untouchable.” The exemption applies only to nonpublic personal information collected and processed under GLBA. It does not apply to data collected from website visitors who never become customers. It does not apply to marketing lists purchased from third parties. It does not apply to employee or applicant data. And it does not apply when the same record is used for purposes outside GLBA-permitted uses.

Lenders that treat the GLBA exemption as a categorical shield are misreading the statute. Regulators are reading it correctly.

Marketing Data Is Where the Risk Lives

Pre-screened offers, lead-generation data, retargeting audiences, and lookalike models are not GLBA records. They are marketing data, governed by state privacy…
