A.5 Consumer Protection Laws | Certified Financial Planner (CFP) | Free Exam Prep

Certified Financial Planner

A.1 Code of Ethics and Standards of Conduct A.1.1 The Six Ethical Principles A.2 Procedural Rules and Discipline A.2.1 Fitness Standards for Candidates A.3 Financial Institutions Overview A.3.1 Broker-Dealers vs. RIAs A.4 SEC and Securities Regulation A.4.1 FINRA and Broker-Dealer Regulation A.4.2 State Securities Regulation A.5 Consumer Protection Laws A.5.1 Privacy and Confidentiality Requirements A.6 Fiduciary Duty and Application

B.7 The Financial Planning Process B.7.1 Establishing the Client Relationship B.7.2 Gathering Client Data and Goals B.8 Personal Financial Statements B.8.1 Key Financial Ratios B.9 Cash Flow Management B.9.1 Emergency Fund Planning B.10 Debt Management Strategies B.10.1 Mortgage and Home Financing B.11 Economic Concepts B.11.1 Planning for Inflation B.12 Time Value of Money Concepts B.12.1 TVM Calculations and Applications B.12.2 Loan Amortization B.13 Education Needs Analysis B.14 Education Savings Vehicles B.14.1 529 Plans In-Depth B.15 Education Funding Strategies B.16 Gift/Income Tax Strategies

C.17 Principles of Risk and Insurance C.17.1 Risk Management Process C.18 Analysis of Risk Exposures C.19 Health Insurance Fundamentals C.19.1 Types of Health Insurance Plans C.20 Disability Income Insurance C.20.1 Disability Policy Features C.21 Long-Term Care Insurance C.22 Annuities Overview C.22.1 Fixed vs. Variable Annuities C.23 Life Insurance Fundamentals C.23.1 Types of Life Insurance C.24 Business Owner Insurance Solutions C.25 Insurance Needs Analysis C.26 Insurance Policy and Company Selection

D.27 Equity Securities D.27.1 Fixed Income Securities D.27.2 Mutual Funds and ETFs D.27.3 Taxation of Investment Vehicles D.28 Systematic Risk D.28.1 Unsystematic Risk D.29 Economic and Market Cycles D.30 Measures of Risk and Return D.30.1 Investment Performance Measures D.31 Asset Allocation Strategies D.31.1 Portfolio Diversification D.32 Bond and Stock Valuation D.32.1 Stock Valuation Models D.33 Investment Policy Statement D.33.1 Modern Portfolio Theory D.34 Active vs. Passive Investing D.34.1 Common Investment Strategies D.35 Alternative Investments D.35.1 Options and Derivatives

E.36 Income Tax Fundamentals E.36.1 Filing Status and Tax Brackets E.37 Types of Income E.37.1 Deductions and Credits E.37.2 Capital Gains and Losses E.38 Business Entity Taxation E.38.1 Self-Employment Tax E.39 Taxation of Trusts and Estates E.40 Tax Reduction Strategies E.40.1 Retirement Account Tax Strategies E.41 Property Transactions E.41.1 Basis Rules for Acquired Property E.42 AMT and NIIT E.42.1 Special Tax Situations E.43 Charitable Giving Strategies

G.54 Property Titling and Beneficiary Designations G.54.1 Beneficiary Designations G.55 Strategies to Transfer Property G.55.1 Lifetime Gifting Strategies G.56 Wills and Estate Documents G.56.1 Powers of Attorney G.56.2 Advance Directives and Healthcare Documents G.57 Federal Gift Tax G.57.1 Federal Estate Tax G.57.2 Generation-Skipping Transfer Tax G.58 Sources for Estate Liquidity G.58.1 Life Insurance for Estate Liquidity G.59 Trust Fundamentals G.59.1 Revocable Living Trusts G.59.2 Irrevocable Trusts G.59.3 Trust Income Taxation G.60 Marital Deduction Planning G.60.1 QTIP Trusts G.60.2 Portability of Estate Tax Exemption G.61 Intra-family and Business Transfer Techniques G.61.1 Family Limited Partnerships G.61.2 GRATs and IDGTs G.62 Postmortem Estate Planning Techniques G.62.1 Disclaimer Planning G.62.2 Estate Tax Elections G.63 Planning for Divorce and Unmarried Couples G.63.1 Estate Planning for Unmarried Couples G.63.2 Planning for Blended Families G.64 Planning for Special Needs and Circumstances G.64.1 Special Needs Trusts G.64.2 ABLE Accounts

Key Takeaways

The Gramm-Leach-Bliley Act (GLBA) establishes the primary federal framework for financial privacy protection
Regulation S-P implements GLBA requirements for SEC-registered broker-dealers and investment advisers
Financial institutions must provide initial and annual privacy notices explaining information-sharing practices
Consumers have the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties

Last updated: January 2026

Consumer Protection Laws

Financial privacy is a fundamental concern for clients, and CFP professionals must understand the legal framework that protects client information. The primary federal privacy law affecting financial services is the Gramm-Leach-Bliley Act (GLBA), which establishes requirements for how financial institutions collect, use, and share consumer information. For SEC-registered entities, Regulation S-P implements these requirements with specific compliance obligations.

The Gramm-Leach-Bliley Act (GLBA)

Congress enacted the Gramm-Leach-Bliley Act in 1999 to modernize the financial services industry by allowing banks, securities firms, and insurance companies to affiliate. Along with this deregulation came new privacy requirements to protect consumers.

GLBA's Three Key Components:

Component	Purpose	Enforced By
Financial Privacy Rule	Requires privacy notices and limits information sharing	FTC, SEC, banking regulators
Safeguards Rule	Requires security programs to protect customer data	FTC (for non-bank financial institutions)
Pretexting Provisions	Prohibits obtaining customer information through false pretenses	FTC, state attorneys general

The GLBA applies broadly to "financial institutions," defined as any company significantly engaged in financial activities. This includes not only banks and securities firms but also:

Mortgage lenders and brokers
Tax preparation firms
Financial advisers and planners
Check cashing services
Wire transfer services
Collection agencies
Credit counselors

What Is Nonpublic Personal Information (NPI)?

GLBA protections center on Nonpublic Personal Information (NPI)—personally identifiable financial information that a consumer provides to obtain a financial product or service. NPI includes:

Information provided by the consumer: Account applications, income data, Social Security numbers
Information from transactions: Account balances, payment history, credit card purchases
Information obtained from providing services: Data gathered through serving the client's account

NPI does not include publicly available information such as telephone numbers listed in public directories, information from public government records, or information widely distributed through media.

The Privacy Notice Framework

GLBA requires financial institutions to provide clear, conspicuous notices explaining their information-sharing practices. The framework includes two types of notices:

Initial Privacy Notice:

Financial institutions must provide an initial privacy notice at the time a customer relationship is established. This notice must describe:

Categories of NPI collected
Categories of NPI disclosed to third parties
Categories of affiliates and nonaffiliates with whom information is shared
The institution's policies regarding former customers
How the institution protects NPI confidentiality and security
The consumer's right to opt out of certain disclosures

Annual Privacy Notice:

Historically, institutions were required to provide annual privacy notices to customers. However, the FAST Act of 2015 created an exception: institutions that meet specific conditions do not need to provide annual notices if:

They share NPI only in ways that don't require opt-out rights
Their privacy policies have not changed since the last notice
They post their privacy notice on their website (if they maintain one)

Exam Tip: The annual notice requirement was modified in 2015. Know that institutions meeting certain conditions (no changes to privacy policy, no opt-out-triggering sharing) may qualify for the annual notice exception.

Opt-Out Rights

One of GLBA's most important consumer protections is the right to opt out of having NPI shared with nonaffiliated third parties. When an institution wants to share information beyond what's permitted by GLBA exceptions, it must:

Clearly describe the categories of information that may be disclosed
Describe the categories of third parties to whom disclosure may be made
Provide a reasonable means for the consumer to opt out
Wait a reasonable period (typically 30 days) before sharing information

Opt-Out Methods Must Be Reasonable:

Toll-free telephone number
Return mail form
Electronic opt-out (for customers who conduct business electronically)

Institutions cannot require consumers to write their own letter or take unreasonable steps to exercise opt-out rights.

Exceptions to Opt-Out Requirements

GLBA provides several exceptions where institutions may share NPI without offering opt-out rights:

Exception	Example
Processing transactions	Sharing with service providers to execute a trade
Servicing accounts	Sharing with custodians or clearing firms
Protecting against fraud	Sharing with fraud detection services
Legal compliance	Responding to court orders or regulatory examinations
Joint marketing agreements	Sharing with partners under written agreements with confidentiality restrictions

The joint marketing exception is particularly important for financial services. Institutions may share NPI with nonaffiliated third parties under a joint marketing agreement if the agreement includes restrictions on the third party's use and disclosure of the information.

GLBA Enforcement and State Law Developments

GLBA is enforced by multiple regulators depending on the type of institution:

Institution Type	Primary Regulator
Banks	OCC, Federal Reserve, FDIC
Credit unions	NCUA
Broker-dealers	SEC
Investment advisers	SEC or state regulators
Other financial institutions	FTC

2025 State Law Developments:

The relationship between GLBA and state privacy laws is evolving. In 2025, Montana and Connecticut amended their state privacy laws to remove broad exemptions for GLBA-covered financial institutions. This means financial institutions in those states must now comply with both federal GLBA requirements and additional state privacy obligations for data not covered by GLBA.

California's Consumer Privacy Act (CCPA) has always applied a narrower "data-level" exemption—only GLBA-covered data is exempt, not the entire institution. This trend suggests financial institutions should prepare for overlapping federal and state privacy compliance.

GLBA Modernization Discussions

Congress and the CFPB are examining whether GLBA's privacy framework needs updating for the digital age. In early 2025, the CFPB sought public comment on potential modernization of the Privacy Rule (Regulation P), including:

Strengthening opt-out rights (potentially a "global" one-click opt-out)
Clarifying exceptions for joint marketing and service provider sharing
Extending protections to digital wallet and fintech payment platforms
Considering opt-in requirements for sensitive data

CFP professionals should monitor these developments as changes could significantly affect how financial planning firms handle client information.

For CFP Professionals

Understanding consumer protection laws helps CFP professionals:

Maintain compliance with privacy notice and opt-out requirements
Protect client trust by properly safeguarding personal information
Recognize disclosure obligations before sharing client data with third parties
Navigate dual-registration requirements as state privacy laws evolve
Prepare for regulatory changes as GLBA modernization discussions continue

Test Your Knowledge

Under the Gramm-Leach-Bliley Act (GLBA), which type of information is NOT considered Nonpublic Personal Information (NPI)?

Account balances and transaction history

Social Security numbers provided on account applications

Telephone numbers listed in public directories

Income information provided to obtain a loan

Test Your Knowledge

A financial institution wants to share client information with a nonaffiliated third party for joint marketing purposes. Under GLBA, what must the institution do?

Always obtain prior written consent from the client

Provide opt-out notice and wait a reasonable period before sharing

Enter into a joint marketing agreement with confidentiality restrictions

Report the sharing arrangement to the SEC within 30 days

Test Your Knowledge

Which federal law enacted in 2015 created an exception allowing certain financial institutions to avoid providing annual privacy notices?

Dodd-Frank Act

FAST Act

Sarbanes-Oxley Act

Gramm-Leach-Bliley Act amendment

Up Next

A.5.1 Privacy and Confidentiality Requirements

Continue learning

Certified Financial Planner

1A. Professional Conduct and Regulation

2B. General Principles of Financial Planning

3C. Risk Management and Insurance Planning

4D. Investment Planning

5E. Tax Planning

6F. Retirement Savings and Income Planning

7G. Estate Planning

8H. Psychology of Financial Planning

Key Takeaways

Consumer Protection Laws

The Gramm-Leach-Bliley Act (GLBA)

What Is Nonpublic Personal Information (NPI)?

The Privacy Notice Framework

Opt-Out Rights

Exceptions to Opt-Out Requirements

GLBA Enforcement and State Law Developments

GLBA Modernization Discussions

For CFP Professionals