Client Alert: Amended Data Privacy Laws Impact Fintechs, Nonbank Mortgage Companies, and Other Nonbank Financial Services Companies

Nonbank mortgage companies, fintechs, online lenders, and many other non-depository GLBA financial institutions will soon be subject to comprehensive data privacy laws in Montana and Connecticut that previously exempted them. Over the past few months, both states have amended their data privacy regimes to remove GLBA entity-level exemptions, while leaving in place GLBA data-level exemptions and entity-exemptions for banks – a move bringing more state-level data privacy regulations in line with those found in California, Minnesota, and Oregon. As a result, impacted entities will need to understand what personal data they collect from residents of these states that is outside the scope of GLBA’s coverage and ascertain whether they trigger relevant thresholds for additional disclosures and obligations.

Montana’s Consumer Data Privacy Act

On May 8, 2025, the Montana governor signed S.B. 297 into law, significantly amending the Montana Consumer Data Privacy Act (“MCDPA”) and broadening its applicability.

Change in Scope.  Specifically, these amendments narrow the exemption for entities covered by the Gramm-Leach-Bliley Act (“GLBA”) to exempt only GLBA-covered data and chartered depository institutions. As a result, fintechs and nonbank mortgage companies are among the nonbank financial services companies that will be subject to the MCDPA to the extent that they collect or share any non-GLBA consumer personal information from Montanans.

Thresholds.  Montana has reduced the MCDPA’s applicable trigger thresholds; as a result, entities will be subject to data privacy obligations in Montana if they (1) control or process the data of at least 25,000 Montanans, or (2) control or process the personal data of at least 15,000 Montanans and make 25% of their gross annual revenue from selling personal data.

New Obligations.  Financial services companies subject to the MCDPA will be required to provide privacy notices related to their covered data and to effectuate consumer rights for Montana customers, including the right to access, correct, and delete their personal information; the right to opt out of sharing their personal data for targeted advertising or otherwise selling their data; and the right to opt out of profiling through their data.

Timing.  The amendments to the MCDPA take effect on October 1, 2025.

Connecticut’s Data Privacy Act

On June 25, 2025, Connecticut’s governor signed S.B. 1295 into law, amending the Connecticut Data Privacy Act (“CDPA”).

Change in Scope.  After the amendments take effect, fintechs and nonbank mortgage companies will be among the nonbank financial services companies that may be subject to the CDPA to the extent that they collect or share non-GLBA consumer personal information from Connecticut residents. An entity-level exemption will remain in place for insurers, banks, and investment advisors under the GLBA.

Thresholds.  Connecticut has lowered the applicable trigger thresholds for coverage under the CDPA to apply to companies that process the sensitive data of at least 35,000 state residents. The CDPA amendments, however, also eliminate the coverage trigger for companies that process the data of at least 25,000 state residents and make 25% of their gross annual revenue from selling personal data.  

New Obligations.  The CDPA will expand the definition of “sensitive data” to include, among other items, financial details (including financial account numbers, credit or debit card information) and government-issued identification numbers (including driver’s license numbers and Social Security numbers). Financial services companies and nonbank mortgage companies would be limited to collecting only what is “reasonably necessary and proportionate” to their disclosed purposes. Connecticut will also require controllers to assess whether consent is needed for a new processing purpose using different enumerated factors, including the use of safeguards (like data encryption), the consumer’s expectations, the controller’s relationship with the consumer, and the relationship between the new purpose and what was disclosed to the consumer.

Timing.  The CDPA amendments take effect on July 1, 2026.

Getting Prepared

Companies should take measures to understand whether and how the MCDPA and the CDPA apply before the amendments take effect, including:

  • Understanding whether they meet applicable thresholds.

  • Assessing whether they qualify for any exemptions.

  • Identifying the types of personal information that they collect and identifying any GLBA-covered data exempt from state-level obligations.

  • Reviewing and assessing privacy notices and disclosures to determine compliance.

For questions, please do not hesitate to contact Chris Napier and Shelby Schwartz.


About The Authors

 

Chris Napier is a Partner at Mitchell Sandler. His practice focuses on providing regulatory counseling, strategic advice and representation during government enforcement matters, including matters involving commercial, consumer and alternative credit products; money transmission and payments; deposit issues; and partnerships between fintech companies, depository institutions, and lenders.


Shelby Schwartz is Counsel at Mitchell Sandler. Her practice focuses on financial regulatory and compliance matters, with a concentration on deposit accounts, financial data privacy, and state lending laws. She advises a wide variety of financial services providers, from banks to financial technology companies. Shelby has successfully assisted clients in responding to regulatory inquiries and enforcement matters, including those brought by the Consumer Financial Protection Bureau, the Department of Justice, and various state regulators. She regularly assists clients in assessing their deposit account fee structures and deposit account agreements, analyzing data breach obligations, developing privacy policies, and developing financial products and services within appropriate regulatory models.
