CCPA Security FAQs: Does the CCPA open financial institutions to increased litigation?


While the CCPA provides a partial exemption for information collected by financial institutions that is subject to the Gramm-Leach-Bliley Act (e.g., information about individuals who have obtained personal financial products from the institution), that exemption does not apply to Section 1798.150 of the CCPA, which confers a private right of action on consumers to seek statutory damages against a business following a data security breach.[1] It is worth noting that the relatively narrow scope of the financial institution exemption within the CCPA contrasts with broader exemptions provided to financial institutions by other states. For example, the following compares the financial institution exemption provided in the CCPA with the broader exemption provided in Nevada’s online privacy statute:

CCPA: Statute does not apply to “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations . . . . This subdivision shall not apply to Section 1798.150 [of the CCPA].”[2]

Nevada Online Privacy Notice Statute: Statute does not apply to “A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., and the regulations adopted pursuant thereto.”[3]