CCPA Security FAQs: Does the CCPA open insurance companies to increased litigation?


The CCPA provides a partial exemption for information collected by financial institutions that are subject to the Gramm-Leach-Bliley Act (e.g., information about individuals who have obtained personal financial products from the institution). Insurance companies are generally considered “financial institutions” subject to the Gramm-Leach-Bliley Act, as well as any regulations imposed by state insurance commissioners pursuant to the Act. While the CCPA’s financial institution exemption provides some protection to insurers, that exemption does not apply to Section 1798.150 of the CCPA, which confers a private right of action on consumers to seek statutory damages against a business following a data security breach.[1] It is worth noting that the relatively narrow scope of the financial institution exemption within the CCPA contrasts with broader exemptions provided to financial institutions by other states. For example, the following compares the financial institution exemption provided in the CCPA with the broader exemption provided in Nevada’s online privacy statute:

CCPA: Statute does not apply to “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations . . . . This subdivision shall not apply to Section 1798.150 [the data breach right of action of the CCPA].”[2]

Nevada Online Privacy Notice Statute: Statute does not apply to “A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., and the regulations adopted pursuant thereto.”[3]