Yes.

While the CCPA provides a partial exemption for information collected by financial institutions that is subject to the Gramm Leach Bliley Act (e.g., information about individuals who have obtained personal financial products from the institution), that exemption does not apply to Section 1798.150 of the CCPA which confers a private right of action on consumers to seek statutory damages against a business following a data security breach.1 It is worth noting that the relatively narrow scope of the financial institution exemption within the CCPA contrasts with broader exemptions provided to financial institutions by other states. For example, the following compares the financial institution exemption provided in the CCPA with the broader exemption provided in Nevada’s online privacy statute: