CCPA exemptions: What to include in your compliance strategy

Do you know whether the personal information you gather requires protection under the California Consumer Privacy Act? Many businesses are unclear about exempt and regulated data types.

The CCPA is a complex regulation with strict requirements and exemptions for many forms of data. Knowing how to classify data is a critical part of CCPA compliance, but it is not always simple.

This article explains CCPA exemptions. We will discuss which types of organizations the regulations cover and which data types are exempt from the CCPA, and help you design an effective CCPA compliance strategy.

What are CCPA exemptions?

The California Consumer Privacy Act aims to be comprehensive, but it does not cover every business in the State of California. Some forms of data processing are exempt from the CCPA, while others are tightly regulated.

CCPA compliance can be expensive, so it makes sense to understand CCPA exemptions before amending your privacy and data security systems.

One critical starting point is that CCPA exemptions do not apply to the data breach liability rule. Companies that fail to implement reasonable data security controls will likely face penalties, regardless of how they gather or use personal information.

CCPA exemptions relate to how companies collect, store, and use personal information. These exemptions generally cover areas already regulated by other legislation. They do not grant freedom to use consumer data however companies desire.

Who is exempt from CCPA?

Firstly, it's essential to establish whether your business falls under CCPA compliance regulations. CCPA applies to companies active in California that:

  • Earn gross annual revenues exceeding $25 million.
  • Process the personal information of over 100,000 California residents, devices, or households (not just individuals).
  • Earn over 50% of their income by processing or selling the personal information of California residents.

If your business does not meet those thresholds, you do not currently need to comply with CCPA. The regulations also exempt certain types of organizations, including:

  • Government agencies: CCPA does not require government bodies to meet consumer requests or guarantee consumer privacy. However, businesses may need to disclose if they have data-sharing or gathering arrangements with government agencies.
  • Nonprofits: Charities and other not-for-profit organizations are exempt from the CCPA. The regulations generally cover for-profit businesses. However, nonprofits may need to comply if they routinely share personal information or branding with businesses. For example, charities run by corporations should comply.
  • Insurers: Insurance providers already regulated under the Insurance Information and Privacy Protection Act (IIPPA) are exempt from CCPA.

Some economic sectors have partial exemptions. For example, healthcare providers and insurers are already regulated by the Health Insurance Portability and Accountability Act (HIPAA). Safeguarding protected health information falls under HIPAA, but CCPA still applies to other forms of customer data.

Data types that are exempt from CCPA

Grey areas like healthcare make it vital to know which data types are exempt. Companies must understand what data they collect. This makes it possible to determine whether that information is subject to CCPA compliance, falls under other regulations, or is not subject to privacy laws at all.

Data exempt from the CCPA falls into several categories, including:

Data collected "wholly outside" California

Data relating to individuals, devices, or households outside California's boundaries is not covered by CCPA. Personal information is deemed "wholly outside" CCPA requirements if it meets three criteria:

  • Data collection occurs outside of California
  • Data is not sold inside the state of California
  • Data collected while the individual is in California is not sold or shared

Compliance requires systems that detect each customer's location and implement privacy controls if they cross state boundaries.

Data relating to business relationships

Under CCPA requirements, contact information used in B2B relationships is partially exempt. Data shared during B2B communications is exempt from requirements to access, delete, and opt out of data sharing, provided that personal information is used during due diligence and for legitimate business purposes.

For instance, companies routinely share the personal information of local salespeople or support partners. The contact details of these professionals would not fall under CCPA protection. Data breaches involving their personal data are still covered, though.

Information about employees

Data shared during business-to-employee (or employer-to-employee) relationships is exempt from the CCPA. For example, the act does not regulate information about job applications and hiring processes. Information about employees and business contractors is also exempt.

However, employers must inform employees when they collect personal information. Employees can also take legal action against employers when data breaches occur.

Healthcare exemptions

As mentioned earlier, data regulated by HIPAA is exempt from the CCPA but is covered by federal laws. The CCPA does not directly safeguard the PHI of California residents. However, covered entities must protect any other personal information collected about customers. A solid understanding of what constitutes protected health information is critical.

Warranties and product recalls

The CCPA exempts most personal information relating to product warranties and recalls. If data is part of managing warranties or recalling hazardous products, privacy requirements do not apply. However, CCPA does apply if companies share warranty data with, or sell it to, third parties. Businesses must be careful when storing and using customer records to avoid breaching this rule.

Gramm-Leach-Bliley Act (GLBA) exemptions

GLBA safeguards the privacy of customers who use financial institutions. As with HIPAA-covered entities, financial institutions are exempt from some CCPA privacy requirements.

Any personally identifiable information regulated by GLBA is exempt from CCPA. The flip side of this exemption is that all other customer data gathered by financial institutions is subject to CCPA and requires protection.

Fair Credit Reporting Act (FCRA) exemptions

The Fair Credit Reporting Act regulates the privacy of customers of consumer reporting agencies like Equifax or Experian. As with other regulations, personal information protected under FCRA enjoys exemption under California law.

FCRA handles critical issues like resolving disputes and accessing or deleting data. However, consumer reporting agencies must inform California residents if they collect and share personal information.

Clinical trials

CCPA seeks to protect consumer privacy while enabling the collection and scientific use of medical information.

Section 164.501 of the CCPA Common Rule exempts medical information used in trials. This data falls under HIPAA or the Federal Policy for the Protection of Human Subjects. However, organizations in California must obtain written testimony that research activities meet the requirements of these laws.

Information about drivers

Some classes of driver information are also exempt under CCPA, provided they are covered by alternative Federal laws. For instance, data regulated by the Driver’s Privacy Protection Act (DPPA) is exempt from CCPA. This includes driver's license and vehicle registration data.

Completing transactions

Exemptions apply in the special case when customers complete transactions with businesses.

For example, delivery services with standing orders for weekly shipments do not need to remove payment or identification data. As long as the contract lasts, the company has a "reasonable anticipation" that data is essential to complete an ongoing contract and meet its legal obligations.

Conclusion: Assess CCPA exemptions to ensure compliance

There are many CCPA exemptions affecting sectors as diverse as finance, healthcare, academic research, and even secondhand vehicle sales. Companies must determine which data falls under federal laws and what requires protection under California law.

In practice, companies should secure all personal information and safeguard customer privacy. Personal data exempt under CCPA most likely falls under HIPAA or GLBA. The bottom line is that businesses need robust data breach protection, consent systems, and processes to enable consumer requests.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consult a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.