
CCPA Exemptions: 7 Key Cases Where the Law Doesn’t Apply

By m0040 September 6, 2024

The California Consumer Privacy Act (CCPA) gives California residents rights over their personal information. However, the law includes specific exemptions that relieve certain businesses or types of data from some or all compliance obligations under the CCPA. These exemptions are vital for businesses to understand, as they can significantly impact compliance strategies and costs. This article delves into the top CCPA exemptions, explaining when they apply and what they mean for your business.

What are CCPA exemptions, and how do they work?

CCPA exemptions are provisions within the law that specify when and where the CCPA does not apply or applies with conditions. These exemptions aim to balance consumer privacy rights with practical considerations for businesses, avoiding undue regulatory burdens in situations where CCPA compliance is less critical. By understanding these exemptions, businesses can make informed decisions about their data-handling practices and reduce unnecessary compliance costs.

Seven key situations where the CCPA does not apply

Here are seven CCPA exemptions where the law does not apply.

Please note that the CCPA was amended by the California Privacy Rights Act (CPRA), passed in November 2020, with most of its changes taking effect on January 1, 2023. The CPRA added consumer rights and also adjusted several of the exemptions described below, so older summaries of the exemptions may be out of date.

#1 Certain business types

Businesses below CCPA thresholds

The CCPA applies to for-profit entities that do business in California, collect personal information, and meet at least one of three thresholds. A business that meets none of them is outside the law. The thresholds, as amended by the CPRA, are:

  • Annual gross revenue above $25 million (the figure is adjusted for inflation; as of 2023 it is $25,625,000),
  • Annually buying, selling, or sharing the personal information of 100,000 or more consumers or households (the pre-CPRA threshold of 50,000 consumers, households, or devices no longer applies),
  • Deriving 50% or more of annual revenue from selling or sharing personal information.

Meeting any one threshold is enough. For example, a small business with low revenue that neither sells data nor handles 100,000 consumers' personal information is typically exempt, but a low-revenue data broker that earns most of its income from selling personal information is not.

Nonprofits

Nonprofit organisations are exempt from the CCPA because they are not considered “businesses” under the law, which covers only entities organised or operated for profit. This includes charities, nonprofit educational institutions, and similar entities. However, a nonprofit is pulled into the CCPA if it is either:

  • Controlled by, or under common control with, a CCPA-regulated business and shares common branding with it (and, under the CPRA, shares consumers' personal information with it).
  • A joint venture or partnership composed of businesses that each hold at least a 40% interest.

Government agencies

Federal, state, and local government agencies fall outside the CCPA for the same reason as nonprofits: they are not for-profit “businesses” as the law defines the term. Their collection and use of personal information for official purposes, such as public safety or regulatory work, is governed by other laws rather than by the CCPA.

Insurance institutions, agents, and support organisations

Insurance institutions, agents, and insurance-support organisations regulated by California’s Insurance Information and Privacy Protection Act (IIPPA) are exempt, an exemption added by the CPRA. The exemption covers the insurance-related information those entities handle under the IIPPA; personal information they process outside that regime (for example, website visitor data) can still fall under the CCPA.

#2 Data regulated by other federal laws

Health Insurance Portability and Accountability Act (HIPAA)

The CCPA does not apply to protected health information (PHI) handled by HIPAA covered entities (such as healthcare providers and health plans) or their business associates. PHI is individually identifiable health information about a person’s health condition, the healthcare they receive, or payment for that care. This exemption is specific to PHI. Other personal data collected by these entities, such as employee, website, or marketing data, can still be subject to the CCPA.

Gramm-Leach-Bliley Act (GLBA)

The GLBA governs how financial institutions, such as banks, lenders, and insurers, handle nonpublic personal information (NPI) about their customers, for example loan details, account information, or credit reports collected in the course of providing financial services. Personal information that is collected, processed, sold, or disclosed subject to the GLBA (or California’s Financial Information Privacy Act) is exempt from the CCPA. The exemption applies to the data, not to the institution: personal information from non-financial products, website analytics, or marketing lists may still be covered. The exemption also does not extend to the CCPA’s private right of action for data breaches, so a breach of unencrypted, unredacted NPI caused by a failure to maintain reasonable security can still give rise to CCPA liability.

Fair Credit Reporting Act (FCRA)

The CCPA exempts activities regulated by the FCRA, such as credit reporting, background checks, and tenant screening, when carried out by consumer reporting agencies (like the credit bureaus), by businesses that furnish information to them, or by users of consumer reports, provided the information is used and disclosed only as the FCRA authorises. Like the GLBA exemption, this is an activity-based exemption rather than a blanket one, and it does not cover the CCPA’s data breach provisions: these entities cannot avoid liability for inadequate cybersecurity practices.

#3 Information collected and used entirely outside of California

The CCPA does not apply to the collection or sale of a consumer’s personal information when every aspect of that commercial conduct takes place wholly outside California. For this exemption to apply, all three conditions must hold:

  • The business collected the information while the consumer was outside California.
  • No part of the sale of the consumer’s information occurred in California.
  • No personal information collected while the consumer was in California is sold.

The law closes an obvious loophole: a business cannot store personal information (including on the consumer’s device) while the consumer is in California and then “collect” it once the consumer and the stored data are outside the state. This exemption is particularly relevant for businesses with operations both within and outside California, but it requires careful data management, such as tracking where data was collected, to prove that it applies.

#4 Clinical trial data

Data collected as part of a clinical trial or other biomedical research subject to the Federal Policy for the Protection of Human Subjects (the Common Rule), ICH good clinical practice guidelines, or FDA human subject protection requirements is exempt from the CCPA. This exemption ensures that medical research follows federal ethical standards without conflicting with state privacy law. However, businesses must still ensure that data collected outside the research context, such as recruitment or marketing data, complies with the CCPA.

#5 Data collected for warranties and recalls

This exemption is narrower than it is often described. The CCPA exempts vehicle information and ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer when it is shared to carry out, or in anticipation of, a vehicle repair covered by a warranty or a recall. For example, ownership records a dealer passes to the manufacturer so that owners can be notified of a recall are exempt. The exemption is lost if the dealer or manufacturer sells or shares the information, or uses it, for any other purpose. It does not cover warranty or recall data for products in general.

#6 Compliance with Legal Processes and Law Enforcement

Legal obligations

The CCPA does not restrict a business from collecting or retaining personal information it needs to comply with federal, state, or local laws, or to respond to a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons. Businesses should ensure that such data is used strictly for its legal purpose. The CCPA also allows businesses to collect, use, retain, sell, share, or disclose personal information to exercise or defend legal claims.

Law enforcement cooperation

The CCPA also does not restrict a business from cooperating with law enforcement agencies concerning conduct or activity that the business reasonably and in good faith believes may violate the law, or from responding to requests necessary for child welfare, foster care, adoption, or parental support programmes.

#7 Deidentified or aggregate consumer information

The CCPA does not restrict a business’s ability to collect, use, retain, sell, share, or disclose:

Deidentified information

Information that cannot reasonably be used to infer information about, or otherwise be linked to, an identifiable consumer. “Deidentified” is a defined term with conditions attached: the business must take reasonable measures to ensure the information cannot be associated with a consumer or household, publicly commit to maintaining it in deidentified form and not attempting to reidentify it, and contractually require any recipients to do the same. Simply stripping names from a dataset does not make it deidentified in the CCPA sense.

Aggregate consumer information

Information that relates to a group or category of consumers, from which individual identities have been removed, and that is not linked or reasonably linkable to any consumer or household, including via a device.

The CCPA previously exempted personal information collected in the context of employment and business-to-business (B2B) transactions. However, this exemption expired on January 1, 2023.

Implications of CCPA exemptions for businesses

Understanding these exemptions helps businesses determine their legal obligations under the CCPA and streamline their compliance efforts. Companies that qualify for one or more exemptions can focus on areas where the CCPA still applies, such as responding to data breaches, issuing privacy notices, and addressing consumer requests for access, deletion, or correction. However, businesses should not assume a blanket exemption and must assess each data type and activity individually.

How to determine if your business qualifies for CCPA exemptions?

To find out if your business qualifies for CCPA exemptions:

  • Review the data you handle: Identify if any personal information you collect falls under exempt categories like PHI, NPI, or data protected by the FCRA.
  • Assess your business status: Determine if your organisation is a nonprofit, government agency, or falls below the CCPA thresholds for revenue, data handling, or revenue from data sales.
  • Stay informed: Keep up with changes to the CCPA and CPRA, including the regulations issued by the California Privacy Protection Agency. Exemptions can be temporary, as the former employee and B2B exemptions showed when they expired on January 1, 2023.


Documentation and compliance requirements

Even if a business is exempt from specific CCPA requirements, maintaining proper documentation is crucial to demonstrate compliance:

  • Record your data practices: Keep detailed records of what personal information you collect, how it is used, and which exemptions apply.
  • Provide clear notices where the CCPA still applies: most exemptions cover particular data or activities rather than the whole business, so a notice at collection and privacy policy are still required for the personal information that remains in scope, stating what is collected and how it is used.
  • Consult legal experts: Seek legal advice to ensure your understanding of exemptions is accurate, and your compliance strategy aligns with both federal and state laws.

Conclusion

The CCPA exemptions help businesses manage compliance more effectively. By understanding which activities, data types, or business models qualify for exemptions, companies can reduce regulatory burdens, avoid penalties, and maintain consumer trust. However, even exempt businesses should carefully document their practices and stay updated on any legislative changes.

FAQs on CCPA exemptions

Who does the CCPA not apply to?

The CCPA does not apply to for-profit businesses below its thresholds, nonprofits, or government agencies. Separately, it does not apply to particular data or activities already regulated by other laws, such as PHI under HIPAA, NPI under the GLBA, and FCRA-regulated activities, and it exempts insurance entities regulated by California’s IIPPA. Note that the HIPAA, GLBA, and FCRA exemptions cover data and activities, not the organisation as a whole.

What is the CCPA exemption from the FCRA?

The CCPA exempts activities involving personal information that are regulated by the FCRA, such as the preparation and furnishing of consumer reports by consumer reporting agencies, furnishers, and users, provided the information is used and disclosed only as the FCRA authorises. The exemption does not extend to the CCPA’s data breach provisions, so these entities must still maintain reasonable security for California consumers’ personal information.

What are the exceptions to the CCPA right to deletion request?

A business may decline a deletion request where retaining the information is necessary to complete the transaction or perform a contract with the consumer, to help ensure security and integrity, to debug or repair errors, to exercise free speech or another legal right, to comply with a legal obligation (including the California Electronic Communications Privacy Act), to conduct certain research in the public interest, or to enable solely internal uses that are reasonably aligned with the consumer’s expectations based on their relationship with the business.

Are there any industry-specific exemptions to the CCPA?

Yes, though mostly at the level of data and activities rather than whole industries: PHI handled by HIPAA covered entities and business associates, NPI handled under the GLBA, and activities regulated by the FCRA are exempt, while other personal information those organisations process can remain in scope. Insurance institutions, agents, and support organisations regulated by California’s IIPPA are exempt as entities.

Are nonprofit organisations exempt from the CCPA?

Yes, nonprofit organisations are generally exempt because they are not considered “businesses” under the CCPA. However, they are covered if they are controlled by (or under common control with) a CCPA-regulated business and share common branding and personal information with it, or if they are a joint venture or partnership in which each participating business holds at least a 40% interest.

What types of personal information are exempt from CCPA requirements?

Exempt types of personal information include protected health information (PHI) under HIPAA, nonpublic personal information (NPI) under the GLBA, information handled in FCRA-regulated activities, deidentified or aggregate consumer information, clinical trial data, vehicle information shared between dealers and manufacturers for warranty repairs or recalls, and information collected or retained to meet legal obligations.

m0040

Shreya is the Senior Content Writer at CookieYes, making sure every piece of content is engaging and audience-focused. Off the clock, you’ll find her happily lost in the world of fiction.
