The California Consumer Privacy Act (CCPA) gives California residents rights over their personal information. However, the law includes specific exemptions that relieve certain businesses or types of data from some or all compliance obligations under the CCPA. These exemptions are vital for businesses to understand, as they can significantly impact compliance strategies and costs. This article delves into the top CCPA exemptions, explaining when they apply and what they mean for your business.
What are CCPA exemptions, and how do they work?
CCPA exemptions are provisions within the law that specify when and where the CCPA does not apply or applies with conditions. These exemptions aim to balance consumer privacy rights with practical considerations for businesses, avoiding undue regulatory burdens in situations where CCPA compliance is less critical. By understanding these exemptions, businesses can make informed decisions about their data-handling practices and reduce unnecessary compliance costs.
Seven key situations where the CCPA does not apply
Here are seven CCPA exemptions where the law does not apply.
#1 Certain business types
Businesses below CCPA thresholds
For-profit businesses that do business in California are exempt from the CCPA if they meet none of its three thresholds (as amended by the CPRA, effective 1 January 2023):
- Annual gross revenue over $25 million (adjusted for inflation; the figure is revised periodically by the California Privacy Protection Agency),
- Annually buying, selling, or sharing the personal information of 100,000 or more consumers or households (the pre-CPRA threshold of 50,000 consumers, households, or devices no longer applies),
- Deriving 50% or more of annual revenue from selling or sharing consumers’ personal information.
For example, small businesses with low revenue and minimal data collection are typically exempt.
Nonprofits
Nonprofit organisations are exempt from the CCPA because they are not considered “businesses” under the law. This includes charities, educational institutions, and other nonprofit entities. However, nonprofits must still comply if they are either:
- Controlled by (or controlling) a CCPA-regulated business, sharing common branding with it, and receiving consumers’ personal information from it.
- A joint venture or partnership made up of businesses in which each business holds at least a 40% interest.
Government agencies
Federal, state, and local government agencies are not “businesses” under the CCPA because they are not operated for profit, so the law’s requirements do not apply to the personal information they collect and use for official purposes, such as public safety or regulatory compliance.
Insurance institutions, agents, and support organisations
Insurance institutions, agents, and support organisations regulated by California’s Insurance Information and Privacy Protection Act (IIPPA) are exempt for the personal information they collect and process subject to that Act. Note that the IIPPA is a California statute, not a federal one.
#2 Data regulated by other federal laws
Health Insurance Portability and Accountability Act (HIPAA)
The CCPA does not apply to protected health information (PHI) collected by covered entities or their business associates under HIPAA, nor to medical information governed by California’s Confidentiality of Medical Information Act (CMIA). PHI is individually identifiable information about a person’s health condition, the healthcare they receive, or payment for that care. The exemption is tied to the data, not the organisation: other personal information these entities hold, such as employee or marketing data, may still be subject to the CCPA.
Gramm-Leach-Bliley Act (GLBA)
Personal information collected, processed, sold, or disclosed subject to the GLBA (or to the California Financial Information Privacy Act) is exempt from the CCPA. This covers nonpublic personal information (NPI) that financial institutions such as banks, lenders, and insurers obtain in providing financial products or services, for example loan details or credit reports. Data outside those services, such as personal information collected for a non-financial product or website analytics, may still be covered. The exemption also does not extend to the CCPA’s private right of action for data breaches (Section 1798.150), so inadequate security for NPI remains actionable under California law.
Fair Credit Reporting Act (FCRA)
The CCPA exempts activity regulated by the FCRA: the collection, maintenance, disclosure, sale, or use of information bearing on a consumer’s creditworthiness by a consumer reporting agency (such as a credit bureau), by a furnisher of that information, or by a user of a consumer report, provided the information is used only as the FCRA authorises. This covers activities such as credit reporting, employment background checks, and tenant screening. However, the exemption does not extend to the CCPA’s data breach private right of action, so these entities cannot avoid liability for inadequate cybersecurity practices.
#3 Information collected and used entirely outside of California
The CCPA does not restrict a business from collecting, selling, or sharing a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside California. For this exemption to apply:
- The business collected the information while the consumer was outside California.
- No part of the sale or sharing of the consumer’s information occurred in California.
- No personal information collected while the consumer was in California is sold or shared.
The statute closes an obvious loophole: a business may not store personal information (including on the consumer’s device) while the consumer is in California and then “collect” it once the consumer and the stored data are outside the state. This exemption is particularly relevant for businesses with operations both within and outside California, but relying on it requires careful data management to prove where collection actually took place.
#4 Clinical trial data
Information collected as part of a clinical trial or other biomedical research study subject to the Federal Policy for the Protection of Human Subjects (the Common Rule), or conducted in accordance with good clinical practice guidelines or FDA human subject protection rules, is exempt from the CCPA. This ensures that medical research follows federal ethical standards without conflicting with state privacy law. Personal information the same business collects in other contexts, such as marketing or recruitment outside the study, must still comply with the CCPA.
#5 Vehicle data shared for warranties and recalls
The CCPA exempts vehicle information and ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer when it is shared to carry out, or in anticipation of, a vehicle repair covered by a warranty or recall. For example, personal information a dealer passes to the manufacturer so that the owner can be notified of a recall is exempt. The data is exempt only if it is not sold, shared, or used for any purpose other than fulfilling the warranty or recall repair.
#6 Compliance with Legal Processes and Law Enforcement
Legal obligations
The CCPA’s obligations do not restrict a business’s ability to collect or retain personal information in order to comply with federal, state, or local law, or to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons. Businesses must ensure that such data is used strictly for its legal purpose. The CCPA also allows businesses to collect, use, retain, sell, share, or disclose personal information to exercise or defend legal claims.
Law enforcement cooperation
Businesses are likewise not restricted when cooperating with law enforcement agencies concerning conduct or activity they reasonably and in good faith believe may violate federal, state, or local law, or when responding to requests necessary for child welfare, foster care, adoption, or parental support programmes.
#7 Deidentified or aggregate consumer information
The CCPA does not restrict the collection, use, retention, sale, sharing, or disclosure of:
Deidentified personal information
Information that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer. To qualify, the business must take reasonable measures to ensure the data cannot be associated with a consumer or household, publicly commit to maintaining it in deidentified form and not to attempt reidentification, and contractually bind any recipient to the same terms. Merely removing names is not enough.
Aggregate consumer information
Information that relates to a group or category of consumers, from which individual identities have been removed, and that is not linked or reasonably linkable to any consumer or household, including via a device.
Implications of CCPA exemptions for businesses
Understanding these exemptions helps businesses determine their legal obligations under the CCPA and streamline their compliance efforts. Companies that qualify for one or more exemptions can focus on areas where the CCPA still applies, such as responding to data breaches, issuing privacy notices, and addressing consumer requests for access, deletion, or correction. However, businesses should not assume a blanket exemption and must assess each data type and activity individually.
How to determine if your business qualifies for CCPA exemptions?
To find out if your business qualifies for CCPA exemptions:
- Review the data you handle: Identify whether any personal information you collect falls under exempt categories such as PHI, NPI, or data regulated by the FCRA, and map which systems hold it, since the exemptions attach to the data rather than to the whole organisation.
- Assess your business status: Determine whether your organisation is a nonprofit, a government agency, or falls below all three CCPA thresholds for revenue, volume of personal information, and revenue from selling or sharing data.
- Stay informed: Keep up with changes to the CCPA and CPRA. The temporary exemptions for employee and business-to-business data expired on 1 January 2023, so that information is now fully in scope.
Documentation and compliance requirements
Even if a business is exempt from specific CCPA requirements, maintaining proper documentation is crucial to demonstrate compliance:
- Record your data practices: Keep detailed records of what personal information you collect, how it is used, and which exemptions apply.
- Provide clear notices: A business that is exempt only for some of its data (for example, NPI under the GLBA) must still provide CCPA notices for the personal information that remains in scope, specifying what is collected and for what purpose.
- Consult legal experts: Seek legal advice to ensure your understanding of exemptions is accurate, and your compliance strategy aligns with both federal and state laws.
Conclusion
The CCPA exemptions help businesses manage compliance more effectively. By understanding which activities, data types, or business models qualify for exemptions, companies can reduce regulatory burdens, avoid penalties, and maintain consumer trust. However, even exempt businesses should carefully document their practices and stay updated on any legislative changes.
FAQs on CCPA exemptions
Who is exempt from the CCPA?
The CCPA does not apply to for-profit businesses below all of its thresholds, to nonprofits, or to government agencies. It also exempts specific categories of data regulated by other laws, such as PHI under HIPAA, NPI under the GLBA, consumer report information under the FCRA, and insurance information under California’s IIPPA.
Does the CCPA apply to consumer reporting agencies?
The CCPA exempts activity regulated by the FCRA, including the use of personal information for credit reports, employment background checks, and tenant screening, provided the information is used only as the FCRA authorises. Consumer reporting agencies must still meet California’s data security standards and remain liable under the CCPA’s data breach provisions.
When can a business refuse a deletion request?
A business may decline to delete personal information when it is needed to complete the transaction for which it was collected, to ensure security and integrity, to debug or repair errors, to exercise free speech, to comply with the California Electronic Communications Privacy Act, to conduct certain research, to comply with a legal obligation, or for internal uses reasonably aligned with the consumer’s expectations based on their relationship with the business.
Are any industries exempt from the CCPA?
Partly. The CCPA exempts data regulated by other laws rather than whole industries: PHI held by healthcare entities under HIPAA, NPI held by financial institutions under the GLBA, and consumer report information under the FCRA. Insurance institutions, agents, and support organisations are exempt for information regulated by California’s IIPPA. Personal information these organisations collect outside those regimes may still be covered.
Are nonprofits exempt from the CCPA?
Yes, nonprofit organisations are generally exempt because they are not considered “businesses” under the CCPA. However, a nonprofit must comply if it controls or is controlled by a CCPA-regulated business, shares common branding with it, and receives consumers’ personal information from it, or if it is part of a joint venture or partnership in which each business holds at least a 40% interest.
What types of personal information are exempt from the CCPA?
Exempt types of personal information include protected health information (PHI) under HIPAA and medical information under the CMIA, nonpublic personal information (NPI) under the GLBA, information regulated by the FCRA, clinical trial data, deidentified or aggregate consumer information, vehicle information shared between dealers and manufacturers for warranty or recall repairs, and information collected or retained to meet legal obligations.