Security compliance Designing security programs Security compliance Designing security programs CPRA

What are the exceptions to CCPA?

  • copy-link-icon

    Copy URL

  • facebook-icon
  • linkedin-icon

You may already know the basics of the California Consumer Privacy Act (CCPA) and understand which types of information it regulates. But, do you know about CCPA exceptions? That’s right, the CCPA exempts certain companies and data types. To find out if your company or any of the information you handle is exempt from the CCPA, read on. 

First and foremost, let’s look at who needs to comply with the CCPA and which companies are exempt. As currently written, the CCPA and its regulations apply to entities both within and outside of California that engage in transactions with Californians for the purpose of financial gain or that collect any information — called personally identifiable information, or PII — from California residents.

Who’s considered a California resident? ​​According to Section 17014 of Title 18, a California resident is anyone in the state for a purpose that is not transitory or temporary.

If a company does collect PII from California residents and meets one or more of the following thresholds, they also must abide by the CCPA:

  • Has an annual gross revenue of over $25 million USD
  • Derives 50% or more of its annual revenues from selling consumers’ PII
  • Holds data containing personally identifiable information of 50,000 or more Californian consumers, households, or devices

So, if your business doesn’t collect any information from California residents — or it does but it doesn’t fall into any of these three thresholds — then the CCPA doesn’t apply to you.

In addition to company exceptions, there are also CCPA exemptions for data based on the type of information that a business collects and the type of individual from whom the information comes. Let’s take a quick look at each data exemption:

Information collected and used “wholly outside” of California

Data is exempt if the actions pertaining to it take place wholly outside of California. Specifically, the CCPA defines data as exempt if the conduct around it meets the following criteria:

    • A business collects information while a consumer is outside of California.
    • No part of the sale of a consumer’s personal information occurs in California.
    • No personal information collected while a consumer is in California is sold.

To take advantage of this CCPA exception, companies must establish means by which to determine if and when consumers are outside the state of California.

Employee information

The CCPA exempts employee information used solely in the context of the employer-employee relationship. This includes data from the following sources:

    • Hired staff members and employees (including directors and officers)
    • Independent contractors and business members
    • Applicants to a job

Employee information used outside of these contexts may be subject to full applicability of the CCPA.

While employers don’t need to provide an opt-out option or fulfill delete requests from employees, they do need to provide notice to employees when or before their information is collected. Furthermore, employees have the private right to action in the event of a data breach.

Business relationship information

Next up: business relationship information. The CCPA states that business-to-business (B2B) contact information handled solely in the context of due diligence — or situations where a product or service is provided or received — is partially exempt from the CCPA. However, to qualify for this exemption, the product or service in question must have already been CCPA exempt.

Regardless, businesses must still provide the other party with the right to opt-out of having their information sold and comply with the nondiscrimination provision. Similar to employees, businesses also have the right to take action should their information be involved in a data breach.

Information pertaining to warranties and recalls

This exemption states that businesses — across all industries — don’t have to delete warranty or recall information. As it specifically relates to new car dealers and buyers, the exemption establishes that vehicle or ownership information may be kept and shared between dealers and manufacturers and doesn’t require an opt-out option. In other words, if the information is used to contact buyers about vehicle repairs in the case of a warranty or recall — and isn’t sold, shared, or used for any other purpose — it qualifies for this exemption.

Information subject to other state and federal laws

Certain information is also exempt from the CCPA if it is subject to other state and federal laws. However, it’s important to note that the CCPA doesn’t exempt entities subject to such state and federal laws altogether. For example, entities aren’t exempt from the CCPA or statutory damages as a result of a data breach.

Protected health information (PHI) and medical information

All PHI collected by covered entities and business associates subject to HIPAA is exempt, as is all medical information subject to California’s Confidentiality of Medical Information Act (CMIA).

The CCPA also exempts any patient information to the extent a covered entity or healthcare provider maintains the patient information in the same manner as PHI or medical information. However, any information that falls outside the realm of PHI and medical information — like employment or website visitor information — will still be subject to the CCPA.

Clinical trials

The CCPA exempts information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.

Financial information

Also exempt from the CCPA is information processed pursuant to the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (CalFIPA). As with PHI and medical information, however, companies won’t be exempt from liability in the event of a data breach.

Consumer reporting information

As long as the activity is authorized by the Fair Credit Reporting Act (FCRA), the CCPA exempts any activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information subject to it. Once again, this exemption doesn’t apply to the data breach liability provision.

Driver information

Last but not least, data processed pursuant to the Driver’s Privacy Protection Act of 1994 (DPPA) also qualifies as an exemption. Like with other types of exempt information, entities aren’t altogether exempt and won’t be protected in the event of a breach.

Is your head spinning yet? We get it. Keeping track of all of these exemptions can be mind-numbing. Thankfully, Strike Graph’s platform simplifies the CCPA / CPRA compliance process.

Our library of CCPA / CPRA-applicable policies and controls means you don’t have to write a ton of documentation from scratch, while our dashboard helps you maintain your company's CCPA / CPRA compliance with automatic notifications and status updates. This allows you to know with certainty you’re safe from fines, all while building trust with your customers.

Keep up to date with Strike Graph.

The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.