CCPA Exemptions: What Isn’t Covered Under the Data Privacy Law

September 06, 2022

Author: Anna Fitzgerald, Senior Content Marketing Manager at Secureframe

Reviewer: Cavan Leung, Senior Compliance Manager at Secureframe

The California Consumer Privacy Act (CCPA) was passed to protect the data privacy and security of California residents. 

Companies that aren’t physically located in California or the United States can still fall within the scope of CCPA. That means businesses all over the world may need to comply with CCPA requirements.

There are exemptions, however. Keep reading to learn which organizations and types of data are exempt from this data privacy law.

Which organizations must comply with the CCPA?

Any for-profit organization that collects the personal information of California residents and meets one of the following threshold requirements must comply with the CCPA:

  • Exceeds $25 million in annual gross revenue: All global revenues count toward the $25 million, not just revenue from California. That means national and multinational organizations that process personal information about a small number of California residents could fall under the law. 
  • Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices: This total might encompass the number of records of personal information an organization purchased from a data broker, the number of website visitors it had in the past year, and/or the number of contacts in its CRM. 
  • Earns 50% or more of its annual revenue from selling personal data: Revenue connected to interest-based advertising, like retargeting ads, counts toward this percentage.

[Figure: Flowchart to determine whether CCPA applies to your business]

Example

Because the CCPA’s scope is defined by California residents’ personal data, this legislation may impact businesses all over the world. However, many businesses underestimate its reach.

Let’s take a look at an example of a business that must comply with the CCPA below. This is based on a CCPA enforcement case example posted by the Office of the Attorney General in California. 

A business that provides an online dating platform is based in Colorado. It sells the personal information of over 50,000 users who have an account. These users live all over the country, including in California. Does the CCPA apply to this business?

Yes, the CCPA applies to this business because it collects and sells the personal information of more than 50,000 consumers, some of whom live in California.

Why were CCPA exemptions created?

Under the CCPA, the definitions of personal information, business, and consumer are broad. For example, the term “consumer” refers to any California resident — not just customers. This brings up complicated questions, like whether the personal information of employees and job applicants is subject to the CCPA. If it were, then managing this personal information would increase the compliance burden on businesses, especially those with limited resources. 

In order to address these complexities, the California legislature added exemptions to the CCPA, some of which are temporary.

In 2019, the CCPA was amended to include temporary exemptions for employee personal information and B2B communications. These temporary exemptions were extended with the passage of the California Privacy Rights Act (CPRA) and are currently set to expire on January 1, 2023. However, in February 2022, two bills were introduced to extend the timeline of the exemptions either until January 1, 2026 or indefinitely.

Let’s take a closer look at which businesses and categories of personal information are exempt from the CCPA.

Which businesses are exempt from the CCPA?

There are a few businesses that are wholly exempt from the CCPA as it is currently written — even if they collect the personal information of California residents and meet one of the threshold requirements described above. These businesses are:

  • Nonprofits: Nonprofits are exempt because they do not fall under the definition of a business. 
  • Government agencies: Government agencies are exempt because they may need personal information for investigations, subpoenas, and summons; federal, state, and local laws; or other matters. The term government agency is broad and therefore open to interpretation. It would likely encompass federal, state, and local agencies as well as governmental bodies at all levels, including public schools.
  • Insurance institutions, agents, and support organizations: The CCPA exempts certain businesses that are regulated by other laws. This includes insurance institutions, agents, and support organizations that are subject to California’s Insurance Information and Privacy Protection Act (IIPPA).

What types of data are exempt from the CCPA?

In addition to exempted businesses, there are also exempted categories of personal information. These include the following categories.

Employment-related information

The CCPA includes a limited exemption for personal information of employees and job applicants that businesses collect and use solely in the context of that person’s role or former role. So if, for example, a consumer is both an employee and a customer of an ecommerce business, then any personal information collected while they are acting as a customer is covered by the CCPA.

The CCPA employee exemption is temporary, and currently set to expire on January 1, 2023. Businesses relying on this exemption for CCPA compliance should plan accordingly. 

B2B communications

Some personal information collected during dealings with other businesses and organizations is partially exempt from the CCPA. This includes B2B contact information handled solely in the context of due diligence or transactions where a product or service is provided or received.

The CCPA B2B exemption is another temporary exemption set to expire on January 1, 2023. Businesses relying on this exemption for CCPA compliance should plan accordingly.

Data subject to other US laws

The entities below are not wholly exempt from the CCPA, but some types of data that they collect are exempt because that data is subject to other laws.

1. Financial information

The CCPA exempts information that is collected by financial institutions and financial services businesses and subject to the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (CalFIPA). 

2. Protected health information

The CCPA exempts protected health information (PHI) collected by covered entities or business associates and subject to HIPAA. It also exempts medical information subject to California’s analogous law, the Confidentiality of Medical Information Act (CMIA).

3. Clinical trial information

The CCPA exempts information collected as part of a clinical trial or other biomedical research study that is subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.

4. Consumer reporting information

The CCPA exempts the collection, maintenance, disclosure, sale, communication or use of any personal information subject to the Fair Credit Reporting Act (FCRA) so long as the activity is authorized by the FCRA. 

5. Driver information

The CCPA exempts data processed following the Driver’s Privacy Protection Act of 1994 (DPPA).

Warranty and recall information

Warranty and recall information in any industry is exempt from the CCPA. 

Additionally, vehicle or ownership information retained or shared between a new car dealer and the manufacturer is exempt as long as that information is being shared to prompt a repair covered by a written warranty or recall.

Personal information collected and used entirely outside of the state of California

The CCPA does not apply to activity that takes place wholly outside of California. So if a business collects the personal information of a consumer when they are outside of California, then that is not subject to the CCPA. If their personal information is collected when they are in California but it is not sold, then that’s not subject to the CCPA either. Finally, if no part of the sale of the consumer’s personal information occurs in California, then it’s not subject to the CCPA.

This exemption is probably the most difficult to apply in practice since the CCPA does not specify how a business is supposed to determine when a consumer is outside of California.

How Secureframe can take the guesswork out of CCPA compliance

Like GDPR, CCPA is a landmark data privacy law that gives consumers more control over the personal information that businesses collect about them. 

While it has major implications for how businesses can handle California residents’ personal data, it doesn’t apply to all businesses or to all types of personal information. These exemptions can make it harder for businesses to operationalize the law.

That’s where Secureframe comes in. We can help you understand how the CCPA impacts your business and verify compliance. We make the compliance process clear by providing procedures and policies vetted by CCPA experts, proprietary CCPA training for automated employee compliance, access to in-house experts, and updates on the latest CCPA requirements.

For total confidence in your CCPA compliance strategy, schedule a demo of our platform today.