
The California Consumer Privacy Act (CCPA) was passed to protect the data privacy and security of California residents.
Companies that aren’t physically located in California or the United States can still fall within the scope of CCPA. That means businesses all over the world may need to comply with CCPA requirements.
There are exemptions, however. Keep reading to learn which organizations and types of data are exempt from this data privacy law.
Any for-profit organization that collects the personal information of California residents and meets one of the following threshold requirements must comply with the CCPA:
Because of the CCPA’s scope relevant to California residents’ personal data, this legislation may impact businesses all over the world. However, many businesses underestimate its reach.
Let’s take a look at an example of a business that must comply with the CCPA below. This is based on a CCPA enforcement case example posted by the Office of the Attorney General in California.
A business that provides an online dating platform is based in Colorado. It sells the personal information of over 50,000 users who have an account. These users live all over the country, including in California. Does the CCPA apply to this business?
Yes, the CCPA applies to this business because it collects and sells the personal information of more than 50,000 consumers, some of whom live in California.
Under the CCPA, the definitions of personal information, business, and consumer are broad. For example, the term “consumer” refers to any California resident — not just customers. This brings up complicated questions, like whether the personal information of employees and job applicants is subject to the CCPA. If it were, then managing this personal information would increase the compliance burden on businesses, especially those with limited resources.
In order to address these complexities, the California legislature added exemptions to the CCPA, some of which are temporary.
In 2019, the CCPA was amended to include temporary exemptions for employee personal information and B2B communications. These temporary exemptions were extended with the passage of the California Privacy Rights Act (CPRA) and are currently set to expire on January 1, 2023. However, in February 2022, two bills were introduced to extend the timeline of the exemptions either until January 1, 2026 or indefinitely.
Let’s take a closer look at which businesses and categories of personal information are exempt from the CCPA.
There are a few businesses that are wholly exempt from the CCPA as it is currently written — even if they collect the personal information of California residents and meet one of the threshold requirements described above. These businesses are:
In addition to exempted businesses, there are also exempted categories of personal information. These include the following categories.
The CCPA includes a limited exemption for personal information of employees and job applicants that businesses collect and use solely in the context of that person’s role or former role. For example, if a consumer is both an employee and a customer of an ecommerce business, any personal information collected while they are acting as a customer is still covered by the CCPA.
The CCPA employee exemption is temporary, and currently set to expire on January 1, 2023. Businesses relying on this exemption for CCPA compliance should plan accordingly.
Some personal information collected during dealings with other businesses and organizations is partially exempt from the CCPA. This includes B2B contact information handled solely in the context of due diligence or transactions where a product or service is provided or received.
The CCPA B2B exemption is another temporary exemption set to expire on January 1, 2023. Businesses relying on this exemption for CCPA compliance should plan accordingly.
The entities below are not wholly exempt from the CCPA, but some types of data they collect are exempt because that data is already subject to other laws.
The CCPA exempts information that is collected by financial institutions and financial services businesses and subject to the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (CalFIPA).
The CCPA exempts protected health information (PHI) collected by covered entities or business associates and subject to HIPAA. It also exempts medical information subject to California’s analogous law, the Confidentiality of Medical Information Act (CMIA).
The CCPA exempts information collected as part of a clinical trial or other biomedical research study that is subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
The CCPA exempts the collection, maintenance, disclosure, sale, communication or use of any personal information subject to the Fair Credit Reporting Act (FCRA) so long as the activity is authorized by the FCRA.
The CCPA exempts data processed following the Driver’s Privacy Protection Act of 1994 (DPPA).
Warranty and recall information in any industry is exempt from the CCPA.
Additionally, vehicle or ownership information retained or shared between a new car dealer and the manufacturer is exempt as long as that information is being shared to prompt a repair covered by a written warranty or recall.
The CCPA does not apply to activity that takes place wholly outside of California. So if a business collects the personal information of a consumer when they are outside of California, then that is not subject to the CCPA. If their personal information is collected when they are in California but it is not sold, then that’s not subject to the CCPA either. Finally, if no part of the sale of the consumer’s personal information occurs in California, then it’s not subject to the CCPA.
This exemption is probably the most difficult to apply in practice since the CCPA does not specify how a business is supposed to determine when a consumer is outside of California.
Like GDPR, CCPA is a landmark data privacy law that gives consumers more control over the personal information that businesses collect about them.
While it has major implications for how businesses can handle California residents’ personal data, it doesn’t apply to all businesses or to all types of personal information. These exemptions can make it harder for businesses to operationalize the law.
That’s where Secureframe comes in. We can help you understand how the CCPA impacts your business and verify compliance. We make the compliance process clear by providing procedures and policies vetted by CCPA experts, proprietary CCPA training for automated employee compliance, access to in-house experts, and updates on the latest CCPA requirements.
For total confidence in your CCPA compliance strategy, schedule a demo of our platform today.