What are CCPA Exceptions? | [Types of Data and Companies]

Meeba Gracy

Jan 27, 2024

You’ve likely got the CCPA basics down, and you’re familiar with the ins and outs of the California Consumer Privacy Act (CCPA). If not, you can refer to our recent article on CCPA compliance to brush up on the essentials. In this article, we’ll talk about something equally important: CCPA exemptions.

At first glance, you might think that CCPA demands a swift response to any consumer request—delete the data ASAP or hand it over immediately. However, the reality is a bit more nuanced. CCPA exceptions introduce subtleties that businesses must consider carefully before entering compliance.

As we enter 2024, businesses are gearing up to integrate these rules into their compliance efforts. That’s why we’re here to dive into the details and highlight the exceptions that might shape your approach. Let’s get started…

What are CCPA exemptions?

The CCPA exempts certain actions related to collecting, keeping, sharing, selling, communicating, or using personal information. But it’s important to note that this exception doesn’t extend to the data breach liability rule.

However, the law includes exemptions where other data privacy regulations are already in effect. These exemptions aim to avoid disrupting established regulatory frameworks and to prevent unnecessary burdens on businesses.

In the next section, we’ll talk about whether your company must comply with the CCPA and, if so, which categories of data are exempt.

Which companies should comply with CCPA?

The CCPA has its sights set on for-profit businesses operating in California, applying to those that meet any one of these criteria:

  • If your business boasts a gross annual revenue surpassing $25 million
  • If your business sells, buys, or shares the personal information of 100,000 California residents, households, or devices
  • If 50% or more of your business’s annual revenue comes from selling the personal information of California residents

Who is Exempt from the CCPA?

Not every business falls under the reach of the CCPA. Here’s a quick look at those that are wholly exempt:

  • Nonprofits: Nonprofits catch a break as they don’t fit the definition of a business under the CCPA
  • Government Agencies: Government agencies get a pass due to their need for personal information in various official capacities, from investigations to legal matters
  • Insurance Institutions, Agents, and Support Organizations: Certain businesses regulated by other laws are exempt, including those under California’s Insurance Information and Privacy Protection Act (IIPPA)

For businesses collecting personal information from California residents, exemptions apply if they don’t meet specific thresholds, such as:

  • Earning at least $25 million in annual gross revenue
  • Dealing with the personal information of 50,000 or more California residents or households
  • Generating at least 50% of their annual revenue from selling consumer data

So, whether you’re a nonprofit, a government agency, or a business in an industry already regulated under other laws, understanding these CCPA deletion exceptions helps you determine whether the law applies to your business.

Different types of Data Exempt from CCPA

To tackle these intricacies, the California legislature has introduced exemptions to the CCPA, some of which are temporary. Let’s break down these CCPA deletion exceptions to make sense of how they navigate the complexities of the CCPA.

1. Information collected and used “wholly outside” of California

According to CCPA Section 1798.145(a)(6), businesses have a unique opportunity to collect and sell personal information if the entire process occurs ‘wholly outside of California.’ What does this involve? Let’s break it down:

  • If no part of the sale of the consumer’s personal information occurs within California
  • If a business gathers information while the consumer is outside of California
  • If personal information collected while the consumer is in California is not sold

To make use of this CCPA exception, companies must establish reliable methods to determine when consumers are outside the state of California. This exception allows businesses to operate without certain CCPA restrictions as long as every aspect of the commercial conduct remains outside California’s borders.

2. B2B data exemption

The B2B CCPA exemption relieves many CCPA requirements for personal information gathered directly from consumers during B2B communications.

This exemption shields the data from most CCPA obligations, with a few exceptions. Consumers will still get the right to opt out of the sale or sharing of their personal information.

3. HIPAA exemptions

The CCPA provides an exemption for protected health information (PHI) governed by HIPAA rules.

Under this exemption, California law doesn’t apply to PHI collected by entities covered by HIPAA, including business associates similar to CCPA service providers. It’s important to note that this exemption specifically addresses PHI; these entities might still collect and use other personal information subject to CCPA.

4. Fair Credit Reporting Act exemption

The Fair Credit Reporting Act (FCRA) lays down the guidelines for how consumer reporting agencies handle personal information, ensuring accuracy and privacy. Now, under the CCPA, there’s a specific exemption for personal information managed by these agencies and FCRA-compliant information furnishers.

5. Employee information

The CCPA once granted exemptions for employee information strictly used within the employer-employee relationship. This covered various data sources, including hired staff, independent contractors, business members, and job applicants. Until recently, employment data enjoyed exemptions from most CCPA requirements.

However, as of January 1, the California Privacy Rights Act (CPRA) amendments came into play, and the employer exemptions were not extended. This means several categories of human resources data are now subject to CCPA requirements.

Employee data is no longer treated differently but follows the same rules as other commercial information. Covered employers must now include employee data in their ongoing compliance efforts.

The CCPA defines personal information broadly with details like contact information, insurance and benefits choices, bank details, emergency contacts, resumes, performance evaluations, wage statements, equity grants, compensation history, and other standard employment-related information.

6. GLBA exemption

The Gramm-Leach-Bliley Act (GLBA) sets privacy rules for financial institutions, specifically regarding collecting and sharing consumers’ nonpublic personal information (NPI). NPI, or “personally identifiable financial information,” is gathered when offering financial products or services.

Given that the GLBA already has its own privacy regulations, the CCPA excludes personal information subject to the GLBA, such as NPI. However, it’s essential to note that this isn’t a broad exemption for the entire financial institution; it applies specifically to information governed by the GLBA.

Note

For instance, if the institution provides non-financial products, any personal information collected in that context could come under the purview of the CCPA.

7. Warranty and recall information

Here’s a simple rule: when it comes to warranty and recall information in any industry, the CCPA takes a step back.

Essentially, if this information is used to contact buyers about things like vehicle repairs due to a warranty or recall, and it’s not sold, shared, or used for anything else, it’s covered by an exemption.

To add a bit more detail, even the information exchanged between a new car dealer and the manufacturer related to vehicle or ownership details is exempt.

The catch? It must be shared for the sole purpose of addressing a repair under a written warranty or recall. So, in these situations, the CCPA steps aside.

8. Clinical trials

Initially, Section 1798.145(c)(1)(C) of the CCPA brought some confusion when it exempted “[personal] information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects.”

The hiccup? It left the term “clinical trials” open to interpretation, raising questions about the exemption’s extent.

Now, there is clarity. The exemption covers personal information gathered as part of “research” as defined in Section 164.501, which broadly defines research as a systematic investigation contributing to generalizable knowledge.

The definition explicitly mentions clinical trials and research following the Common Rule. According to most commentators, this refinement has settled the key ambiguity outlining the scope of the exemption when it comes to personal information.

9. To complete transactions

When it comes to completing transactions, the CCPA offers a clear exemption for personal information. This exemption applies when the information is “reasonably anticipated within the context of a business’s ongoing relationship with the consumer” or is necessary to fulfill a contract between the business and the consumer.

So, if a customer, for instance, has a standing order for weekly shampoo delivery, the organization is exempt from deleting the personal information required to fulfill that service. This includes names, credit card numbers, addresses, emails, preferences, and other necessary account information.

10. Free speech

Within the CCPA, the right to free speech is a priority. This means protecting the free speech of the requesting consumer as well as that of other consumers.

The CCPA goes further, permitting the “exercise of another right provided for by law.” In essence, the law aims to uphold and respect the freedom of expression for consumers, fostering a balance between privacy rights and the exercise of lawful rights.

11. Exemptions for Research

When it comes to public or peer-reviewed research under the CCPA, specific exemptions exist. Scientific, peer-reviewed, historical, or statistical research that collects and maintains personal information can be exempt from deletion requests, but there are conditions to meet.

The research must comply with relevant privacy laws and ethics, and the consumer must have given informed consent. Also, the research should be in the public interest, and a deletion request should not severely hinder the investigation.

Moreover, SB 1121 clarifies that information collected as part of a clinical trial is also exempt from CCPA deletion requests in medical research. These exemptions acknowledge the importance of preserving data integrity for valuable research endeavors while respecting privacy considerations.

How can Sprinto help you ensure CCPA compliance?

Feeling a bit overwhelmed with the ins and outs of CCPA compliance? You’re not alone, and that’s where Sprinto comes to the rescue. We understand that keeping up with exemptions and regulations can be a challenge.

Our platform, powered by automation, simplifies the entire CCPA/CPRA compliance journey. The numerous exemptions can add complexity to compliance efforts, and we help you comprehend their impact on your business, ensuring clarity and verification of compliance.

Our services include procedures and policies approved by CCPA experts, specialized training for automated employee compliance, direct access to in-house experts, and timely updates on the latest CCPA requirements.

With Sprinto, CCPA compliance becomes a streamlined and manageable process.

FAQs

1. What are the data classifications for CCPA?

The data classifications under CCPA are attributes recognized by California or federal law, such as ancestry, race, ethnic origin, religion, age, mental and physical disability, sexual orientation, gender identity, medical condition, email address, genetic information, marital status, or military status.

2. Can I achieve CCPA compliance on my own?

Yes. The CCPA doesn’t mandate third-party certification for compliance. You have the option to achieve compliance on your own. That being said, many companies find it beneficial to partner with experienced CCPA compliance experts to simplify and streamline the process.

3. What are the employer obligations for the California Consumer Privacy Act?

Employers have specific obligations under the CCPA. These include providing a notice, either at or before the time personal information (PI) is collected, which must include:

  • A description of the categories of sensitive personal information collected
  • Transparency on whether the employer sells or shares the PI
  • Information about how long the employer intends to retain the PI

4. What is a deletion exemption?

A deletion exemption safeguards information from being deleted if used solely internally and aligns with consumer expectations. Think of it as a sort of ‘legitimate interests’ exemption, allowing businesses to retain information in certain cases. This exemption may come into play to ensure legal compliance or meet specific legal obligations.

Meeba Gracy

Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.