Are There Any CCPA Exemptions Available?
The California Consumer Privacy Act, or CCPA, started at the beginning of 2020. The legislation regulates when and how companies collect and use consumer data. Many are asking, “Are there CCPA exemptions?”
The short answer is, yes, there are exemptions to the CCPA. However, it’s much more complex than a yes or no answer. In this article, we’ll be exploring the fundamentals of the legislation and outline where and what the CCPA exemptions are.
FURTHER READING: What is the California Consumer Privacy Act?
What Are The CCPA Exemptions?
There are different types of exemptions from the CCPA. For example, not all companies will be required to follow the laws. There are also certain types of consumer data that is exempt from being covered under the CCPA.
What Companies Are Wholly Exempt From The CCPA?
If you’re unsure if your company is required to become CCPA compliant, this is the best place to start. It may happen that your company doesn’t fall within the definition of companies that need to be compliant. So, let’s start there.
First, determine whether or not your company collects personal information from California residents. If the answer is no, you don’t need to worry about becoming CCPA compliant. The legislation only covers residents of that state.
According to Section 17014 of Title 18, a California resident is essentially anyone in the state for a purpose that is not transitory or temporary.
If your company doesn’t collect data from California residents it’s exempt from the CCPA.
If your company DOES collect personal information from California residents and meets one or more of the following thresholds, your company IS required to become CCPA compliant:
- Has an annual gross revenue of $25MM or higher
- Collects personal information (PI) from 50,000 or more California residents, households, or devices each year
- Half (50%) or more of the company’s annual revenue is earned by selling personal information on California residents
FURTHER READING: Who Must Be CCPA Compliant
If your company isn’t exempt from the CCPA, there are a few other types of exemptions to learn about. However, these will not release your company from its obligations to become CCPA compliant. Rather, they are exemptions in the types of data that are regulated under the legislation.
What Consumer Data Types Are CCPA Exemptions?
So, you’ve already determined your company is covered by the CCPA. The next step to learn about what types of consumer data are exempt.
It’s crucial to understand that these exemptions apply only to consumers’ personal information, not to the company collecting said data.
The exemptions of personal information include:
Activity Collected and Used Wholly Outside of California
According to the CCPA, any personal information collected and used entirely outside of the state of California is exempt from the CCPA.
This is described in the CCPA statute in this way:
- The consumer is outside of the state of California when the data was collected
- Any personal information that was collected while a consumer was within the borders of California is sold
- When a company sells the consumers’ personal information, no part of said sale takes place in California
Unfortunately, the CCPA does not make it clear how exemptions of this type will apply in practice. It’s difficult for companies to establish that the consumer is, indeed, outside of the state of California.
One example of this would be in regards to IP addresses, which are defined in the CCPA as personal information. A company would need to lookup each IP address to determine its point of origin.
That being said, it’s a good time to remind you to stay up-to-date on current CCPA amendments. Certain aspects of it may be updated for clarity or other reasons.
The Collection Of Employee Information
Further, there are some CCPA requirements which don’t apply to personal information that has been collected from the following:
- Applicants to a job
- Hired staff members and employees (including officers and directors)
- Independent contractors and business members
Personal information under this category is considered to be and referred to as “Employee Information”. The CCPA has established that employee information does not include the same “right to access” as consumer data. Similarly, employers do not need to provide an opt-out, nor are they required to fulfill delete requests from employees.
However, it is still required that businesses give notice to employees when employee information is being collected. Furthermore, employees do maintain the right to take action if their employee information was involved in a data breach.
But, there’s an exception to this exception…
The employee information exception only covers employee information that is used within the scope of the employer-employee relationship. If a company collects and uses employee information beyond that relationship, it will not be exempt from the CCPA.
Information Collected On Business-to-Business Relationships
Contact information collected as part of a business to business (B2B) relationship may also be exempt from CCPA compliance.
But, it’s a little tricky…
To qualify for this exemption, the product or service taking place between the businesses must have already been CCPA exempt.
But, businesses must still provide the other party with the right to opt-out of having their information sold. Businesses will also have the right to take action should their B2B contact information be involved in a data breach.
Warranty and Recall Information
This exemption to the CCPA relates to new car dealers and buyers. It rules that vehicle ownership information may be kept and shared between dealers and manufacturers. Further, it does not require an opt-out option. This only applies if the information is used to contact buyers about vehicle repairs in the case of a warranty or recall.
FURTHER READING: What Happens If I Violate the CCPA?
Data Subject to Other US Laws
Lastly, the CCPA explicitly states that certain information is exempt from the CCPA if they are subject to other laws. But, entities themselves are NOT exempt from the CCPA or statutory damages as a result of a data breach.
Protected Health Information And Medical Information
Any personal health information (PHI) is exempt from the CCPA if is it collected by “covered entities” and “business associates”. However, they must be subject to the Health Insurance Portability and Accountability Act (HIPAA) and/or the Confidentiality of Medical Information Act (CMIA).
If your company qualifies for this exemption, you need to understand exactly what types of data are covered under the exemption. Any information that falls outside the realm of PHI and medical information will still be subject to CCPA.
For example, healthcare providers and other covered entities often collect personal information such as employment data on their patients. Or, perhaps they collect information about visitors to their website. Those types of information would likely still be held to the CCPA regulations.
Information covered under the Federal Policy for the Protection of Human Subjects is exempt from the CCPA.
If your company collects certain financial information according to the California Financial Information Privacy Act (CalFIPA) or the Gramm Leach-Billey Act (GLBA) said financial information will be exempt from the CCPA. It will not, however, be exempt from liability in the event of a data breach.
This doesn’t mean that entities are released from all CCPA requirements. If they’re collecting data that isn’t covered by CalFIPA or GLBA, that additional data may be subject to CCPA enforcement.
Consumer Reporting Information
Another CCPA exemption includes activities involving personal information that is also subject to the Fair Credit Reporting Act (FCRA). This includes the collection, disclosure, sale, maintenance, and use of the information. Said activities must be authorized by the Fair Credit Reporting Act.
And, like other exemptions, this one also does not exempt entities from being held responsible for data breaches.
Lastly, data that is processed following the Driver’s Privacy Protection Act (DDPA) also qualifies as a CCPA exemption. Again, this doesn’t mean the entity collecting the data is exempt. Rather only certain types of information it collects will be exempt.
Under the CCPA, the entity will still be responsible in the event of a data breach.
Personal Information As Defined By The CCPA
A complete list of what the CCPA defines as personal information can be found in the actual language of the bill.
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
It goes on to list the specifics, which include, but are not limited to:
- Real name and aliases, postal and email addresses
- Internet protocol (IP) addresses and account names
- Social security number, driver’s license number, passport number, etc.
- Records of personal property, products or services purchased or considered, and other data related to consumer buying habits
- Biometric information
- Internet and app activity information, such as browsing and search histories
- Information regarding a consumers’ interaction with an Internet Web site, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional, employment, and educational related information
There’s No Substitute For Due Diligence When It Comes To CCPA Exemptions
As you’re researching all the different exemptions, do your due diligence! Determine any difference in how various laws define “personal information”.
What the CCPA defines as personal data may have a different definition under the GLBA, for example. Even the slightest discrepancy between them could mean the difference of an entire exemption vs a partial exemption.
FURTHER READING: How To Prepare To Be CCPA Compliant
It Takes A Village
Feel free to reach out to us at 3 Media Web for a consultation.