Last updated: July 5, 2026
- Yes, CCPA exemptions exist, but they are narrow. They come in two kinds: businesses that fall outside the law entirely, and specific types of data that are exempt even when the business must comply.
- A for-profit business is only covered if it does business in California and hits one threshold: over $25M in gross annual revenue, buying/selling/sharing data on 100,000+ California residents or households, or earning 50%+ of revenue from selling/sharing personal information.
- Even when a business is exempt, the obligation lives in your privacy policy and website, where consumers exercise their rights, so most exemptions still leave work to do.
- Data-level carve-outs (HIPAA, GLBA, FCRA, employee and B2B contact data) exempt the information, not the company, and never exempt anyone from data-breach liability.
- This is a legal-judgment call, not a checkbox. Confirm exemptions with counsel, then make your website and privacy notices match.
Are there any CCPA exemptions?
Yes, there are CCPA exemptions, but they are limited and easy to misread. The California Consumer Privacy Act regulates how businesses collect, use, and sell consumer data, and it carves out two distinct categories: businesses that are not covered at all, and specific kinds of personal information that are exempt even when the business is covered. The catch is that an exemption rarely lets you off the hook completely, and the place those rights get exercised is almost always your website and privacy policy.
If you are the marketer who got handed the “are we CCPA compliant?” question, this guide breaks the exemptions down in plain language, with a table you can scan, so you know which questions to take to your legal team and what to fix on your site.
Which businesses are exempt from the CCPA?
A business is exempt from the CCPA when it does not meet the law’s coverage thresholds, full stop. The fastest way to know is to work through two questions in order: does it handle data on California residents, and is it big enough to be covered?
Do you collect data on California residents?
If your business does not collect personal information from California residents, the CCPA does not apply to you. The law protects California residents specifically, so a company with no California consumers, households, or devices in its data falls outside its scope. Because residency is defined broadly (anyone in the state for a non-temporary purpose), most companies with any national web traffic should assume some California data is in the mix and move to the second question.
Are you above the coverage thresholds?
A for-profit business that does handle California residents’ data is only covered if it meets at least one size threshold. According to the California Office of the Attorney General (guidance updated March 2024), the CCPA applies to for-profit businesses doing business in California that meet any one of the following. Note that these figures were updated by the California Privacy Rights Act (CPRA), which raised the consumer threshold from the original 50,000 to 100,000 as of January 1, 2023.
| Coverage threshold | What it means |
|---|---|
| Revenue | Gross annual revenue over $25 million. |
| Volume of data | Buys, sells, or shares the personal information of 100,000 or more California residents or households. |
| Data-driven revenue | Earns 50% or more of annual revenue from selling or sharing California residents’ personal information. |
Miss all three and your company is not a covered business. Meet even one and you are in scope, which makes the next section, data-level exemptions, the part that matters to you.
What types of consumer data are exempt from the CCPA?
Even a covered business handles some categories of personal information that are exempt from the CCPA. These exemptions apply to the data, not to the company, so they narrow your obligations rather than erase them. According to the California Office of the Attorney General (2024), the law “exempts certain types of information such as certain medical information and consumer credit reporting information.” Here are the carve-outs that come up most often.
Activity collected and used wholly outside California
Personal information collected and used entirely outside California is exempt from the CCPA. In practice this means the consumer was outside California when the data was collected, no part of any sale of that data happens in California, and the activity stays out of state. The CCPA does not spell out how to prove this cleanly, and because an IP address is itself personal information under the law, demonstrating that a consumer was truly out of state is harder than it sounds.
Employee information
Personal information collected from job applicants, staff, officers, directors, and contractors was historically treated as exempt “employee information.” Under this carve-out, businesses did not have to honor the same access, opt-out, and deletion rights for employee data, though they always had to give notice at collection and employees kept the right to act after a data breach. One important limit: the exemption only ever covered data used within the employer-employee relationship. Treat this one as a moving target and confirm its current status with counsel, since the CPRA was written to sunset it.
Business-to-business (B2B) contact information
Contact information collected through a business-to-business relationship may be exempt, but conditionally. To qualify, the underlying product or service between the companies had to already be CCPA-exempt. Even then, you still must give the other party the right to opt out of having their information sold, and B2B contacts retain the right to act if their information is exposed in a breach.
Warranty and recall information
Vehicle ownership information shared between new-car dealers and manufacturers is exempt, with no opt-out required, but only when the information is used to reach buyers about repairs tied to a warranty or recall. Use it for anything else and the exemption does not apply.
Data already governed by other U.S. laws
The CCPA defers to several other federal and state laws. When information is regulated by one of these statutes, that data is exempt, but the company is never exempt from CCPA statutory damages in a data breach.
| Law | Data it exempts |
|---|---|
| HIPAA & CMIA | Protected health information (PHI) and medical information held by covered entities and business associates. |
| Federal Common Rule | Information collected for clinical trials under the Federal Policy for the Protection of Human Subjects. |
| GLBA & CalFIPA | Certain financial information covered by the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act. |
| FCRA | Consumer reporting activity authorized by the Fair Credit Reporting Act. |
| DPPA | Driver information processed under the Driver’s Privacy Protection Act. |
The pattern is consistent across all five: the exemption covers a slice of data, not the whole business. Any information that falls outside the protected category, such as website-visitor or employment data a healthcare provider collects, stays subject to the CCPA.
How does the CCPA define personal information?
The CCPA defines personal information as anything that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household. That is a deliberately wide net, which is why so much data ends up in scope. The categories named in the statute include, but are not limited to:
- Real name, aliases, and postal and email addresses
- IP addresses and account names
- Social Security, driver’s license, and passport numbers
- Purchase records and other data about buying habits
- Biometric information
- Browsing history, search history, and website interaction data
- Geolocation data
- Professional, employment, and education information
The definition matters for exemptions because other laws define “personal information” differently. A field that GLBA treats as exempt financial data may not line up exactly with the CCPA’s definition, and that gap can turn a clean exemption into a partial one.
What is the difference between the CCPA and the CPRA?
The CPRA (California Privacy Rights Act) is an amendment that expanded and strengthened the CCPA, not a separate law that replaced it. In practice the CCPA-as-amended-by-the-CPRA is the standard you comply with today. The CPRA raised the consumer-data coverage threshold to 100,000, added a new category of “sensitive personal information,” created the California Privacy Protection Agency to enforce the rules, and phased out the temporary employee and B2B exemptions. When you evaluate an exemption, use the current CPRA-updated version rather than the original 2020 text.
When should you update your privacy policy for CCPA exemptions?
Update your privacy policy whenever an exemption status changes on either side of the equation: your business crosses a coverage threshold, an exemption you relied on sunsets (as the employee carve-out did), or you start collecting a new category of data. The CCPA also expects privacy notices to be reviewed at least every 12 months, so an annual review is the safe default. The trigger is a change in what you collect or how you use it, not the calendar alone.
CCPA exemptions: business-level vs. data-level at a glance
The single most common mistake is assuming a data-level exemption means the company is off the hook. Use this side-by-side to keep the two straight before you make any calls about your site or privacy policy.
| Question | Business-level exemption | Data-level exemption |
|---|---|---|
| What is exempt | The entire business. | One category of data only. |
| Triggered by | Falling below all coverage thresholds. | Data governed by HIPAA, GLBA, FCRA, DPPA, or a specific carve-out. |
| Other obligations remain? | No CCPA obligations while you stay below the thresholds. | Yes. All non-exempt data is still fully covered. |
| Data-breach liability? | None under the CCPA. | Yes. Breach liability is never exempted. |
| Impact on your website | You can simplify privacy notices, but keep monitoring your thresholds. | Your privacy policy and opt-out flows must still cover everything that is not exempt. |
Why CCPA exemptions are a website problem, not just a legal one
Exemptions decide what your website and privacy policy have to say and do. Whether a consumer can submit a “do not sell or share my information” request, what your privacy notice discloses, and how you handle a data-subject request are all expressed through your site. So once your legal team confirms which exemptions apply, the work moves to your website, where those decisions become real for visitors.
That is the part marketing teams own, and it is where a clear plan pays off. Mapping privacy requirements into your information architecture and privacy notices is exactly the kind of thing we handle in web strategy, the same way compliance work shows up in website accessibility and compliance projects. Both sit inside how we build websites at 3 Media Web: human judgment on the requirements, supported by AI and a disciplined process.
In our work with Claritas Rx, a specialty pharmaceutical data analytics company, we built GDPR/CCPA consent management and WCAG 2.1 AA accessibility directly into a custom WordPress site rather than bolting them on afterward. Because the compliance rules were designed into the information architecture, the same rebuild also lifted their search impressions by 138.5% and put 100% of their pages in the “Good” Core Web Vitals band. That is the pattern we see most often: the privacy decisions your counsel makes only become real when they are engineered into the site itself.
Frequently asked questions
Are there CCPA exemptions for small businesses?
Indirectly, yes. The CCPA does not exempt “small businesses” by name, but a for-profit company is only covered if it exceeds $25 million in revenue, handles data on 100,000 or more California residents or households, or earns half its revenue from selling personal information. A business under all three thresholds is not covered, though it should re-check as it grows.
Does the CCPA apply to nonprofits?
Generally no. The CCPA defines a covered “business” as a for-profit entity, so a true nonprofit is outside its scope on that basis alone. The exception is a nonprofit that is controlled by, or operates for the benefit of, a covered for-profit business and shares branding with it. Standalone nonprofits are exempt, but they should still document why the for-profit definition does not apply to them.
Does the CCPA apply if my business is not in California?
It can. The CCPA follows the consumer, not the company’s headquarters. If you collect personal information from California residents and meet a coverage threshold, the law applies no matter where your business is located. Only a company that collects no California resident data is fully outside its scope.
Is employee data still exempt under the CCPA?
Treat it as no longer safely exempt. The original employee-information carve-out was written to sunset under the CPRA, so employee and applicant data is now broadly subject to CCPA rights. Because this area has shifted, confirm the current rules with legal counsel before relying on any employee-data exemption.
Do CCPA exemptions remove data-breach liability?
No. Every CCPA exemption, whether business-level or data-level, leaves data-breach liability intact. A company can be exempt from honoring access or deletion rights for certain data and still face statutory damages if that information is exposed in a breach, which is why security stays mandatory regardless of exemptions.
Does a HIPAA or GLBA exemption cover my whole company?
No. HIPAA, GLBA, FCRA, and DPPA exemptions cover specific categories of data, not the business. A healthcare provider’s PHI may be exempt while its website-visitor and employment data remain fully subject to the CCPA. You have to separate the exempt data from everything else rather than assume blanket coverage.
How 3 Media Web can help
CCPA exemptions are a legal call, but they always land on your website. Once your counsel confirms which exemptions apply, your privacy policy, opt-out flows, and disclosures have to reflect them, and that is the part we make straightforward. At 3 Media Web, we translate compliance requirements into clean information architecture and privacy notices through web strategy and accessibility and compliance work, guided by our Human and AI approach so judgment leads and the tooling supports it.
Need your website and privacy policy to match your compliance reality? Reach out to our team and we will help you put it into effect. This article is general information, not legal advice; confirm your specific obligations with qualified counsel.