Understanding CCPA Exemptions: Who's Affected?

You've implemented privacy measures for your business to comply with the California Consumer Privacy Act (CCPA), investing significant time and resources. Then you hear rumors that certain businesses might be exempt from these regulations. Could your business qualify? What about the different types of data you collect - are some of those exempt too?

The confusion around CCPA exemptions leaves many organizations uncertain about their compliance obligations, potentially causing them to waste resources on unnecessary measures or, worse, unknowingly violate the law despite their best efforts.

Understanding CCPA Basics

The California Consumer Privacy Act, which took effect on January 1, 2020, grants California residents enforceable rights over their personal information:

  • Right to Know: Consumers can request details about what personal information a business has collected about them, where it came from, and with whom it has been shared
  • Right to Delete: Consumers can request deletion of their personal data (subject to statutory exceptions)
  • Right to Opt-Out: Consumers can direct businesses not to sell their personal information (and, since the CPRA amendments, not to "share" it for cross-context behavioral advertising)
  • Right to Non-Discrimination: Businesses cannot treat consumers differently for exercising their CCPA rights

The California Privacy Rights Act (CPRA), effective January 1, 2023, amended the CCPA. It added a right to correct inaccurate personal information and a right to limit the use of sensitive personal information, and it created the California Privacy Protection Agency (CPPA), which now handles rulemaking and administrative enforcement alongside the Attorney General.

While these protections are robust, the law recognizes that not all entities and data types warrant the same level of regulation. Understanding these exemptions, and their limits, is crucial to a sound compliance strategy.

Companies Exempt from CCPA

Contrary to what many assume, the CCPA doesn't apply universally to all organizations operating in California. Here are the key categories of exempt businesses:

1. Nonprofit Organizations

If you run a nonprofit organization, there's good news: nonprofits are generally outside the CCPA, because the law applies to "businesses," a term it defines as for-profit entities.

However, this exemption isn't absolute. A nonprofit is treated as part of a regulated business, and must comply with it, if all of the following hold:

  • It controls, or is controlled by, a regulated business
  • It shares common branding (a shared name, servicemark, or trademark) with that business
  • The business shares consumers' personal information with it

Separately, a nonprofit that processes personal information on behalf of a regulated business, for example as a service provider or contractor, takes on the contractual obligations the CCPA requires the business to impose on such parties, even though the nonprofit is not itself a "business."

2. Government Agencies

Government agencies at every level (federal, state, local) are outside the CCPA because they are not for-profit "businesses." This makes sense, as they are governed by their own privacy statutes: California state agencies by the Information Practices Act of 1977, and federal agencies by the Privacy Act of 1974. A private contractor that processes personal information for an agency does not inherit the agency's status; whether the contractor is covered depends on its own revenue and data-volume thresholds.

3. Small and Mid-Sized Businesses

Not all for-profit companies fall under CCPA jurisdiction. The law targets larger businesses by establishing thresholds, and a for-profit company is a regulated "business" if it meets at least one of them. Your business is outside the CCPA only if it meets none of the following:

  • Annual gross revenue above $25 million in the preceding calendar year (the CPPA adjusts this figure for inflation; it rose to $25,625,000 effective January 1, 2023)
  • Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households (the CPRA raised this from the original 50,000)
  • Derives 50% or more of its annual revenue from selling or sharing California consumers' personal information

Note the direction of the test: a company with $10 million in revenue that handles records on 150,000 California households is covered, because it meets the second threshold. For small business owners who clear none of the thresholds, this is significant relief, as CCPA compliance can be resource-intensive. However, the thresholds are evaluated every year, so growing businesses should monitor their status, and a small company that is controlled by, shares branding with, and receives personal information from a covered business is covered along with it.

4. Insurance Entities

Insurance institutions, agents, and support organizations operating in California are governed by the California Insurance Information and Privacy Protection Act (IIPPA), an industry-specific statute that addresses similar privacy concerns but is tailored to insurance operations, and personal information handled under the IIPPA is generally treated as outside the CCPA. Read this carve-out narrowly, as with the other sector-specific ones: personal information an insurer handles outside the IIPPA's scope, such as website analytics or marketing data, should be treated as subject to the CCPA.

Types of Data Exempt from CCPA

Even for businesses that must comply with the CCPA, certain categories of data remain exempt from some or all of its requirements:

1. Data Collected Outside California

The CCPA protects California residents, and it exempts commercial conduct that takes place wholly outside California. That exemption is narrow. It applies only when all of the following hold:

  • The personal information was collected while the consumer was outside California
  • No part of any sale of that information occurred in California
  • No personal information collected while the consumer was in California is sold

Information about people who are not California residents is outside the law for a simpler reason: they are not "consumers" as the CCPA defines the term. The statute also closes an obvious loophole: a business may not store information about a consumer while they are in California and then "collect" it once the consumer and the stored data are outside the state.

This territorial limitation lets businesses segment their data handling by geography, but in practice residency is hard to establish from an IP address or billing ZIP alone, so many businesses apply CCPA handling to all U.S. records rather than trying to prove that a given record is out of scope.

2. B2B Data Exemption

The CCPA's business-to-business exemption was temporary, and it has now expired. Added by AB 1355 in 2019 and extended by AB 1281 and then by the CPRA, it removed most CCPA obligations for personal information reflecting a written or verbal communication or transaction with a consumer acting as an employee, owner, director, officer, or contractor of another business, where the communication or transaction took place in the context of:

  • Communications between businesses
  • Due diligence processes
  • Providing or receiving a product or service

Even while it applied, the exemption was partial: businesses still had to honor opt-out of sale requests and remained exposed to the data-breach private right of action. The exemption sunset on January 1, 2023, together with the parallel exemption for employee and job-applicant data. Since that date, B2B contact data (a customer's purchasing manager, a vendor's account representative) carries the full set of CCPA rights, including access, deletion, and correction, and should be inventoried and handled like any other consumer data.

3. Federally Regulated Data

Several federal laws govern specific categories of data, and the CCPA defers to these regulations to avoid creating conflicting requirements:

HIPAA-Protected Health Information: If your business is a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), the protected health information you handle under HIPAA is exempt from the CCPA, as is "medical information" governed by California's Confidentiality of Medical Information Act (CMIA). This spares healthcare providers and insurers from navigating contradictory regulations. The exemption is tied to the data, not the organization: a hospital's website marketing data is not PHI and is not exempt on this ground.

Financial Information Under GLBA: The Gramm-Leach-Bliley Act (GLBA) regulates how financial institutions handle nonpublic personal information about their customers. Personal information collected, processed, sold, or disclosed pursuant to the GLBA, or to the California Financial Information Privacy Act, is exempt from most CCPA requirements. Again, the exemption follows the data: a bank's account and transaction records are GLBA data, but information gathered from website visitors who are not customers, or marketing analytics unrelated to providing a financial product, generally is not.

As one Reddit user noted: "I've seen more than one instance where a fintech or financial institution refuses to honor requests to access information they hold about a client as per California Consumer Privacy Act rights, under the guise that the information requested is covered under the federal Gramm-Leach-Bliley Act."

This highlights the confusion around these exemptions. GLBA-covered data is outside most CCPA provisions, but the statute expressly preserves the private right of action for data breaches (Section 1798.150), so a financial institution that fails to maintain reasonable security for that data can still be sued under the CCPA. And a blanket refusal is defensible only if the requested data is in fact GLBA data; a business must still honor requests for any personal information it holds outside the GLBA's scope.

Consumer Reporting Information (FCRA): The collection, maintenance, disclosure, sale, or use of personal information bearing on a consumer's creditworthiness, character, or similar characteristics by a consumer reporting agency (such as a credit bureau), a furnisher, or a user of a consumer report is exempt, to the extent that activity is regulated by the Fair Credit Reporting Act and the information is not used except as the FCRA authorizes. This prevents interference with credit reporting functions while keeping non-FCRA uses of the same data in scope.

4. Warranty and Recall Information

Vehicle ownership information that a new motor vehicle dealer and the vehicle's manufacturer retain or share with each other for the purpose of a repair covered by a warranty or a recall is exempt, provided neither party uses or sells it for any other purpose. The exemption exists so that safety recalls can reach current owners without a privacy-law detour; it does not cover the same data when it is used for marketing.

5. Clinical Trial Data

Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects (the Common Rule), to the International Council for Harmonisation's Good Clinical Practice guideline, or to FDA human-subject protection requirements is exempt. This prevents interference with medical research; participants' rights are protected instead through informed consent and institutional review under those frameworks.

6. Deidentified and Aggregate Consumer Information

Information that has been properly deidentified or aggregated is exempt. Note that the CCPA's definition of "deidentified" is not satisfied by technical stripping alone: the information must reasonably be incapable of being linked to an identifiable consumer, and the business must take reasonable measures to prevent reidentification, publicly commit not to reidentify it, and contractually bind any recipient to the same. "Aggregate consumer information" is data about a group or category of consumers from which individual identities have been removed and that is not linked or reasonably linkable to any consumer or household. Pseudonymous data, such as a hashed email address, remains personal information because the business can still link it back. Done properly, deidentification and aggregation are the cheapest way to shrink a CCPA footprint, which is why the law encourages them.
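As an added illustration (this is not code from the article), the Python below shows the technical half of that work: stripping direct identifiers, generalizing quasi-identifiers (five-digit ZIP to a three-digit prefix, birth year to an age band), aggregating into group counts with suppression of any group smaller than k, and, for contrast, keyed pseudonymization, which does not deidentify because the key holder can re-link the token. The records are constructed, and the field names, the fixed reference year, and k = 3 are assumptions chosen to keep the example small. Nothing here addresses the business-process and contractual prongs of the statutory definition.

```python
"""Deidentification and aggregation example (added illustration, not from
the article). Sample data is constructed; field names, YEAR_NOW and the
k threshold are assumptions."""
from collections import Counter
import hashlib
import hmac

# Constructed sample records: fictional people, not real consumers.
RECORDS = [
    {"name": "Ana Ruiz",   "email": "ana@example.com", "zip": "94110", "birth_year": 1984, "plan": "gold"},
    {"name": "Ben Okafor", "email": "ben@example.com", "zip": "94112", "birth_year": 1979, "plan": "gold"},
    {"name": "Cal Nguyen", "email": "cal@example.com", "zip": "94117", "birth_year": 1981, "plan": "gold"},
    {"name": "Dee Park",   "email": "dee@example.com", "zip": "94103", "birth_year": 1990, "plan": "basic"},
    {"name": "Eli Stone",  "email": "eli@example.com", "zip": "95814", "birth_year": 1962, "plan": "basic"},
]

# Fields that identify a person on their own (assumed list for this example).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ssn"}
YEAR_NOW = 2024  # fixed reference year so the output is deterministic


def strip_direct_identifiers(record):
    """Drop direct identifiers; what remains are quasi-identifiers and attributes."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def age_band(birth_year, width=10):
    """Generalize an exact age into a band such as '40-49'."""
    age = YEAR_NOW - birth_year
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalize(record):
    """Coarsen quasi-identifiers, which identify people in combination."""
    return {
        "zip3": record["zip"][:3],              # 5-digit ZIP -> 3-digit prefix
        "age_band": age_band(record["birth_year"]),
        "plan": record["plan"],
    }


def aggregate(records, k=3):
    """Count consumers per generalized group and suppress groups smaller than k,
    so no published row describes fewer than k people."""
    counts = Counter()
    for r in records:
        g = generalize(strip_direct_identifiers(r))
        counts[(g["zip3"], g["age_band"], g["plan"])] += 1
    return {group: n for group, n in counts.items() if n >= k}


def pseudonymize(email, key):
    """Keyed hash of an identifier. This is pseudonymization, not
    deidentification: whoever holds `key` can recompute and re-link the token,
    so the result is still personal information under the CCPA."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for group, n in aggregate(RECORDS, k=3).items():
        print(group, n)            # only the (941, 40-49, gold) group of 3 survives
    print(pseudonymize("Ana@Example.com", b"demo-key")[:16], "... (still PI)")
```

With k = 3 only one row survives on the sample data; every other combination of ZIP prefix, age band and plan describes a single person and is suppressed. In production the suppression threshold is usually higher and the generalization hierarchy is chosen per field, but the shape of the pipeline is the same.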

Implications for Businesses

Understanding CCPA exemptions has significant practical implications for your organization:

Assess Your Compliance Obligations Regularly

As one Reddit user pointed out: "Even if the data is never sold, data retention policies and transparencies need to be established and clearly labeled. CCPA 2.0 will also introduce employee data on top of the existing consumer data."

This highlights that compliance obligations can change based on:

  • Annual revenue fluctuations, including inflation adjustments to the revenue threshold
  • Changes in data collection practices, such as a new analytics vendor pushing you past the 100,000-consumer threshold
  • Legislative updates (like the CPRA, often called "CCPA 2.0," which took effect January 1, 2023 and ended the employee and B2B exemptions the quote anticipates)

Regular compliance assessments, ideally tied to the annual threshold check and to any new data-sharing integration, can prevent both unnecessary regulatory burdens and accidental violations.

Understand the Broad Definition of "Sale"

The CCPA defines "selling" much more broadly than conventional understanding. As noted in online discussions: "The CCPA's definition of sale is far more broad than what you would conventionally consider a sale. In particular, it's possible to be selling data that you transfer to a third party even if you receive nothing at all for it."

This means businesses might be "selling" data without realizing it through:

  • Sharing data with partners or affiliates that are not service providers under a compliant contract
  • Using third-party cookies, pixels, and SDKs that send identifiers to advertising networks
  • Participating in data-sharing arrangements or co-marketing programs

The CPRA added a parallel concept, "sharing," for disclosures made for cross-context behavioral advertising even when nothing of value changes hands. A business that sells or shares must honor opt-out requests, including the automatic ones a browser sends through the Global Privacy Control signal. Even exempt businesses should understand these definitions, so that a change in status does not turn an existing ad-tech integration into an unintended violation.

Prepare for Legitimate Denial of Consumer Requests

Businesses can rightfully deny certain consumer requests when exemptions apply. As one commenter explained: "There are a variety of state and federal laws that would prohibit a company from following a deletion request. These could include tax records, employment records, or contractual requirements (like warranty obligations)."

When denying requests based on exemptions, businesses should:

  • Respond within the statutory window (45 days, extendable once by a further 45 days with notice to the consumer), even when the answer is a denial
  • Clearly explain the legal basis for the denial, citing the specific exemption or deletion exception relied on
  • Fulfill any portions of the request that aren't exempt, rather than refusing the request wholesale
  • Document the decision, who made it, and the data categories involved, so the reasoning can be shown to a regulator or in litigation

Consider Alternative Privacy Regulations

Even exempted entities often fall under other privacy regulations. As one user asked: "Are there other privacy regulations that these 3 categories must comply with?"

Exempt businesses should consider:

  • Federal regulations like HIPAA, GLBA, or COPPA
  • Industry-specific requirements
  • Other state privacy laws in jurisdictions where they operate
  • Self-regulatory frameworks

Conclusion

The CCPA's exemptions create a nuanced compliance landscape that requires careful navigation. By understanding which entities and data types are exempt, businesses can focus their compliance efforts where legally required while maintaining trust with their customers through appropriate data handling practices.

For businesses uncertain about their obligations, consulting with a privacy attorney is advisable, as misinterpreting exemptions can lead to compliance gaps. Even exempt organizations should consider adopting privacy best practices, as consumer expectations for responsible data handling continue to rise regardless of legal requirements.

By staying informed about CCPA exemptions and maintaining robust data governance practices, businesses can balance regulatory compliance with operational efficiency while respecting consumer privacy rights.

Frequently Asked Questions (FAQ)

What is the CCPA?

The CCPA, or California Consumer Privacy Act, is a California state law effective January 1, 2020, and amended by the CPRA effective January 1, 2023, that grants California residents significant rights over their personal information. These rights include the right to know what data businesses collect, the right to delete that data, the right to correct it, the right to opt out of its sale or sharing, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights.

Which businesses are generally exempt from CCPA?

Several types of organizations are generally outside the CCPA. These primarily include nonprofit organizations, government agencies, for-profit businesses that meet none of the revenue or data-processing thresholds, and insurance entities handling personal information under the California Insurance Information and Privacy Protection Act (IIPPA). Each of these has limits: a nonprofit or small company tied to a covered business through control, common branding, and shared data is covered along with it.

Does CCPA apply to all types of personal data?

No, the CCPA does not apply to all types of personal data. Certain categories are exempt, such as personal information from commercial conduct that takes place wholly outside California, federally regulated data like HIPAA-protected health information, GLBA-covered financial information, and FCRA consumer report data, vehicle warranty and recall information shared between dealers and manufacturers, clinical trial data, and properly deidentified or aggregated consumer information. The partial exemption for business-to-business contact data expired on January 1, 2023, so that data is now fully covered.

What are the thresholds for a for-profit business to be exempt from CCPA?

A for-profit business is covered by the CCPA if it meets any one of the following thresholds: annual gross revenue above $25 million (as adjusted for inflation by the CPPA); it annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; OR it derives 50% or more of its annual revenue from selling or sharing California consumers' personal information. It is exempt only if it meets none of them. These thresholds are evaluated annually.

How does the CCPA define "selling" personal information?

The CCPA defines "selling" personal information broadly: selling, renting, releasing, disclosing, transferring, or otherwise making a consumer's personal information available to a third party for monetary or other valuable consideration. The CPRA added "sharing," which covers disclosures for cross-context behavioral advertising whether or not anything of value is exchanged. This means activities like sharing data with partners or using certain third-party tracking technologies may be a sale or a share under the CCPA, and either one triggers the consumer's right to opt out.

If my business is exempt from CCPA, do I need to worry about any privacy regulations?

Yes, even if your business is exempt from CCPA, you may still need to comply with other privacy regulations. Depending on your operations, these could include federal laws like HIPAA (for health information), GLBA (for financial information), COPPA (for children's online privacy), industry-specific requirements, or other state privacy laws. It's also a good practice to adopt privacy best practices, as consumer expectations for data protection are high.

For the latest information on CCPA compliance and exemptions, visit the California Attorney General's CCPA page and the California Privacy Protection Agency's website, which publishes the current regulations and threshold adjustments.
