
CCPA fundamentals (or CCPA 101): What are the exemptions from CCPA, and what are my business’s obligations?

Type: Blog
Topic: Compliance

What are the exemptions from CCPA, and what are my business’s obligations?

The CCPA does provide for certain processing activities that are exempt from the CCPA requirements. Businesses should take a conservative approach when analyzing whether these exemptions apply. It is recommended that the organization formally document any processing activities involving California personal data that meet one of the exemptions below, outlining why the business is not subject to the requirements of the CCPA for that activity.

Specifically, the CCPA shall not restrict a business’s ability to:

  • Comply with federal, state, or local laws
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities
  • Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law
  • Exercise or defend legal claims
  • Collect, use, retain, sell, or disclose consumer information that is deidentified or aggregate consumer information
  • Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California
    • For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph does not permit a business to store, including on a device, personal information about a consumer while the consumer is in California and then collect that personal information once the consumer and the stored personal information are outside of California.

Further, the CCPA provides for various exemptions to personal data collected related to the following:

  • Personal information protected under the Health Insurance Portability and Accountability Act (HIPAA)
  • Personal information collected by entities governed by the Confidentiality of Medical Information Act
  • The sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report and use of that information is limited by the federal Fair Credit Reporting Act
  • Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act
  • Personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994

What are the obligations if the CCPA applies to your business?

Notice Requirements:
As mentioned previously, the CCPA is based on three principles: transparency, accountability, and control. In order to meet the “transparency” principle, businesses must comply with the notice requirements included in the CCPA. Transparency has become a common feature of recent data protection laws, since the main goal of data protection is to give consumers more power and control over when and how their personal data is used. Transparency is key to providing consumers with this control.

Under the CCPA, businesses must provide the following notice disclosures within their privacy policies:

  • Categories of personal information collected
  • Purposes for which the personal information will be processed
  • Categories of third-party recipients of the data
  • The right to know what personal information is collected
  • The right to know whether their personal information is sold or disclosed and to whom
  • The right to opt-out of the sale of their personal information
  • The right to access their personal information
  • The right to request the deletion of their personal information
  • The right to equal service and price, regardless of whether they exercise their privacy rights
  • Two or more designated methods for submitting requests for information, including a toll-free number and a web page
  • A link to a page titled “Do Not Sell My Personal Information” that allows consumers to opt out of the sale of their personal data

The privacy policy should be regularly reviewed and updated upon any change in data collection and processing activities to ensure compliance with the CCPA principles. At a minimum, the policy should be reviewed annually. These notices should be provided whenever consumers’ personal data is collected or, if the data is collected indirectly, within a reasonable timeframe after collection. Failure to provide these disclosures will erode consumer trust and could lead to violations of the CCPA. The notice requirements are a cornerstone of the CCPA and should be met transparently. Consumers can easily check an organization’s privacy policy to gauge its CCPA readiness, so this should be a priority for every organization to which the CCPA applies.

This blog is part of an educational series that will explain the fundamentals of California’s upcoming data protection act, CCPA – who it impacts, how to comply, and more. Follow along as our expert team breaks down the complexities of CCPA.


Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.
