FAQ: Does My Business Qualify for One of the CCPA’s Exceptions?

Not every business must comply with the California Consumer Privacy Act (CCPA): It only seems that way. A sweeping state privacy law aimed at protecting California residents’ personal data, the CCPA applies to for-profit businesses anywhere in the U.S. that meet certain criteria. 

Those criteria are:

  • The business is a for-profit enterprise.
  • It does business in California or with Californians.
  • It meets one or more of these thresholds:
    • Receives more than $25 million in annual gross revenues
    • Annually buys, receives for a commercial purpose, sells, or shares the personal information of 50,000 or more California residents (“consumers”), households or devices
    • Derives 50 percent or more of its yearly revenues from selling consumers’ personal information

You need not worry about complying with the CCPA if yours is a smaller business with less than $25 million in annual revenue and you don’t handle 50,000 Californians’ personal information or derive half your income from selling that consumer information. 

Even if your business must comply with the CCPA, there may be instances when you’re exempt. The CCPA cannot restrict a business’s ability to:

  1. Comply with certain federal, state, or local laws
  2. Comply with certain types of investigation
  3. Cooperate with law enforcement regarding activities that may be illegal
  4. Make or defend legal claims
  5. Process, sell, or share de-identified information or aggregate data
  6. Collect personal information from transactions and consumers outside California

Which kinds of data are exempt?

Certain kinds of data are exempt from CCPA regulation:

  1. Certain types of medical information collected by a “covered entity” such as a health care provider or hospital per the Health Information Privacy Protection Act (HIPAA)
  2. Data collected in clinical trials
  3. Data used to generate a consumer report
  4. Certain kind of financial information collected in accordance with California’s Gramm-Leach-Bliley Act (GLBA)
  5. Data collected, processed, sold, or disclosed under the California Driver’s Privacy Protection Act of 1994

Consumers cannot opt out of having their information shared if doing so serves a “business purpose,” meaning that it is being used for the business’s or a service provider’s “operational purposes.”

CCPA deletion exceptions

The CCPA grants consumers many new rights, similar to the European Union’s General Data Protection Regulation (GDPR). For instance, just as the GDPR stipulates that a “data subject” owns their data, the CCPA stipulates the consumer’s right to ownership of their personal information. 

  • It establishes the consumer’s right to opt out of having their information sold or shared via a “Do Not Sell” button or link on the home page of a business’s website.
  • It provides a right to “portability” of personal information, requiring businesses to honor consumer requests to view their data.
  • It provides a “private right of action” under which consumers can sue a business for statutory damages if their information is accessed in a data breach. Alternatively, for general violations of the law, the California attorney general may prosecute and levy a civil penalty.
  • It allows consumers to make a deletion request (the so called “right to be forgotten”). However, data does not have to be deleted if it’s necessary to:
    • Complete the transaction for which the data was collected; provide goods or services requested by the consumer, or perform a contract between the business and consumer
    • Detect security incidents or protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for it
    • Identify and repair errors
    • Exercise or ensure free speech or another right granted by law
    • Comply with certain laws or legal obligations
    • Enable the business to meet certain consumer needs or expectations
    • Conduct or produce certain research, including academic research