The factor "Exceptions for Processing Regulated by Other Laws" means that certain data protection laws exempt specific types of data processing activities or entities from their scope when such activities or entities are already regulated by other specialized laws or regulations. This approach aims to avoid regulatory overlap and potential conflicts between different legal frameworks.

Virginia Consumer Data Protection Act (VCDPA)

VCDPA § 59.1-576(C)(4)

"The following information and data is exempt from this chapter: [...] 4. Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; [...]"

Key points:

• Exempts identifiable private information used in human subjects research
• Specifically references federal regulations (45 C.F.R. Part 46) governing human subject protection
• Includes exemptions for clinical trials and pharmaceutical research

Montana Consumer Data Protection Act (MCDPA)

MCDPA Sec. 4(2)(m)

"Information and data exempt from [sections 1 through 12] include: [...] (m) personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g, et seq., as amended;"

Key points:

• Exempts personal data already regulated by FERPA
• Recognizes the primacy of federal education privacy laws
• Avoids duplicative regulation of educational institutions

Oregon Consumer Data Protection Act (Oregon CDPA)

Oregon CDPA Sec. 2(2)(k)(C)

"Sections 1 to 9 of this 2023 Act do not apply to: [...] (k) Information collected, processed, sold or disclosed under and in accordance with the following federal laws, all as in effect on the effective date of this 2023 Act: [...] (C) The Family Educational Rights and Privacy Act, 20 U.S.C. 1232g and regulations adopted to implement that Act; and"

Key points:

• Similar to Montana's approach, exempts FERPA-regulated data
• Specifies that the exemption applies to the federal law as of the Act's effective date
• Includes regulations implementing FERPA in the exemption

Oregon CDPA Sec. 2(2)(j)(A)

"Sections 1 to 9 of this 2023 Act do not apply to: [...] (j) Any activity that involves collecting, maintaining, disclosing, selling, communicating or using information for the purpose of evaluating a consumer's creditworthiness [...] if done strictly in accordance with the provisions of the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., as in effect on the effective date of this 2023 Act, by: (A) A consumer reporting agency, as defined in 15 U.S.C. 1681a(f), as in effect on the effective date of this 2023 Act;"

Key points:

• Exempts activities regulated by the Fair Credit Reporting Act (FCRA)
• Applies specifically to consumer reporting agencies
• Requires strict compliance with FCRA to qualify for the exemption

Uruguay Law on the Protection of Personal Data (LPPD)

LPPD № 18.331 Art. 3(2C)

"It shall not apply to the following databases: [...] C) Databases created and regulated by special laws."

Key points:

• Broad exemption for databases regulated by special laws
• Recognizes the primacy of sector-specific regulations
• Allows for flexibility in addressing unique data protection needs in different sectors

California Consumer Privacy Act (CCPA)

CCPA 1798.145(c)(1)(C)

"This title shall not apply to any of the following: [...] (C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, [...]"

Key points:

• Exempts personal information collected in clinical trials and biomedical research
• References the Common Rule and FDA human subject protection requirements
• Includes conditions for the exemption, such as not selling or sharing data inconsistently with the exemption