USA - California: Sectoral Exceptions Regulated by Other Laws
The California Consumer Privacy Act (CCPA) incorporates several sectoral exceptions to ensure that entities already regulated by other stringent data protection laws are not subject to overlapping compliance requirements. These exceptions help maintain a streamlined regulatory environment for specific industries.
Text of Relevant Provisions
CCPA 1798.145(g)(1):
"(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose."
CCPA 1798.145(g)(2):
"(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessel’s manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose."
CCPA 1798.145(f):
"(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150."
CCPA 1798.145(e):
"(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150."
CCPA 1798.145(d)(1):
"(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision."
CCPA 1798.145(d)(2):
"(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act."
CCPA 1798.145(c)(1)(C):
"(c) (1) This title shall not apply to any of the following: (C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent."
CCPA 1798.145(c)(1)(B):
"(c) (1) This title shall not apply to any of the following: (B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section."
CCPA 1798.145(c)(1)(A):
"(c) (1) This title shall not apply to any of the following: (A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5)."
CCPA 1798.145(b):
"(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication."
Analysis of Provisions
The CCPA includes several sectoral exceptions that limit the law’s applicability to specific types of data processing activities. These exceptions are designed to prevent duplicative regulation and ensure that entities already subject to stringent data protection standards under other laws are not burdened with additional compliance requirements under the CCPA.
Vehicle and Vessel Information:
Section 1798.120 of the CCPA does not apply to vehicle or vessel information shared between dealers and manufacturers if the information is shared for warranty repair or recall purposes and is not sold, shared, or used for any other purpose. This is specified in CCPA 1798.145(g)(1) and (g)(2):
"Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer ... and the vehicle’s manufacturer ... if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall ... provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose."
Financial Data:
Personal information collected, processed, sold, or disclosed subject to the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, or the federal Farm Credit Act is exempt from the CCPA, except that the exemption does not extend to Section 1798.150, as specified in CCPA 1798.145(e):
"This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act ..., or the California Financial Information Privacy Act ..., or the federal Farm Credit Act of 1971 ..."
Medical and Health Information:
The CCPA exempts medical information governed by the Confidentiality of Medical Information Act or protected health information under HIPAA, as stated in CCPA 1798.145(c)(1)(A) and (B):
"This title shall not apply to ... (A) Medical information governed by the Confidentiality of Medical Information Act ... or protected health information ... under HIPAA ... (B) A provider of health care governed by the Confidentiality of Medical Information Act ... or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services ..."
Research Data:
Personal information collected as part of clinical trials or biomedical research subject to the Common Rule is exempt from the CCPA as per CCPA 1798.145(c)(1)(C):
"This title shall not apply to ... (C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Common Rule ..."
Credit Reporting Information:
Activities involving the collection, maintenance, disclosure, sale, or use of personal information by consumer reporting agencies regulated under the Fair Credit Reporting Act are exempt from the CCPA, as detailed in CCPA 1798.145(d)(1) and (2):
"This title shall not apply to ... (1) an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information ... by a consumer reporting agency ... (2) Paragraph (1) shall apply only to the extent that such activity ... is subject to regulation under the Fair Credit Reporting Act ..."
Evidentiary Privilege:
The obligations the CCPA imposes on businesses do not apply where compliance would violate an evidentiary privilege under California law, as stated in CCPA 1798.145(b):
"The obligations imposed on businesses ... shall not apply where compliance ... would violate an evidentiary privilege under California law ..."
Implications
For businesses operating in California, these sectoral exceptions mean that:
- Automotive and Maritime Industries: Dealers and manufacturers can share vehicle and vessel information for warranty and recall purposes without additional CCPA compliance, provided the information is not used for other purposes.
- Financial Institutions: Entities subject to the Gramm-Leach-Bliley Act, California Financial Information Privacy Act, or federal Farm Credit Act are exempt from CCPA compliance for covered activities.
- Healthcare Providers: Medical information governed by HIPAA or the Confidentiality of Medical Information Act is exempt from the CCPA, reducing the regulatory burden on healthcare providers.
- Research Institutions: Data collected as part of clinical trials or biomedical research is exempt from the CCPA, allowing research activities to continue without additional compliance requirements.
- Credit Reporting Agencies: Activities regulated under the Fair Credit Reporting Act are exempt from the CCPA, ensuring that credit reporting processes are not disrupted by additional state-level requirements.
- Legal Privileges: Businesses can avoid CCPA compliance where it would violate evidentiary privileges under California law, ensuring that privileged communications are protected.
These exemptions help to streamline compliance and reduce regulatory burdens on specific industries, ensuring that data protection efforts are focused where they are most needed.