Exemptions and Limitations

The CCPA contains numerous exemptions that limit its application to specific types of information, entities, or activities. These exemptions reflect legislative intent to harmonize with federal law, avoid interfering with existing regulatory regimes, and prevent undue burden on legitimate business activities.

General Business Activity Exemptions (Section 1798.145(a))

Section 1798.145(a)(1) preserves a business's ability to engage in seven categories of activities:

(A) Legal Compliance

Businesses may comply with:

  • Federal, state, or local laws
  • Court orders or subpoenas to provide information

(B) Law Enforcement Cooperation

Businesses may comply with civil, criminal, or regulatory inquiries, investigations, subpoenas, or summons by federal, state, or local authorities.

Law Enforcement Hold Mechanism:

  • Law enforcement agencies may direct a business not to delete a consumer's personal information pursuant to a law enforcement agency-approved investigation with an active case number
  • Hold duration: 90 days from receipt of direction
  • Purpose: Allow time to obtain court-issued subpoena, order, or warrant
  • Extension: Additional 90-day periods for good cause and only to the extent necessary for investigatory purposes
  • Restriction: Business shall not use the consumer's personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant (unless deletion request is exempt under another provision)

(C) Voluntary Law Enforcement Cooperation

Businesses may cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

(D) Emergency Access to Personal Information

Businesses may cooperate with government agency requests for emergency access when a natural person is at risk or danger of death or serious physical injury, provided:

Requirements:

  • (I) Request is approved by a high-ranking agency officer for emergency access
  • (II) Request is based on the agency's good faith determination that it has a lawful basis to access the information on a nonemergency basis
  • (III) Agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted

Exception for Reproductive Healthcare (Section 1798.145(a)(1)(D)(ii)):

"A consumer accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services, shall not constitute a natural person being at risk or danger of death or serious physical injury."

This critical privacy protection ensures reproductive healthcare activities cannot be used as justification for emergency information requests.

(E) Exercise or Defend Legal Claims

Businesses may exercise or defend legal claims using personal information.

(F) Deidentified or Aggregate Information

Businesses may collect, use, retain, sell, share, or disclose:

  • Deidentified consumer information
  • Aggregate consumer information

(G) Wholly Out-of-State Commercial Conduct

Businesses may collect, sell, or share a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California.

Definition: Commercial conduct takes place wholly outside California if:

  • Business collected the information while the consumer was outside California, AND
  • No part of the sale of the consumer's personal information occurred in California, AND
  • No personal information collected while the consumer was in California is sold

Device Storage Exception: This does not prohibit storing personal information on a device when the consumer is in California, then collecting that information when the consumer and stored personal information is outside California.

Reproductive Healthcare Override (Section 1798.145(a)(2))

Section 1798.145(a)(2)(A):

"This subdivision shall not apply if the consumer's personal information contains information related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services."

This provision overrides the general business activity exemptions above when personal information relates to reproductive healthcare.

Exceptions to the Override:

  • (B) Does not alter use of aggregated or deidentified PI for business purposes (as defined in Sec. 1798.140(e)(1)-(5), (7)-(8)), provided information remains aggregated and deidentified and is not sold or shared
  • (C) Does not alter duty to preserve/retain evidence pursuant to California or federal law in ongoing civil proceedings

Evidentiary Privilege Exemption (Section 1798.145(b))

Business obligations under Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 do not apply where:

  • Compliance would violate an evidentiary privilege under California law, OR
  • The personal information is provided to a person covered by an evidentiary privilege as part of a privileged communication

This exemption protects attorney-client communications, doctor-patient confidentiality, and other legally recognized privileges.

Healthcare and Medical Information Exemptions

HIPAA and CMIA Exemption (Section 1798.145(c))

The CCPA does not apply to three categories of healthcare information:

(A) Medical Information/Protected Health Information
  • Description: Information governed by California's Confidentiality of Medical Information Act (CMIA), or protected health information collected by HIPAA covered entities or business associates
  • Governing law: CMIA, Cal. Civ. Code Part 2.6 (Sec. 56+); HIPAA, 45 CFR Parts 160 & 164

(B) Healthcare Providers
  • Description: Providers governed by CMIA or HIPAA covered entities, to the extent they maintain patient information in the same manner as medical information or protected health information
  • Governing law: Same as (A)

(C) Clinical Trials
  • Description: Personal information collected as part of clinical trials or biomedical research subject to, or conducted in accordance with, the Federal Policy for Protection of Human Subjects (Common Rule), ICH good clinical practice guidelines, or FDA human subject protection requirements
  • Governing law: 45 CFR Part 46 (Common Rule)

Condition for Clinical Trial Exemption: Information must not be sold or shared in a manner not permitted by this exemption. If use is inconsistent, participants must be informed and provide consent.

Definitions (Section 1798.145(c)(2)):

  • "Medical information" and "provider of health care" per Cal. Civ. Code Section 56.05
  • "Business associate," "covered entity," and "protected health information" per 45 CFR 160.103

Expanded Medical Information Exemption (Section 1798.146)

Section 1798.146, added by AB 713 (Stats. 2020, Ch. 172), provides additional healthcare exemptions:

(a)(1)-(3) Parallel exemptions to Section 1798.145(c) for HIPAA/CMIA covered information, healthcare providers, and business associates

(a)(4) Deidentified Patient Information:
Information that meets both conditions:

  • (i) Deidentified in accordance with 45 CFR 164.514 (HIPAA deidentification standard), AND
  • (ii) Derived from patient information originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, CMIA, or the Common Rule

Reidentification Consequence:

"Information that met the requirements of subparagraph (A) but is subsequently reidentified shall no longer be eligible for the exemption in this paragraph, and shall be subject to applicable federal and state data privacy and security laws, including, but not limited to, the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, and this title."

(a)(5) Research:
Information collected, used, or disclosed in research (as defined in 45 CFR 164.501), including clinical trials, conducted in accordance with:

  • 45 CFR Part 164 (HIPAA Privacy Rule)
  • Federal Policy for Protection of Human Subjects (Common Rule)
  • ICH good clinical practice guidelines
  • FDA human subject protection requirements

Reidentification Prohibitions (Section 1798.148)

Section 1798.148 prohibits reidentification of information exempted under Section 1798.146(a)(4) except for these purposes:

(1) Healthcare Operations
  • Description: Treatment, payment, or health care operations by a covered entity or a business associate acting on behalf of a covered entity
  • Governing standard: 45 CFR 164.501 definitions

(2) Public Health
  • Description: Public health activities or purposes
  • Governing standard: 45 CFR 164.512

(3) Research
  • Description: Research conducted in accordance with the Common Rule
  • Governing standard: 45 CFR Part 46

(4) Deidentification Testing
  • Description: Testing, analysis, or validation of deidentification or statistical techniques pursuant to contract
  • Governing standard: Contract must ban other use/disclosure and require return/destruction upon completion

(5) Legal Requirement
  • Description: When otherwise required by law
  • Governing standard: N/A

Consequence of Permitted Reidentification (Section 1798.148(b)):
Reidentified information becomes subject to HIPAA, CMIA, and the CCPA.

Contract Requirements (Section 1798.148(c)):
Effective January 1, 2021, contracts for sale or license of deidentified information under Section 1798.146(a)(4) where one party resides/does business in California must include:

  • (1) Statement that the information includes deidentified patient information
  • (2) Statement that reidentification is prohibited per Section 1798.148
  • (3) Requirement that purchaser/licensee may not further disclose to third parties unless third party is bound by same or stricter restrictions

Definition of "Reidentify" (Section 1798.148(d)):

"The process of reversal of deidentification techniques, including, but not limited to, the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage of any statistical method, contrivance, computer software, or other means that have the effect of associating deidentified information with a specific identifiable individual."

Financial Information Exemptions

Fair Credit Reporting Act (Section 1798.145(d))

The CCPA does not apply to activities involving collection, maintenance, disclosure, sale, communication, or use of personal information bearing on:

  • Creditworthiness
  • Credit standing
  • Credit capacity
  • Character
  • General reputation
  • Personal characteristics
  • Mode of living

By entities defined in the Fair Credit Reporting Act (FCRA):

  • Consumer reporting agencies (15 USC 1681a(f))
  • Furnishers of information (15 USC 1681s-2)
  • Users of consumer reports (15 USC 1681b)

Conditions:

  • (2) Applies only to the extent the activity is subject to regulation under the FCRA (15 USC 1681 et seq.) and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the FCRA
  • (3) Exception: This exemption does not apply to Section 1798.150 (private right of action for data breaches)

Gramm-Leach-Bliley Act (Section 1798.145(e))

The CCPA does not apply to personal information collected, processed, sold, or disclosed subject to:

  • Federal Gramm-Leach-Bliley Act (GLBA, Public Law 106-102) and implementing regulations
  • California Financial Information Privacy Act (Cal. Fin. Code Div. 1.4, Sec. 4050+)
  • Federal Farm Credit Act of 1971 (12 USC 2001-2279cc and 12 CFR 600+)

Exception: This exemption does not apply to Section 1798.150 (private right of action for data breaches)

Driver's Privacy Protection Act (Section 1798.145(f))

The CCPA does not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act of 1994 (18 USC 2721 et seq.).

Exception: This exemption does not apply to Section 1798.150 (private right of action for data breaches)

Vehicle and Vessel Warranty Information (Section 1798.145(g))

Section 1798.120 (opt-out of sale/sharing) does not apply to:

(1) Vehicle Information

  • Retained or shared between new motor vehicle dealer (Cal. Veh. Code Sec. 426) and vehicle manufacturer (Cal. Veh. Code Sec. 672)
  • For purpose of effectuating or anticipating vehicle repair covered by warranty or recall (49 USC 30118-30120)
  • Condition: Dealer or manufacturer does not sell, share, or use for any other purpose

"Vehicle information" defined (Section 1798.145(g)(3)(B)):
Vehicle information number, make, model, year, and odometer reading

"Ownership information" defined (Section 1798.145(g)(3)(A)):
Name(s) of registered owner(s) and contact information

(2) Vessel Information

  • Retained or shared between vessel dealer and vessel manufacturer (Cal. Harb. & Nav. Code Sec. 651)
  • For purpose of effectuating or anticipating vessel repair covered by warranty or recall (46 USC 4310)
  • Condition: Dealer or manufacturer does not sell, share, or use for any other purpose

"Vessel dealer" defined (Section 1798.145(g)(3)(C)):
Person engaged in business of selling, offering for sale, buying for resale, or exchanging vessels for money, profit, or value

"Vessel information" defined (Section 1798.145(g)(3)(D)):
Hull identification number, model, year, month/year of production, and equipment description for:

  • (i) Inboard engines
  • (ii) Outboard engines
  • (iii) Stern drive units
  • (iv) Inflatable personal flotation devices (46 CFR 160.076)

Consumer Request Extensions and Limitations (Section 1798.145(h))

(1) Extension of Response Time

  • Response time may be extended by up to 90 additional days (total) where necessary due to complexity and number of requests
  • Business must inform consumer within 45 days of receipt, with reasons for delay

(2) Refusal to Act

  • If business does not take action, must inform consumer without delay and within permitted response time
  • Must provide reasons for not taking action
  • Must inform consumer of any rights to appeal to the business

(3) Manifestly Unfounded or Excessive Requests

Business may either:

  • Charge a reasonable fee (taking into account administrative costs), OR
  • Refuse to act on the request and notify consumer of reason

Burden of proof: Business must demonstrate the verifiable consumer request is manifestly unfounded or excessive, particularly due to repetitive character.

Service Provider and Contractor Liability (Section 1798.145(i))

(1) Service Provider/Contractor Violations

  • Business disclosing PI to service provider/contractor in CCPA compliance is not liable if service provider/contractor violates restrictions
  • Condition: At time of disclosure, business does not have actual knowledge or reason to believe service provider/contractor intends to commit violation
  • Service provider/contractor is liable for its own CCPA violations

(2) Third Party Violations

  • Business disclosing PI to third party pursuant to written contract requiring same level of consumer protection is not liable if third party violates restrictions
  • Condition: At time of disclosure, business does not have actual knowledge or reason to believe third party intends to commit violation
  • Exclusions from this protection: Consumers who have:
    • Exercised right to opt out of sale/sharing
    • Limited use/disclosure of sensitive PI
    • Not opted in (for minors)

Business Retention and Maintenance Requirements (Section 1798.145(j))

The CCPA shall not be construed to require a business, service provider, or contractor to:

  • (1) Reidentification: Reidentify or link information not maintained as personal information in the ordinary course of business
  • (2) Retention: Retain any personal information about a consumer if that information would not be retained in the ordinary course of business
  • (3) Identifiable Maintenance: Maintain information in identifiable, linkable, or associable form, or collect/obtain/retain/access data or technology to enable linking verifiable consumer requests with personal information

This exemption prevents the CCPA from forcing businesses to create new data systems solely to comply with consumer requests.

Other Natural Persons' Rights (Section 1798.145(k))

Consumer rights and business obligations shall not adversely affect the rights and freedoms of other natural persons.

Limitations on consumer requests:

  • Verifiable consumer requests for specific pieces of PI (Sec. 1798.110), deletion (Sec. 1798.105), or correction (Sec. 1798.106) do not extend to personal information about the consumer that belongs to or is maintained on behalf of another natural person

Business reliance:

  • May rely on representations in verifiable consumer requests regarding rights to PI
  • Under no legal requirement to seek out other persons with claims to the information
  • Under no legal obligation to take action in event of dispute between persons claiming rights to PI in business's possession

Noncommercial Activities (Section 1798.145(l))

The CCPA does not apply to the extent it would infringe on noncommercial activities of a person or entity described in Article I, Section 2(b) of the California Constitution (freedom of speech and press).

This exemption protects First Amendment activities such as journalism, academic research, and artistic expression.

Employment Relationship Exemption (Section 1798.145(m)) [INOPERATIVE]

Status: Became inoperative January 1, 2023 per Section 1798.145(m)(4)

This exemption previously covered:

  • (A) Personal information collected about natural persons acting as job applicants, employees, owners, directors, officers, medical staff members, or independent contractors in that capacity
  • (B) Emergency contact information of such persons
  • (C) Personal information necessary to administer benefits for another natural person relating to such persons

Exceptions that remain operative: This exemption did not apply to Section 1798.100(a) or Section 1798.150.

Business-to-Business Communications Exemption (Section 1798.145(n)) [INOPERATIVE]

Status: Became inoperative January 1, 2023 per Section 1798.145(n)(3)

This exemption previously exempted obligations under Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 for:

  • Personal information reflecting written or verbal communication or transaction between business and consumer
  • Where consumer is a natural person acting as employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency
  • Where communications/transactions occur solely within context of the business conducting due diligence or providing/receiving product or service to/from such entity

Commercial Credit Reporting (Section 1798.145(o))

Sections 1798.105 (deletion) and 1798.120 (opt-out of sale) do not apply to a commercial credit reporting agency's collection, processing, sale, or disclosure of business controller information to the extent the agency uses it solely to:

  • Identify the relationship of a consumer to a business the consumer owns, OR
  • Contact the consumer only in the consumer's role as owner, director, officer, or management employee

"Business controller information" defined (Section 1798.145(o)(2)(A)):

  • Name(s) of owner(s), director, officer, or management employee of a business
  • Contact information, including business title, for such persons

"Commercial credit reporting agency" defined: Per Cal. Civ. Code Section 1785.42(b)

"Owner," "Director," "Officer," "Management employee" defined: See Section 1798.145(o)(2)(C)-(F)

Household Data Exemption (Section 1798.145(p))

Business obligations under Sections 1798.105, 1798.106, 1798.110, and 1798.115 do not apply to household data.

Student Educational Records (Section 1798.145(q))

(1) Grades and Educational Scores

CCPA does not require a business to comply with deletion requests (Sec. 1798.105) for:

  • Student's grades, educational scores, or educational test results
  • That the business holds on behalf of a local educational agency (Cal. Ed. Code Sec. 49073.1(d))
  • Where the student is currently enrolled at that LEA

Notification requirement: If business relies on this exception, must notify consumer.

(2) Educational Assessment Responses

CCPA does not require a business to disclose (in response to Sec. 1798.110 access request):

  • Educational standardized assessment or educational assessment itself, OR
  • Consumer's specific responses to such assessments

Condition: Applies only where the consumer's access, possession, or control would jeopardize the validity and reliability of the assessment.

Notification requirement: If business relies on this exception, must notify consumer.

"Educational standardized assessment or educational assessment" defined (Section 1798.145(q)(3)(A)):
Standardized or nonstandardized quiz, test, or other assessment to evaluate students in/for entry to:

  • K-12 schools
  • Postsecondary institutions (accredited)
  • Vocational programs (accredited)
  • Postgraduate programs (accredited)
  • Certification and licensure examinations for government certification

"Jeopardize validity and reliability" defined (Section 1798.145(q)(3)(B)):
Releasing information that would provide an advantage to the consumer or another natural person.

Physical Item Production (Section 1798.145(r))

Sections 1798.105 (deletion) and 1798.120 (opt-out) do not apply to a business's use, disclosure, or sale of particular pieces of PI if:

Conditions:

  • (1) Consumer has consented to use/disclosure/sale to produce a physical item (e.g., school yearbook with consumer's photograph)
  • (2) Business has incurred significant expense in reliance on consent
  • (3) Compliance with deletion or opt-out request would not be commercially reasonable
  • (4) Business complies with request as soon as commercially reasonable

This exemption prevents disruption of long-lead production processes like yearbook printing.

Exemption Summary Table

HIPAA/CMIA (1798.145(c), 1798.146)
  • Applies to: Medical information, protected health information, clinical trials
  • Does NOT apply to: N/A
  • Status: Active

FCRA (1798.145(d))
  • Applies to: Credit reporting activities
  • Does NOT apply to: Section 1798.150 (data breach)
  • Status: Active

GLBA (1798.145(e))
  • Applies to: Financial information subject to GLBA/CFIPA/Farm Credit Act
  • Does NOT apply to: Section 1798.150 (data breach)
  • Status: Active

DPPA (1798.145(f))
  • Applies to: Driver information under DPPA
  • Does NOT apply to: Section 1798.150 (data breach)
  • Status: Active

Vehicle/Vessel Warranty (1798.145(g))
  • Applies to: Section 1798.120 only (warranty repairs)
  • Does NOT apply to: All other CCPA sections
  • Status: Active

Employment (1798.145(m))
  • Applies to: HR/employment data
  • Does NOT apply to: Sections 1798.100(a), 1798.150
  • Status: Inoperative 2023

B2B Communications (1798.145(n))
  • Applies to: Business contact data in B2B context
  • Does NOT apply to: N/A
  • Status: Inoperative 2023

Commercial Credit (1798.145(o))
  • Applies to: Sections 1798.105, 1798.120 (business controller info)
  • Does NOT apply to: All other CCPA sections
  • Status: Active

Household Data (1798.145(p))
  • Applies to: Sections 1798.105, 1798.106, 1798.110, 1798.115
  • Does NOT apply to: All other CCPA sections
  • Status: Active

Student Records (1798.145(q))
  • Applies to: Deletion of grades, disclosure of assessments
  • Does NOT apply to: All other CCPA sections
  • Status: Active

Yearbooks (1798.145(r))
  • Applies to: Sections 1798.105, 1798.120 (physical item production)
  • Does NOT apply to: All other CCPA sections
  • Status: Active

For enforcement authority and penalties, see /enforcement-and-penalties/penalties-and-damages.