Exemptions to the California Privacy Rights Act (CPRA)
There are some organizations and types of information that are exempt from compliance with CPRA. In this chapter we will take a brief look at some of these unique situations and what information is considered to be exempt.
Organizations and Information Exempt from CPRA
There are certain organizations and types of information that are exempt from compliance with CPRA law. Organizations that do not collect personal information from California residents are exempt. Financial information that is collected according to the California Financial Information Privacy Act (CalFIPA) or the Gramm-Leach-Bliley Act (GLBA) is also exempt, as well as consumer reporting information that is also subject to the Fair Credit Reporting Act (FCRA).
Healthcare Information Exempt from the CPRA
Personal health information (PHI) collected by a covered entity or business associate as defined by the Health Insurance Portability and Accountability Act (HIPAA) is exempt; however, any information that is not considered PHI will be subject to CPRA. Clinical trial data and information covered under the Federal Policy for the Protection of Human Subjects are also exempt.
While many nonprofit organizations are exempt from CPRA, there are cases where a nonprofit would fall under the scope of the law. A nonprofit may be required to comply with CPRA if it meets any of the following guidelines:
- If a nonprofit engages in commercial activity, its revenue-generating activities may be required to be CPRA compliant, or if the nonprofit enters into a joint venture with a for-profit company, both may need to evaluate whether or not the venture will require CPRA compliance.
- If the nonprofit has contractual relationships with for-profit entities, CPRA may also require subsidiaries of the for-profit company to comply with CPRA, and that would include nonprofit organizations.
- If a nonprofit has a for-profit subsidiary, it would need to ensure that the data collected by that subsidiary was CPRA compliant.
CPRA Exempt Information
The following information may be exempt from CPRA law. If you think your organization or certain types of data collected are exempt from CPRA, it is best to consult a legal expert to ensure compliance with the law.
Here are some myths to look out for:
- Clinical trial data and information covered under the Federal Policy for the Protection of Human Subjects
- Financial information collected according to CalFIPA or GLBA
- Personal health information (PHI) collected under HIPAA
- Consumer reporting information subject to the FCRA
- Certain types of driver information data
The most comprehensive CPRA training available for employers & employees
The purpose of EasyLlama’s CPRA course is to educate staff members on the collection, utilization, and sharing of data in accordance with regulations, so that protecting customer information can be achieved more effectively. Additionally, interactive quizzes and simulated scenarios will help increase understanding and make compliance management more convenient.
Any organization that gathers personal data from California residents can benefit from this course. The purpose is to educate employees to understand the regulations that govern how data is gathered, utilized, and shared in order to better advise them in protecting consumer data. The course covers: