December 9, 2022

CPRA Exemptions

The California Privacy Rights Act (CPRA) exemptions align with those of the California Consumer Privacy Act (CCPA). The requirements of the two laws complement each other, and so do the exemptions. Learn about the CPRA Exemptions here.

The California Privacy Rights Act (CPRA) explicitly lists the CPRA requirements for businesses. Code Section 1798.145 also explicitly lists the exemptions to the law (CPRA Full Text Summary).

The CPRA exemptions align with those of the California Consumer Privacy Act (CCPA). The requirements of the two laws complement each other, and so do the exemptions.

Section 1798.145 is a very long article in legalese and requires a significant effort by the business owner to read it and understand it well, not to mention implement it. In this article, we broke it down into little pieces and grouped them into groups to allow you to understand it better.

We grouped the existing CPRA exemptions into:

Applicability of the CPRA

CPRA does not apply to:

  • Deidentified information. Personal information is de-identified if it cannot be reasonably connected to an individual or household. Such information is exempt from CPRA as long as the business:
    - Takes reasonable measures to ensure that the information cannot identify a consumer or household,
    - Publicly commits to maintain and use the information de-identified and not to attempt to reidentify the information, except to determine whether its deidentification processes satisfy the requirements of this exemption, and
    - Contractually obligates any recipients of the information to comply with this exemption.
  • Aggregate information. CPRA defines aggregate information as “information that relates to a group or category of consumers, from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer or household, including via a device.” In most cases, aggregate information will be statistical information in some form where the consumers cannot be identified, such as website visit analytics data provided by a privacy-friendly tool.
  • Personal information collected, shared, or sold wholly outside of California. Three criteria must be met for the commercial conduct to be wholly outside of California:
    - The business collected that information while the consumer was outside of California
    - No part of the sale of the consumer’s personal information occurred in California, and
    - No personal information collected while the consumer was in California is sold.
  • If the business stores the personal information while the consumer is in California, but collects it while they are outside, the commercial activity is still considered wholly outside of California.

Compliance with Law Enforcement

The CPRA does not apply where compliance with the CPRA interferes with an investigation or compliance with other federal, state, or local laws. Whenever the CPRA stands in the way of law enforcement, it doesn’t apply.

As a result, CPRA does not apply where:

  • The business must comply with federal laws, state laws, or local laws or comply with a court order or subpoena to provide information.
  • Comply with criminal investigation requirements. A government agency or a law enforcement body can order the business to retain a consumer’s personal information even if the consumer has submitted a deletion request. You’ll have to retain the information for a 90-day period, which could be extended for additional 90 days. You must not use such information for any other purpose while retaining it.
  • Cooperate with enforcement bodies regarding processing activities that may constitute violations of federal, state, or local laws. You must cooperate regarding any alleged violation by you, service providers, or other third parties.
  • Exercising or defending legal claims
  • Cooperate with a government agency request for emergency access to a consumer’s personal information if the person’s life or health is in danger. Such a request must meet all of the following criteria:
    - Approved by a high-ranking agency officer,
    - Based on the agency’s good faith that it has a lawful basis to access the information on a nonemergency basis, and
    - The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.

Activities Regulated by Other Laws

The CPRA and CCPA were not enacted to interfere with what was already governed by other laws. Some industry sectors, such as finance and health, have already been subject to data privacy provisions.

That’s why some activities are exempt from the CPRA scope. These include:

  • Medical information governed by the Confidentiality of Medical Information Act or protected health information governed by the data privacy rules issued by the United States Department of Health and Human Service established pursuant to the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act. This provision excludes personal information in health files and other medical information.
  • A provider of health care governed by the Confidentiality of Medical Information Act or other entities handling medical information as described above is also exempt.
  • Personal information is collected as part of a clinical trial or other biomedical research studies as long as the information is not sold or shared against the applicable laws and the participants is informed of that use and provide consent.
  • Personal information used for the determination of a consumer’s creditworthiness by an information furnisher who provides information for use in a consumer report under the Fair Credit Reporting Act
  • Personal information collected, processed, sold, or disclosed under the federal Gramm-Leach-Bliley Act. This law requires companies that offer consumer financial services, such as loans, investment advice, or insurance, to inform consumers about how they share their sensitive personal information. That’s regulated by this act; hence the CPRA does not apply.
  • Personal information collected under the California Financial Information Privacy Act or the federal Farm Credit Act of 1971, both of which protect financial information.
  • Personal information under the scope of the Driver’s Privacy Protection Act of 1994, which already prohibits disclosing personal information derived from a personal vehicle. In addition, the right to opt-out does not apply in cases where the share of information is necessary for repairing a vehicle covered by a warranty, as long as the information is not sold or shared for another purpose.
  • Personal information is processed by a commercial credit reporting agency as long as the agency uses the information solely to identify the consumer’s relationship to a business that the consumer owns or contact the consumer only in the consumer’s role as the owner or a similar role related to the business.
  • Personal information that is under an evidentiary privilege under California law, such as the physician-patient relationship or attorney-client relationship.

Consumer Rights and Requests

All the exemptions applying to CPRA, in general, also apply to consumer requests. However, it starts with some clarifications related to consumer requests. The business:

  • Must verify requester’s identity,
  • Must respond within the deadline,
  • Must inform the consumer in the case of a delay
  • It does not have to respond to excessive or unfounded consumer requests that interfere with the ordinary course of business or could charge a reasonable fee to respond to the request, and
  • It can refuse a request that would

In addition, household data is exempt from the CPRA's rights to delete, correct, know, and access.

Personal data related to educational grades, standardized tests, or similar educational assessments are exempt from the right to delete. People don't have the right to delete or opt out of having their personal information in physical items, like the school yearbook.

Business-to-Business Relationships

In the business-service provider relationship, liability for each other’s violations of the CPRA is exempt. The business is not liable for the violations of the service provider about their data, and the service provider is not liable for the violations of the business either. The exemption does not apply to the personal information of consumers who have opted out of or limited the sale or sharing of their data or minors’ data.

In addition, the service provider is not obliged to retain personal information obtained by a business for longer than necessary.

Employee Personal Information - Inoperative from 1 January 2023

Personal information processed in an employment context is exempt from the CPRA until 1 January 2023. Personal information is exempt from the CPRA's scope.

  • Personal information of job applicants, employees, independent contractors, directors, officers, medical staff members, or business owners in an employment context
  • The information necessary to administer benefits to these natural persons, and
  • The emergency contacts of these persons.

In addition, CPRA explicitly exempts itself from applying to business communications or transactions where employees, non-profits, government agencies, or businesses are involved in conducting due diligence about a product or a service.

Starting from 1 January 2023, these exemptions will cease to apply.

How to Comply with the CPRA?

We have a comprehensive guide on CPRA requirements available at this link, where you can get familiar with what you need to do.

The effective date of CPRA is 1 January 2023, but it has a lookback period from 1 January 2022, so you have to consider that as well.

The California Privacy Protection Agency (CPPA) and the California Attorney General may add a few more exemptions to the law through the CPRA regulations, so you should be prepared to adjust along the way. As you may have noticed, CPRA does not exempt certain parts of the law from enforcement, such as information security, data breaches, data retention, or privacy notices. You should comply with these provisions as soon as you can.

Your CPRA compliance program shall rely on all the applicable privacy laws of the Golden State, such as CalOPPA, CCPA, and CPRA, as well as the California constitution. These laws are not as strict as the EU GDPR, for example, but that doesn’t mean that you shouldn't be aware of the requirements and the enforcement efforts of California law enforcement agencies.

Schedule a call to learn more