California Privacy Rights Act Exemptions – Explained

California Privacy Rights Act (CPRA) will be one of the most comprehensive and strict state privacy laws in the US. The legislation will come into effect on January 1, 2023, empowering consumers with added privacy protection rights and responsibilities for covered businesses.

However, certain entities and certain data or data processing activities which comply with other US Federal or State laws or the use of personal information for certain purposes are exempt from the application of the CPRA.

Wholly Outside of California Exemption

The provisions of the CPRA do not apply to the collection, sharing, and selling of personal information if the commercial activity of the personal information is wholly conducted outside California.

Conducting business outside of California entails that:

• the personal information of the consumer was collected by the business when the consumer was outside of California,
• no part of the sale of personal data took place within California, and no information collected is sold whilst the consumer is in California.
• Nothing prevents a business from storing a consumer's personal data, including on a device, while he/she is in California and subsequently collecting that data while the consumer and his/her stored data are outside of California.

Criminal or Legal Investigation & Evidentiary Purposes

Businesses are exempted from the restrictions of collecting, storing, and sharing the personal information of consumers if they are required to comply with a criminal, civil, or regulatory investigation. In fact, businesses must cooperate with law enforcement agencies if it is believed that the business, service provider, or third party may be in violation of federal, state, or local law.

Additionally, businesses are also exempted from disclosing a consumer’s personal information to a person who is entitled to an evidentiary privilege under California law as part of a privileged communication.

Furthermore, under section 1798.145 of the CPRA, the legislation shall not limit a business’s ability to:

• Comply with any local law or state, or federal law;
• Comply with any court order or subpoena to provide personal information; and
• Exercise of defending legal claims.

Law enforcement agencies can further direct businesses not to delete the personal information of any consumer - even if the consumer has requested - pursuant to any law enforcement-approved investigation having an active case number.

After receiving such direction, businesses are required to retain the information for up to 90 days, giving agencies enough time to obtain a subpoena, a warrant, or a court order to obtain the personal information of the consumer.

The 90-day period may be extended by additional 90 days at the request of the law enforcement agency if necessary for the investigative procedure. Businesses must ensure that the concerned information may not be used for any other purpose than the said investigation.

Businesses are further exempted from obliging with the following consumers' rights:

• right to know what and to whom personal information is shared and sold,
• right to limit use and disclosure and methods relating to limiting sharing and disclosure of sensitive personal information,
• right to disclosure, correction, and deletion requirement.

Access Request by Government Agencies

Businesses must entertain access requests for consumer personal data by government agencies for the purpose of the safety of a natural person. During an emergency situation that involves serious risk, physical injury, or danger of death of any natural person, businesses can share information with a government agency, providing that:

• The personal information access request is approved by a high-ranking officer.
• The request is based on the “agency’s good faith determination” and has a “lawful basis.”
• The agency agrees to petition a court for an order and destroys the information if the order is not granted.

Deidentified or Aggregated Data

As per CPRA Section 1798.145(a)(6), businesses that collect, retain, share, or sell the “deidentified” or “aggregated” personal information of consumers are exempt from the CPRA. However, it is critical for businesses to understand what type of personal information CPRA deems as deidentified or aggregated consumer information.

Deidentified

As per Section 1798.140(m), deidentified information is the one which cannot reasonably be linked to, or used to infer information about, a specific consumer, provided that the business:

• Ensures that they do not reidentify the information,
• Establishes strict technical security measures that prohibit reidentification,
• Implements processes that prohibit specific reidentification or release of deidentified information.

Aggregated Consumer Information

CPRA Section 1798.140(b) defines aggregated information as any piece of information that is associated with a group of individuals or a category of individuals whose information has been de-identified, which means that all identifiers have been removed from their information that could be linked or likely be linked, describe, relate to or directly/ indirectly identify that particular individuals consumer.

Unfounded or Excessive Exercise of Individual Privacy Rights

Businesses are exempted from honoring a consumer’s privacy right if it deems that the request is “manifestly unfounded” or “excessive” under CPRA Section 1798.145(h)(3). Should a business refuse to act to a consumer’s right, it should be responsible for providing any evidence or reasonable justification that the request is manifestly unfounded or excessive.

If a business deems to honor any privacy right which is manifestly unfounded or excessive, it may “either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking action requested.”

If a business does not take any action against a consumer’s privacy right, it should inform the consumer about the delay within the provided time period, which is 90 days, along with a reasonable justification regarding the delay.

Violations by Service Providers

Businesses that disclose consumer’s personal information to contractors/service providers in accordance with the CPRA are also exempt from liability for any CPRA violations carried out by the contractors/service providers, so long as the business was not aware of any knowledge or possibility that the contractor or service provider intended to violate the CPRA.

Likewise, contractors/service providers will not be held accountable for carrying out any duties owed to the business; however, they will be held accountable for any CPRA violations committed while rendering services to the business.

Violations by Third-Party

Businesses which sell or share personal information with a third party (under a contract that requires the third party to undertake appropriate measures to protect the sold or shared personal information) will not be liable for any violations of the CPRA committed by the third party unless it shares personal information of consumers who have opted out or limited the use of their sensitive personal information or of minor consumers who did not opt-in to the sale of their personal information. Provided that, at the time of disclosing the personal information, the business does not have actual knowledge or reason to believe that the third party intends to commit such a violation.

Medical Information

The CPRA provisions aren’t applicable to medical information or healthcare providers, governed by the California Confidentiality of Medical Information Act (CMIA). Similarly, the provision isn’t further applicable to any protected health information (PHI) or covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Health Insurance Portability and Accountability Act (HIPAA), and Health Information Technology for Economic and Clinical Health Act (HITECH Act).

CPRA provisions also do not apply to clinical trials or other biomedical research studies conducted in accordance with the Federal Policy for the Protection of Human Subjects or human subject protection requirements stipulated by the Food and Drug Authority (FDA) or good clinical practice guidelines issued by the International Council for Harmonisation.

Businesses must ensure that personal information is not shared or sold contrary to the rules and requirements stipulated above, and if there is any inconsistency, consent of the consumer is obtained.

State & Federal Legislation

The CPRA provisions do not apply to the collection, processing, selling, or disclosure of personal information that is subject to the Gramm-Leach-Bliley Act (GLBA), Driver’s Privacy Protection Act, the California Financial Information Privacy Act (CalFIPA), or the federal Farm Credit Act, except the CPRA section 1798.150 (which are provisions pertaining to statutory penalties for breaches of personal information due to lax security standards of covered businesses).

Additionally, collection, maintenance, disclosure, sale, communication, or use of any personal information bearing a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency is also exempted.

Except the section 1798.150, the CPRA provisions also do not apply to the vehicle information or ownership information shared between the vehicle manufacturers and new motor vehicle dealers subject to the Code of Section 426 and Section 672 of the Vehicle Code.

Exemptions in Employment Context

In the business and employment context, sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 of the CPRA aren’t applicable to any personal information that reflects the written or verbal transaction or communication made by a natural person who acted or is acting in the role of an employee, owner, or independent contractor.

Moreover, CPRA also does not apply to any personal information collected by the businesses in the event that a natural person provides personal information to a business while acting as a job applicant, an employee, an independent contractor, an owner, a director, an officer, a member of the business's medical staff, or as an owner of the business.

It is important to note that provisions pertaining to exemptions in the employment context will become inoperative on January 1, 2023.

Exemptions in Education Context

Covered businesses are exempted from complying with a verifiable consumer request if the request is made to delete a consumer’s personal information with regard to a student’s grades or educational tests that a business holds subject to subdivision (d) of Section 49073.1 of the Education Code. Should a business refuse to honor the request, it should notify the consumer about the said exception.

Consumer’s right to delete or right to sale (as per 1798.105 and 1798.120, respectively) under CPRA won’t apply in cases where the consumer has consented to the business's use, disclosure, or sale of that information to produce a physical item such as a school yearbook containing the consumer's photograph, etc., and complying with the consumer’s right request is not commercially viable.

Furthermore, a business may refuse to honor any consumer request for access to an educational standardized assessment if such access may affect the credibility and validity of such assessment.

Non-Commercial Activities

As per CPRA Section 1798.145(i), the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution are exempt from CPRA obligations.

How Securiti Can Help with CPRA Compliance

Securiti supports enterprises in their journey toward developing compliance with the CPRA. In this respect, Securiti’s AI-driven Data Controls Cloud, among other functionalities, enables organizations to:

• gain full visibility and control over the personal information of consumers (not just within the organization but also externally);
• map data to their owners, create privacy notices, and incorporate data intelligence in an automated fashion to help organizations achieve privacy compliance across all data processing activities and projects;
• honor all data subject rights by automating the process of rights fulfillment;
• enable Assessment Automation (PIAs, DPIAs, Readiness Assessments, Transfer Impact Assessments) to trigger and conduct risk-based assessments;
• conduct effective cross-border data transfer risk assessments and remediate discovered risks;
• identify compromised data and impacted data subjects in breach incidents, and automate the breach notification process;
• create automated processing activity reports;
• maintain updated and comprehensive consent records; and
• assess vendors based on a predefined risk score and offer a centralized process to assess third-party vendors' compliance with the CPRA.

Through the help of the aforementioned features, businesses can seamlessly transition towards achieving CPRA compliance.

Take a quick CPRA assessment now or request a demo to learn more about how Securiti can help you be CPRA compliant.