Expert Commentary

California Privacy Rights Act: Exceptions

The California Privacy Rights Act (CPRA) will become operative on January 1, 2023, subject to certain exceptions. This article discusses exceptions to the CPRA. Also, see "California Privacy Rights Act: Background, Application, and Definitions" and "California Privacy Rights Act: Consumer Rights, Enforcement, Security."


Cyber and Privacy Risk and Insurance
January 2021

Exceptions

The CPRA shall not restrict a business's ability to do the following.

  • Comply with federal, state, or local laws or comply with a court order or subpoena to provide information
  • Collect, use, retain, sell, share, or disclose consumers' personal information that is deidentified or aggregate consumer information 
  • Collect, sell, or share a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California

The CPRA is intended to supplement federal and state law, where permissible, but shall not apply where such application is preempted by, or in conflict with, federal law or the California Constitution. The provisions of the CPRA relating to children under 16 years of age shall only apply to the extent not in conflict with the Children's Online Privacy Protection Act.

The CPRA is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers' personal information, including, but not limited to, Chapter 22 (commencing with section 22575) of Division 8 of the California Business and Professions Code and Title 1.81 (commencing with section 1798.80). The provisions of the CPRA are not limited to information collected electronically or over the Internet but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers' personal information should be construed to harmonize with the provisions of the CPRA, but in the event of a conflict between other laws and the provisions of the CPRA, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.  

The provisions of the CPRA shall prevail over any conflicting legislation enacted after January 1, 2020.

The CPRA shall not apply to the following.

  • Medical information governed by the California Confidentiality of Medical Information Act or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act or a provider of health care governed by the California Confidentiality of Medical Information Act or a covered entity governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in this bullet point (the definitions of "medical information" and "provider of health care" in section 56.05 of the California Confidentiality of Medical Information Act shall apply, and the definitions of "business associate," "covered entity," and "protected health information" in 45 C.F.R. 160.103 shall apply). 
  • Personal information collected as part of a clinical trial or other biomedical research study subject to or conducted in accordance with the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the US Food and Drug Administration, provided that such information is not sold or shared in a manner not permitted by this bullet point, and if it is inconsistent, that participants be informed of such use and provide consent.  
  • An activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, by a furnisher of information that provides information for use in a consumer report, and by a user of a consumer report, only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.
  • Personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act and implementing regulations or the California Financial Information Privacy Act or the Federal Farm Credit Act and implementing regulations. 
  • Personal information collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act.  

Cal. Civ. Code section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle's manufacturer if the vehicle or ownership information is shared for the purpose of (or in anticipation of) effectuating a vehicle repair covered by a vehicle warranty or a recall, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose. 

The obligations imposed on businesses in Cal. Civ. Code sections 1798.105, 1798.106, 1798.110, and 1798.115 inclusive shall not apply to household data. 

The CPRA does not require a business to comply with a verifiable consumer request to delete a consumer's personal information under Cal. Civ. Code section 1798.105 to the extent the verifiable consumer request applies to a student's grades, educational scores, or educational test results that the business holds on behalf of a local educational agency at which the student is currently enrolled. 

The CPRA does not require a business, in response to a request pursuant to Cal. Civ. Code section 1798.110, to disclose an educational standardized assessment or educational assessment, or a consumer's specific responses to the educational standardized assessment or educational assessment, where consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment.

Cal. Civ. Code sections 1798.105 and 1798.120 shall not apply to a business's use, disclosure, or sale of particular pieces of a consumer's personal information if the consumer has consented to the business's use, disclosure, or sale of that information to produce a physical item such as a school yearbook containing the consumer's photograph, provided that (1) the business has incurred significant expense in reliance on the consumer's consent; (2) compliance with the consumer's request to opt out of the sale of the consumer's personal information or to delete the consumer's personal information would not be commercially reasonable; and (3) the business complies with the consumer's request as soon as it is commercially reasonable to do so.

Cal. Civ. Code sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agency's collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or to contact the consumer only in the consumer's role as the owner, director, officer, or management employee of the business.

Before January 1, 2023, the CPRA shall not apply to the following.

  • Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of that business to the extent that the natural person's personal information is collected and used by the business solely within the context of the natural person's role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business
  • Personal information that is collected by a business that is emergency contact information for a natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of that business, to the extent that the personal information is collected and used solely within the context of having an emergency contact on file
  • Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits. 

Before January 1, 2023, the obligations imposed on businesses by Cal. Civ. Code sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, such company, partnership, sole proprietorship, nonprofit, or government agency.

The CPRA shall not be construed to require a business, service provider, or contractor to reidentify or otherwise link information that in the ordinary course of business is not maintained in a manner that would be considered personal information; to retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained; or to maintain information in identifiable, linkable, or associable form or to collect, obtain, retain, or access any data or technology in order to be capable of linking or associating a verifiable consumer request with personal information. 

Finally, the rights afforded to consumers and the obligations imposed on any business under the CPRA shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of section 2 of Article I of the California Constitution.
