Exceptions
The CPRA shall not restrict a business's ability to do the
following.
- Comply with federal, state, or local laws or comply with a court order or
subpoena to provide information
- Collect, use, retain, sell, share, or disclose consumers' personal
information that is deidentified or aggregate consumer information
- Collect, sell, or share a consumer's personal information if every
aspect of that commercial conduct takes place wholly outside of
California
The CPRA is intended to supplement federal and state law, where permissible,
but shall not apply where such application is preempted by, or in conflict
with, federal law or the California Constitution. The provisions of the CPRA
relating to children under 16 years of age shall only apply to the extent not
in conflict with the Children's Online Privacy Protection Act.
The CPRA is intended to further the constitutional right of privacy and to
supplement existing laws relating to consumers' personal information,
including, but not limited to, Chapter 22 (commencing with section 22575) of
Division 8 of the California Business and Professions Code and Title 1.81
(commencing with section 1798.80). The provisions of the CPRA are not limited
to information collected electronically or over the Internet but apply to the
collection and sale of all personal information collected by a business from
consumers. Wherever possible, law relating to consumers' personal
information should be construed to harmonize with the provisions of the CPRA,
but in the event of a conflict between other laws and the provisions of the
CPRA, the provisions of the law that afford the greatest protection for the
right of privacy for consumers shall control.
The provisions of the CPRA shall prevail over any conflicting legislation
enacted after January 1, 2020.
The CPRA shall not apply to the following.
- Medical information governed by the California Confidentiality of Medical
Information Act or protected health information that is collected by a
covered entity or business associate governed by the privacy, security, and
breach notification rules issued by the US Department of Health and Human
Services, 45 C.F.R., parts 160 and 164, established pursuant to the Health
Insurance Portability and Accountability Act (HIPAA) and the Health
Information Technology for Economic and Clinical Health Act or a provider of
health care governed by the California Confidentiality of Medical Information
Act or a covered entity governed by the privacy, security, and breach
notification rules issued by the US Department of Health and Human Services,
45 C.F.R., parts 160 and 164, established pursuant to HIPAA, to the extent
the provider or covered entity maintains patient information in the same
manner as medical information or protected health information as described in
this bullet point (the definitions of "medical information" and
"provider of health care" in section 56.05 of the California
Confidentiality of Medical Information Act shall apply, and the definitions
of "business associate," "covered entity," and
"protected health information" in 45 C.F.R. 160.103 shall
apply).
- Personal information collected as part of a clinical trial or other
biomedical research study subject to or conducted in accordance with
the Federal Policy for the Protection of Human
Subjects, also known as the Common Rule, pursuant to good clinical practice
guidelines issued by the International Council for Harmonisation or pursuant
to human subject protection requirements of the US Food and Drug
Administration, provided that such information is not sold or shared in a
manner not permitted by this bullet point, and if it is inconsistent, that
participants be informed of such use and provide consent.
- An activity involving the collection, maintenance, disclosure, sale,
communication, or use of any personal information bearing on a consumer's
credit worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living by a consumer
reporting agency, by a furnisher of information that provides information for
use in a consumer report, and by a user of a consumer report, only to the
extent that such activity involving the collection, maintenance, disclosure,
sale, communication, or use of such information by that agency, furnisher, or
user is subject to regulation under the Fair Credit Reporting Act and the
information is not collected, maintained, used, communicated, disclosed, or
sold except as authorized by the Fair Credit Reporting Act.
- Personal information collected, processed, sold, or disclosed subject to
the federal Gramm-Leach-Bliley Act and implementing regulations or the
California Financial Information Privacy Act or the Federal Farm Credit Act
and implementing regulations.
- Personal information collected, processed, sold, or disclosed pursuant to
the Driver's Privacy Protection Act.
Cal. Civ. Code section 1798.120 shall not apply to vehicle information or
ownership information retained or shared between a new motor vehicle dealer and
the vehicle's manufacturer if the vehicle or ownership information is
shared for the purpose of (or in anticipation of) effectuating a vehicle repair
covered by a vehicle warranty or a recall, provided that the new motor vehicle
dealer or vehicle manufacturer with which that vehicle information or ownership
information is shared does not sell, share, or use that information for any
other purpose.
Cal. Civ. Code section 1798.120 shall not apply to vessel information or
ownership information retained or shared between a vessel dealer and the
vessel's manufacturer, as defined in Cal. Harbors and Navigation Code
section 651, if the vessel information or ownership information is shared for
the purpose of (or in anticipation of) effectuating a vessel repair covered by
a vessel warranty or a recall, provided that the vessel dealer or vessel
manufacturer with which that vessel information or ownership information is
shared does not sell, share, or use that information for any other purpose.
The obligations imposed on businesses in Cal. Civ. Code sections 1798.105,
1798.106, 1798.110, and 1798.115 inclusive shall not apply to household
data.
The CPRA does not require a business to comply with a verifiable consumer
request to delete a consumer's personal information under Cal. Civ. Code
section 1798.105 to the extent the verifiable consumer request applies to a
student's grades, educational scores, or educational test results that the
business holds on behalf of a local educational agency at which the student is
currently enrolled.
The CPRA does not require in response to a request pursuant to Cal. Civ.
Code section 1798.110 that a business disclose an educational standardized
assessment or educational assessment or a consumer's specific responses to
the educational standardized assessment or educational assessment where
consumer access, possession, or control would jeopardize the validity and
reliability of that educational standardized assessment or educational
assessment.
Cal. Civ. Code sections 1798.105 and 1798.120 shall not apply to a
business's use, disclosure, or sale of particular pieces of a
consumer's personal information if the consumer has consented to the
business's use, disclosure, or sale of that information to produce a
physical item such as a school yearbook containing the consumer's
photograph if the business has incurred significant expense in reliance on the
consumer's consent; compliance with the consumer's request to opt-out
of the sale of the consumer's personal information or to delete the
consumer's personal information would not be commercially reasonable; and
the business complies with the consumer's request as soon as it is
commercially reasonable to do so.
Cal. Civ. Code sections 1798.105 and 1798.120 shall not apply to a
commercial credit reporting agency's collection, processing, sale, or
disclosure of business controller information to the extent the commercial
credit reporting agency uses the business controller information solely to
identify the relationship of a consumer to a business that the consumer owns or
contact the consumer only in the consumer's role as the owner, director,
officer, or management employee of the business.
Before January 1, 2023, the CPRA shall not apply to the following.
- Personal information that is collected by a business about a natural
person in the course of the natural person acting as a job applicant to, an
employee of, owner of, director of, officer of, medical staff member of, or
independent contractor of that business to the extent that the natural
person's personal information is collected and used by the business
solely within the context of the natural person's role or former role as
a job applicant to, an employee of, owner of, director of, officer of,
medical staff member of, or an independent contractor of that business
- Personal information that is collected by a business that is emergency
contact information of the natural person acting as a job applicant to, an
employee of, owner of, director of, officer of, medical staff member of, or
independent contractor of that business to the extent that the personal
information is collected and used solely within the context of having an
emergency contact on file
- Personal information that is necessary for the business to retain to
administer benefits for another natural person relating to the natural person
acting as a job applicant to, an employee of, owner of, director of, officer
of, medical staff member of, or independent contractor of that business to
the extent that the personal information is collected and used solely within
the context of administering those benefits.
Before January 1, 2023, the obligations imposed on businesses by Cal. Civ.
Code sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121,
1798.130, and 1798.135 shall not apply to personal information reflecting a
written or verbal communication or a transaction between the business and the
consumer where the consumer is a natural person who acted or is acting as an
employee, owner, director, officer, or independent contractor of a company,
partnership, sole proprietorship, nonprofit, or government agency and whose
communications or transaction with the business occur solely within the context
of the business conducting due diligence regarding or providing or receiving a
product or service to or from such company, partnership, sole proprietorship,
nonprofit, or government agency.
The CPRA shall not be construed to require a business, service provider, or
contractor to reidentify or otherwise link information that in the ordinary
course of business is not maintained in a manner that would be considered
personal information; to retain any personal information about a consumer if,
in the ordinary course of business, that information about the consumer would
not be retained; or to maintain information in identifiable, linkable, or
associable form or to collect, obtain, retain, or access any data or technology
in order to be capable of linking or associating a verifiable consumer request
with personal information.
Finally, the rights afforded to consumers and the obligations imposed on any
business under the CPRA shall not apply to the extent that they infringe on the
noncommercial activities of a person or entity described in subdivision (b) of
section 2 of Article I of the California Constitution.