The California Consumer Privacy Act (CCPA) has reshaped how businesses all over the world handle consumer data, but it does not apply to everyone. In many ways the CCPA is narrower than its EU counterpart, the General Data Protection Regulation (GDPR). That narrower scope lightens the compliance burden for some organizations, but it also creates confusion about when the CCPA does and does not apply.
Here we’ll cover the most important situations in which the CCPA does not apply.
The first dividing line that determines whether the CCPA applies is the law’s definition of a “business,” because only a “business” is required to comply. Under the CCPA, a business is a for-profit entity that collects consumers’ personal information, does business in California, and meets at least one of these threshold criteria:
Under this definition, the CCPA does not apply to many companies simply because they fall below the threshold requirements. Because of the for-profit requirement, it also does not apply to government entities or to most nonprofits. A nonprofit may still be bound by the law, however, if it shares common branding with, and is controlled by, a business to which the CCPA applies.
Some industries already have data protection and privacy rules under state and federal law. To avoid conflicting obligations, the CCPA exempts data that is already governed by those laws. Note that these are data-level exemptions, not blanket exemptions for the organization: personal information a regulated company collects outside the scope of the sector law (for example, website analytics or marketing data about people who are not its patients or customers) remains subject to the CCPA. These laws include:
The Health Insurance Portability and Accountability Act (HIPAA) – HIPAA governs protected health information (PHI) held by covered entities (such as healthcare providers, health plans, and clearinghouses) and their business associates, and already imposes confidentiality and security requirements on that data. The CCPA does not apply to PHI governed by HIPAA, or to medical information governed by California’s Confidentiality of Medical Information Act (CMIA). Many healthcare providers and related businesses are therefore largely outside the CCPA, but only to the extent the data they collect is covered by those laws.
The Gramm-Leach-Bliley Act (GLBA) – The GLBA applies to banks and other financial institutions and sets rules for how they must treat nonpublic personal information about their customers. The CCPA does not apply to personal information that is collected, processed, sold, or disclosed pursuant to the GLBA. One caveat: this exemption does not extend to the CCPA’s private right of action for data breaches (Civil Code section 1798.150), so a financial institution can still face CCPA breach liability for GLBA-covered data that is exposed because of a failure to maintain reasonable security.
The Fair Credit Reporting Act (FCRA) – The FCRA governs consumer reports, which include credit reports and the background checks used for employment, tenant screening, and insurance, along with the consumer reporting agencies that compile them, the furnishers that supply the data, and the users that obtain them. The CCPA does not apply to personal information that is collected, furnished, or used in a consumer report, to the extent that activity is regulated by the FCRA.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.