The Baseline Requirements for Businesses

The California Consumer Privacy Act imposes strict rules on how businesses handle the personal data of state residents. Many organisations assume these rules apply uniformly to all data they collect.

This assumption often leads to wasted resources and overcomplicated privacy programs. The regulation includes specific exemptions based on the type of business you operate and the specific data categories you process. Identifying these exclusions helps you tailor your compliance strategy. You can focus your efforts entirely on the data that actually falls under regulatory scrutiny.

Before analysing exemptions, you must determine whether your company meets the baseline regulatory thresholds at all. The law only targets for-profit entities doing business in California that meet specific size criteria.

A business must comply if it exceeds 25 million USD in gross annual revenue. Alternatively, compliance is mandatory if the company buys, sells, or shares the personal information of 100,000 or more California residents or households. The final trigger applies to businesses deriving 50 percent or more of their annual revenue from selling or sharing personal information. If you do not meet any of these three conditions, you are entirely exempt from the statute.

Non-profit organisations and government agencies enjoy blanket exclusions from these rules.

Federal Preemption and Entity-Level Exemptions

Federal laws often preempt state regulations in specific sectors. This preemption creates safe harbours for entities already subject to stringent federal privacy mandates.

Healthcare providers and financial institutions frequently rely on these overlapping frameworks to manage their obligations. A bank handling mortgage applications must adhere to federal financial regulations. The state privacy law acknowledges this existing burden and steps back. You do not need to apply consumer privacy requests to information governed by these federal statutes.

The Gramm-Leach-Bliley Act (GLBA) and the California Financial Information Privacy Act (CFIPA) govern how financial institutions handle non-public personal information. Data collected, processed, sold, or disclosed under these financial acts is entirely exempt from the California privacy rules.

Similarly, the Health Insurance Portability and Accountability Act (HIPAA) protects medical records. Protected Health Information (PHI) collected by a covered entity or business associate falls outside the scope of state consumer privacy mandates. California's own Confidentiality of Medical Information Act (CMIA) provides identical protections.

However, an exemption for one data type does not grant your entire business immunity.

The Partial Exemption Trap

Many organisations fundamentally misunderstand how these exclusions apply in practice. They assume that being a regulated entity, such as a hospital or a bank, means they can ignore the CCPA entirely.

The exemptions apply to the specific data, not the whole corporate entity. A hospital is exempt regarding its patient health records, but it remains fully liable for the data it collects through its public-facing marketing website. If that hospital tracks anonymous website visitors to optimise digital ad spending, those visitors have full rights under state law.

The California Attorney General enforces these boundaries strictly. In 2022, regulators issued a 1.2 million USD penalty to Sephora for failing to process opt-out requests and improperly managing third-party tracking. Regulators expect businesses to know exactly which data streams are regulated and which are exempt.

You must maintain separate data governance tracks for different types of information. Your privacy policy must clearly delineate your practices for general consumer data versus federally regulated information.

Data-Level Exemptions

Beyond healthcare and finance, the law carves out exceptions for several other specific categories of information.

Exemption Type | Governing Law | What It Covers
--- | --- | ---
Credit Reporting | FCRA | Consumer credit history and background check reports
Vehicle Records | DPPA | Motor vehicle ownership and driver license records
Public Information | State/Federal | Lawfully obtained government records
De-identified Data | None | Data stripped of all identifying characteristics

The Fair Credit Reporting Act (FCRA) regulates consumer credit information. Credit bureaus and businesses supplying data to them do not have to provide state-level access or deletion rights for that specific credit data. The Driver's Privacy Protection Act (DPPA) provides a similar carve-out for vehicle records.

Publicly available information forms another major exemption category. The state defines this narrowly as information lawfully made available from federal, state, or local government records. It also includes information a business has a reasonable basis to believe the consumer lawfully made available to the general public.

De-identified or aggregated consumer information sits outside the legal definition of personal data entirely. If you strip data of identifiers so it cannot reasonably be linked back to a specific consumer, the statutory requirements no longer apply.

Unlike the GDPR, which relies on a broader concept of anonymisation, California provides specific technical safe harbours for de-identification processes.

The Expiration of HR and B2B Exemptions

California previously offered temporary relief for employee data and business-to-business communications. These exceptions expired on the first of January 2023.

Human resources data and B2B contacts now carry the full weight of consumer privacy rights. Your employees, job applicants, and independent contractors can submit access and deletion requests just like any retail customer. You must provide them with mandatory notices at collection.

This expiration dramatically expanded the compliance burden for purely B2B companies. A software vendor selling exclusively to other corporations might have ignored the law in 2021. Today, the contact details of their corporate clients qualify as protected personal information.

You must map your internal HR databases and vendor management systems to ensure they can accommodate data subject requests. The administrative processes you built for retail consumers must now scale to handle employee data.

How Exemptions Affect Your Cookie Strategy

Managing partial exemptions requires precise control over your digital infrastructure. If your business qualifies for a partial exclusion, your cookie banner setup requires careful configuration.

A financial institution might be exempt for data submitted through its secure customer portal but fully regulated when using marketing cookies on its public homepage. You must separate regulated marketing activity from exempt operational data. This prevents non-compliant tracking scripts from firing on regulated pages.

Running a cookie scanner helps map exactly where personal information flows before applying exemptions. You can identify third-party trackers and restrict their data collection based on the specific page the user visits.

Proper categorisation ensures you do not over-comply and break necessary site functionality. It also guarantees you do not under-comply and expose your marketing pages to regulatory fines.
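As an added example (not code from the article or from Kukie.io), the page-by-page separation described above expressed as a deny-by-default tracker policy in JavaScript: essential cookies always load, nothing non-essential loads on the exempt customer portal, and trackers that sell or share data are suppressed on public pages once the visitor has opted out. The path prefixes, the tracker inventory and the use of the browser's Global Privacy Control flag as an opt-out signal are assumptions made for the illustration.

```javascript
// Added example, not part of the original article. All site paths and tracker
// names below are constructed for illustration.

// Assumed site map: the customer portal carries GLBA-governed account data and
// must never load third-party trackers; every other path is ordinary public
// content where CCPA opt-out rights apply in full.
const EXEMPT_PREFIXES = ["/portal/", "/account/"];

// Assumed tracker inventory, of the kind a cookie scanner would produce.
const TRACKERS = {
  "session-cookie":   { category: "essential", sellsOrShares: false },
  "analytics-vendor": { category: "analytics", sellsOrShares: false },
  "ad-pixel":         { category: "marketing", sellsOrShares: true },
};

// Classify a page by its path: "exempt-portal" or "public".
function classifyPage(pathname) {
  return EXEMPT_PREFIXES.some((p) => pathname.startsWith(p)) ? "exempt-portal" : "public";
}

// A visitor is opted out if they recorded a "Do Not Sell or Share" choice or if
// the browser sends the Global Privacy Control signal (navigator.globalPrivacyControl).
function isOptedOut(navigatorLike, storedChoice) {
  return storedChoice === "opt-out" || navigatorLike.globalPrivacyControl === true;
}

// Return the tracker ids permitted to fire on this page for this visitor.
function allowedTrackers(pathname, optedOut) {
  const zone = classifyPage(pathname);
  return Object.entries(TRACKERS)
    .filter(([, t]) => {
      if (t.category === "essential") return true;     // needed for the site to work
      if (zone === "exempt-portal") return false;      // no non-essential trackers on the portal
      if (optedOut && t.sellsOrShares) return false;   // honour the opt-out on public pages
      return true;
    })
    .map(([id]) => id);
}

// Browser wiring: call before any tracker <script> tags, passing a loader per id.
function loadTrackers(win, storedChoice, loaders) {
  const optedOut = isOptedOut(win.navigator, storedChoice);
  const ids = allowedTrackers(win.location.pathname, optedOut);
  ids.forEach((id) => { if (loaders[id]) loaders[id](); });
  return ids;
}
```

The policy is deny-by-default, so a tracker the scanner discovers but nobody has classified never fires until it is added to the inventory.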

Frequently Asked Questions

Do non-profit organisations have to comply with California privacy laws?

Most non-profit organisations are exempt. The law targets for-profit entities that meet certain revenue or data processing thresholds.

Are government agencies exempt from these rules?

Yes. State and local government agencies do not fall under the definition of a business and are entirely excluded from these requirements.

Is employee data still exempt from the CCPA?

No. The temporary exemption for human resources data expired in 2023. Employees now have the exact same privacy rights as standard consumers.

Does HIPAA compliance mean my entire business is exempt?

It provides a partial exemption. Protected Health Information governed by HIPAA is excluded, but standard marketing data collected on your main website still requires full compliance.

What counts as publicly available information?

Information lawfully made available from government records falls into this category. It also includes information a consumer intentionally makes available to the general public without restrictions.

Take Control of Your Cookie Compliance

If you operate a partially exempt business, tracking which data needs consent requires exact technical controls. Kukie.io detects, categorises, and manages your website trackers to match your specific legal obligations. You can apply compliance settings only where the law demands them.
