What Types of Collection Are Excluded Under the CCPA?
Certain PI collection practices are entirely excluded from regulation by the CCPA because they are already regulated under other state or federal laws. If your business’s collection of PI is subject to certain state and federal laws listed below, those collection practices can be excluded from your information map in the steps that follow.
If you do not collect any information subject to the laws listed in the table below, which generally relate to health/medical information and certain financial information, you can skip to the next section.
State or Federal Law | What’s Excluded |
---|---|
California Confidentiality of Medical Information Act (CMIA) | |
Health Insurance Portability and Accountability Act (HIPAA) | |
Federal Policy for the Protection of Human Subjects (the “Common Rule”) | PI collected as part of a clinical trial subject to the Common Rule, as long as certain other stipulations are met |
Fair Credit Reporting Act (FCRA)* | The collection, use, sale or disclosure of PI by an agency, furnisher or user subject to FCRA regulation |
Gramm-Leach-Bliley Act (GLBA)* | The collection, maintenance or disclosure of PI pursuant to GLBA |
California Financial Information Privacy Act (CFIPA) | The collection, maintenance or disclosure of PI pursuant to CFIPA |
Driver’s Privacy Protection Act of 1994 (DPPA)* | PI collected, processed, sold or disclosed pursuant to DPPA |
*Note: The exclusions related to FCRA, GLBA and DPPA do not apply to the private right of action established by the CCPA.
If you are unsure whether any of the laws above apply to your business’s collection of PI, you should consult an attorney who is familiar with the facts of your specific situation and the laws referenced above.