The Devil Is In The Details - Part III: Exemptions Within U.S. State Data Privacy Laws
There’s always a “but.” There are very few absolutes in life and the U.S. Data Privacy Laws are no different. To date, five states have enacted comprehensive privacy laws: California, Colorado, Connecticut, Utah, and Virginia, but that doesn’t mean the laws apply to all data or all entities doing business in those states.
In Part I of this series, we discussed key differences in these laws. That article briefly touched on the myriad of exclusions under the laws, but deeper analysis is warranted. In Part II, we addressed distinctions between consumer rights in each of the five state laws. Here, we analyze the various exemptions under each state’s law, again underscoring the need for attention to detail when ensuring applicability and compliance with the new state consumer privacy laws going into effect in 2023.
The California Consumer Privacy Act (CCPA) has been in effect since 2020. The California Privacy Rights Act (CPRA), which amends and expands the CCPA, Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and Virginia Consumer Data Protection Act (VCDPA) will all take effect in 2023. [NOTE: Like the CCPA, the CPRA will have a one-year lookback adding urgency to ensuring compliance.]
The five state privacy laws apply to a broad number of businesses, covering nearly all commercial entities that do business in the respective state, regardless of whether the business has a physical location or employees in the state. However, there are some important exemptions. Generally, the exemptions are based on the types of information that a business collects (information-based exemption), or on the industry of the business collecting the information (entity-based exemption).
Specifically, excluded categories of personal information and entities include:
- Employee Information: The VCDPA, CPA, UCPA, and CTDPA do not apply to the personal information of individuals acting in a commercial or employment context, while the CCPA and CPRA provide a limited exemption for personal information collected in employment and business-to-business contexts that is set to expire on January 1, 2023.
- Non-Profit and Government Entities: The CPA is the only one of the five state laws that does not exempt non-profit or government entities outright. However, the CPA does exempt data collected by government entities.
- Data Subject to Other US Laws:
  - Protected Health Information (PHI): PHI collected by covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and the State of California’s Confidentiality of Medical Information Act (“CMIA”);
  - Financial Information: information processed pursuant to the Gramm-Leach-Bliley Act (“GLBA”), the Fair Credit Reporting Act (“FCRA”), and SEC-Regulated Securities Associations;
  - Driver Information: information and data processed pursuant to the Driver’s Privacy Protection Act (“DPPA”);
  - Child/Minor Information: information and data that is collected and processed in compliance with the Children’s Online Privacy Protection Act (“COPPA”);
  - Educational Information: information regulated by the Family Educational Rights and Privacy Act (“FERPA”).
The chart below provides a comparison of the common exemptions by state.
NOTE: This chart discusses explicit exemptions. To the extent that a law does not specifically exempt an entity (and, by extension, its data), the entity may nonetheless fall outside the definition of a “business,” in which case it would not be governed by the respective state law. See Part I of the series for a discussion of which businesses are covered under each state’s law.
Looking Ahead
As with any change in the law, attention to detail is the key to success. Preparation is essential to compliance and to avoiding allegations of violations. Every organization has an obligation to conduct a detailed review of each law to which it may be subject. Further, the rulemaking process is ongoing in some states, which means there may be new or different substantive obligations forthcoming. Redgrave LLP will continue to monitor the changing landscape of U.S. data privacy legislation and is available to consult and assist in the development and implementation of successful information governance and privacy policies and practices.
For additional information on this topic, please contact Martin Tully at mtully@redgravellp.com.
The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.
By Stacy Forsythe and Aviva Surugeon