Compliance Guides | March 29, 2026 | 10 min read

CCPA Exemptions: Who Is Exempt and What Data Is Excluded


Understanding CCPA Exemptions: Two Layers of Exclusion

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most influential state privacy law in the United States. But not every organization or every piece of data falls under its scope. The CCPA provides two distinct layers of exemptions: entity-level exemptions (entire organizations excluded from the law) and data-level exemptions (specific categories of information excluded even when the organization is covered).

Understanding which exemptions apply to your business is critical. Misinterpreting an exemption can leave you exposed to administrative fines of up to $7,988 per intentional violation or violation involving a minor ($2,663 per other violation, both figures inflation-adjusted by the CPPA in 2025). This guide covers every CCPA exemption category, explains common misconceptions, and helps you determine whether your organization or your data qualifies.

Use our Privacy Law Calculator to check whether the CCPA applies to your business based on your revenue, consumer count, and data practices.

Entity-Level Exemptions: Who Does Not Need to Comply?

The CCPA applies only to for-profit businesses that do business in California and meet at least one of three thresholds. If your organization does not meet any threshold, or falls into an exempt category, the CCPA does not apply to you at the entity level.

Threshold Requirements

A for-profit entity is a covered business under the CCPA if it does business in California, collects California residents' personal information, determines the purposes and means of processing it, AND meets at least one of these criteria:

  • Annual gross revenue in the preceding calendar year exceeded $25 million (adjusted for inflation by the CPPA in January of every odd-numbered year; the adjusted figure effective January 1, 2025 is $26,625,000)
  • Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California consumers or households (the original CCPA's 50,000 consumers, households, or devices test was replaced by the CPRA)
  • Derives 50% or more of annual revenue from selling or sharing California consumers' personal information

Businesses that fall below all three thresholds are not subject to the CCPA. However, they may still be subject to other state privacy laws with lower thresholds. Check our State Privacy Law Comparison Tool to see how thresholds differ across states.

Nonprofit Organizations

The CCPA explicitly applies only to for-profit entities. Nonprofit organizations are exempt from the CCPA, regardless of their size, revenue, or data practices. This includes 501(c)(3) charities, trade associations, educational nonprofits, and other tax-exempt organizations.

However, there are important caveats:

  • A nonprofit that operates a for-profit subsidiary must comply with the CCPA for that subsidiary if it meets the thresholds. Separately, the CCPA's definition of "business" reaches any entity that controls or is controlled by a covered business and shares common branding with it, so a nonprofit tightly coupled to a covered for-profit affiliate should not assume it is out of scope
  • Nonprofits are not exempt from other California privacy laws (such as the California Online Privacy Protection Act) or from federal laws like COPPA
  • Several other state privacy laws have no general nonprofit exemption: Colorado, Oregon, Delaware, and Maryland's MODPA, for example, cover nonprofits

Government Agencies

State and local government agencies, as well as federal agencies, are not covered by the CCPA. The law targets private-sector commercial activity. Public entities are subject to other privacy frameworks, including the California Information Practices Act and federal privacy laws.

Insurance Companies (Partial Exemption)

Insurance institutions, agents, and support organizations that are subject to the Insurance Information and Privacy Protection Act (IIPPA) have a limited exemption from the CCPA. The exemption applies only to the activities and data already regulated under the IIPPA. Any personal information collected outside the scope of IIPPA compliance is still subject to the CCPA.

Data-Level Exemptions: What Information Is Excluded?

Even if your business is covered by the CCPA, certain categories of data are excluded from the law's requirements because they are already regulated by sector-specific federal or state statutes. These are data-level exemptions — the organization must still comply with the CCPA for all other personal information it collects.

HIPAA-Protected Health Information

Protected health information (PHI) collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act (HIPAA) is exempt from the CCPA. The same section of the statute also carves out human-subjects research data. Together these cover:

  • Patient medical records maintained by healthcare providers
  • Health insurance claims data
  • Information collected as part of a clinical trial subject to the Common Rule (the Federal Policy for the Protection of Human Subjects)

The exemption also covers medical information governed by the California Confidentiality of Medical Information Act (CMIA). However, health-related data collected outside the HIPAA framework — such as health data from fitness apps, wellness programs, or consumer health devices — is NOT exempt and is fully subject to the CCPA.

GLBA Financial Data

Personal information collected, processed, sold, or disclosed under the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (CalFIPA) is exempt from the CCPA. This covers nonpublic personal information handled by financial institutions in the course of providing financial products or services, including:

  • Bank account information
  • Loan application data
  • Investment account details
  • Credit card transaction records

Important: the exemption applies to the data, not the entity. A bank that also collects personal information for marketing purposes outside the scope of GLBA must comply with the CCPA for that non-financial data. Note also that the GLBA exemption does not extend to the CCPA's data breach private right of action (Civil Code section 1798.150): a consumer whose unencrypted GLBA-covered data is exposed through a failure to maintain reasonable security can still sue under the CCPA.

FCRA Consumer Report Information

Data governed by the Fair Credit Reporting Act (FCRA) is exempt from the CCPA. This includes consumer credit reports, background check data, and tenant screening information collected and used by consumer reporting agencies in accordance with FCRA requirements.

However, the FCRA exemption applies only when the data is actually being used and maintained in compliance with the FCRA. If a company collects credit information but uses it for purposes outside the FCRA's scope, that data is subject to the CCPA.

DPPA Driver Information

Personal information collected under the Driver's Privacy Protection Act (DPPA) is exempt. This primarily affects state motor vehicle departments and entities that obtain driver's license information from them. As with GLBA data, the DPPA exemption does not apply to the data breach private right of action in section 1798.150.

Other Federal Data Exemptions

  • FERPA — Student education records protected under the Family Educational Rights and Privacy Act
  • Farm Credit Act — Personal information subject to the federal Farm Credit Act of 1971, listed alongside GLBA and CalFIPA in the same financial-data exemption
  • Voter registration data — Information collected and maintained under election law
  • Publicly available information — Excluded from the definition of "personal information" rather than exempted as a category. It covers information lawfully made available from federal, state, or local government records and, since the CPRA, information a business reasonably believes the consumer lawfully made available to the general public or that comes from widely distributed media. Biometric information collected without the consumer's knowledge is never "publicly available", and the carve-out is construed narrowly by the CPPA

The B2B and Employee Data Exemptions: Expired Since January 2023

One of the most common misconceptions about CCPA exemptions involves business-to-business contacts and employee data. When the original CCPA took effect in 2020, it included temporary exemptions for:

  • Employee and job applicant personal information — HR data, payroll information, benefits records
  • B2B contact information — Business email addresses, work phone numbers, and job titles collected in commercial transactions

Both exemptions expired on January 1, 2023, when the CPRA took full effect. Since then, the CCPA fully applies to employee data and B2B contacts collected by covered businesses. This means:

  • Employees and job applicants have the full suite of CCPA rights (access, deletion, correction, opt-out)
  • B2B contacts can exercise their CCPA rights, including requesting deletion of their business contact information
  • Businesses must include employee and B2B data in their privacy policy disclosures
  • HR departments must respond to data subject access requests (DSARs) for employee records — use our Deletion Request Generator to understand the process

If your compliance program still treats employee or B2B data as exempt, update it immediately; this is a common gap in programs designed before the CPRA took effect. See our CCPA vs CPRA guide for a complete breakdown of changes.

Quick Reference: CCPA Exemption Summary

Exemption category         | Type           | Status            | Key conditions
---------------------------|----------------|-------------------|------------------------------------------------------------------------------
Below-threshold businesses | Entity         | Active            | Must be below all three thresholds (revenue, consumer count, data sale revenue)
Nonprofit organizations    | Entity         | Active            | Must be a bona fide nonprofit; for-profit subsidiaries are covered
Government agencies        | Entity         | Active            | Federal, state, and local government entities
HIPAA / CMIA data          | Data           | Active            | Only PHI handled by HIPAA-covered entities; consumer health app data is NOT exempt
GLBA / CalFIPA data        | Data           | Active            | Only nonpublic personal info in financial product context; marketing data is NOT exempt; breach claims still possible
FCRA consumer reports      | Data           | Active            | Only data used in compliance with FCRA; other uses are NOT exempt
Insurance (IIPPA)          | Partial entity | Active            | Only activities regulated under IIPPA; other data is covered
Employee / HR data         | Data           | EXPIRED Jan 2023  | Fully covered by CCPA since CPRA took effect
B2B contact data           | Data           | EXPIRED Jan 2023  | Fully covered by CCPA since CPRA took effect
Publicly available info    | Data           | Active (narrow)   | Government records, consumer-published info, and widely distributed media; not biometrics collected covertly

Common Misconceptions About CCPA Exemptions

1. "We are a small business, so we are exempt"

Size alone does not create an exemption. A business with $10 million in revenue that buys, sells, or shares the personal information of 150,000 California consumers or households is covered by the CCPA. The thresholds are alternatives: meeting any one of the three triggers applicability.

2. "We are a healthcare company, so all our data is exempt"

The HIPAA exemption applies only to protected health information handled in the HIPAA-regulated context. If a healthcare company collects data through its website (cookies, analytics, marketing data), that information is subject to the CCPA. Fitness trackers, health apps, and telehealth platforms that are not HIPAA-covered entities receive no exemption.

3. "We only sell to other businesses, so B2B data is exempt"

The B2B exemption expired in January 2023. All personal information of individuals acting in a business capacity — work emails, business phone numbers, job titles — is now covered by the CCPA if collected by a covered business.

4. "We are based outside California, so we are exempt"

The CCPA applies to any business that does business in California and collects personal information from California residents, regardless of where the business is headquartered or incorporated. A company based in Texas or New York that sells products online to Californians must comply if it meets the thresholds.

5. "The GLBA exemption covers all data we collect"

Financial institutions often assume all their data is GLBA-exempt. In reality, the exemption applies only to nonpublic personal information used in providing financial products and services. Customer data used for marketing, website analytics, or non-financial services is fully subject to the CCPA.

How to Determine If Your Business Is Exempt

  1. Check entity type — Are you a for-profit business? If not, you are likely exempt at the entity level, unless you control or are controlled by a covered business and share common branding with it.
  2. Check thresholds — Do you meet any one of the three CCPA thresholds (revenue, consumer count, data sale percentage)? Use our Privacy Law Calculator to check.
  3. Identify data categories — Even if covered, map your data inventory against the data-level exemptions. Which data falls under HIPAA, GLBA, FCRA, or other sector-specific laws?
  4. Separate exempt from non-exempt data — Build internal processes to handle exempt and non-exempt data differently. Respond to CCPA requests for non-exempt data even if some of your data is exempt.
  5. Document your analysis — If you claim an exemption, document the legal basis. Regulators may request justification during an investigation.
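The five steps above are a decision procedure, and the part teams most often get wrong is step 4: the data-level exemptions follow the data and the context it is used in, not the organization. The following added example (written for this article; it is not PrivacyLawMap's code and the regime labels, purpose labels, and sample inventory are this example's own constructions) encodes the entity-level threshold test and then scopes a hypothetical access request against a data inventory, so that GLBA data reused for marketing, employee payroll records, and B2B contacts all land in scope while GLBA and FCRA data used within their regulated context do not. The revenue threshold is the CPPA's 2025 inflation-adjusted figure, assumed still current.

```python
from dataclasses import dataclass

# Entity-level thresholds as described in the article. The revenue figure is the
# CPPA's inflation-adjusted value effective January 1, 2025 (assumption: not yet
# re-adjusted when this runs).
REVENUE_THRESHOLD = 26_625_000
CONSUMER_THRESHOLD = 100_000
SALE_REVENUE_SHARE = 0.5


@dataclass(frozen=True)
class Business:
    name: str
    for_profit: bool
    does_business_in_california: bool
    prior_year_revenue: int
    ca_consumers_bought_sold_or_shared: int
    revenue_share_from_selling_or_sharing_pi: float


def ccpa_applies(b: Business) -> tuple[bool, list[str]]:
    """Entity-level test: for-profit, does business in CA, and ANY ONE threshold met."""
    if not b.for_profit:
        return False, ["not a for-profit entity"]
    if not b.does_business_in_california:
        return False, ["does not do business in California"]
    hits = []
    if b.prior_year_revenue > REVENUE_THRESHOLD:
        hits.append(f"revenue {b.prior_year_revenue:,} exceeds {REVENUE_THRESHOLD:,}")
    if b.ca_consumers_bought_sold_or_shared >= CONSUMER_THRESHOLD:
        hits.append(f"buys/sells/shares PI of {b.ca_consumers_bought_sold_or_shared:,} consumers or households")
    if b.revenue_share_from_selling_or_sharing_pi >= SALE_REVENUE_SHARE:
        hits.append(f"{b.revenue_share_from_selling_or_sharing_pi:.0%} of revenue from selling/sharing PI")
    return (True, hits) if hits else (False, ["below all three thresholds"])


@dataclass(frozen=True)
class Record:
    system: str
    regime: str      # sector law the data was collected under, or "none"
    purpose: str     # what the data is actually used for (hypothetical labels)
    population: str  # "customer", "employee", "b2b_contact", "visitor"


# Purposes that keep a record inside the sector law's regulated context. Any other
# use of the same data falls back into CCPA scope: the exemption follows the data
# and its context, not the entity. Labels are this example's own.
REGULATED_PURPOSES = {
    "HIPAA": {"treatment", "payment", "healthcare_operations"},
    "GLBA": {"financial_product_or_service"},
    "FCRA": {"consumer_report"},
    "DPPA": {"motor_vehicle_record"},
}
# Exemptions that do not reach the CCPA data-breach private right of action (s. 1798.150)
BREACH_CLAIM_SURVIVES = {"GLBA", "DPPA"}


def classify(rec: Record) -> dict:
    """Return the CCPA scope of one inventory record with the basis for the decision."""
    base = {"system": rec.system, "regime": rec.regime, "purpose": rec.purpose}
    allowed = REGULATED_PURPOSES.get(rec.regime)
    if allowed is not None and rec.purpose in allowed:
        return {**base, "ccpa_scope": "exempt",
                "basis": f"{rec.regime}-regulated data used within {rec.regime} context",
                "breach_claim_still_applies": rec.regime in BREACH_CLAIM_SURVIVES}
    if allowed is not None:
        return {**base, "ccpa_scope": "in_scope",
                "basis": f"{rec.regime} data repurposed for '{rec.purpose}', outside the regime's scope",
                "breach_claim_still_applies": True}
    if rec.population in ("employee", "b2b_contact"):
        return {**base, "ccpa_scope": "in_scope",
                "basis": f"{rec.population} exemption expired 2023-01-01",
                "breach_claim_still_applies": True}
    return {**base, "ccpa_scope": "in_scope", "basis": "no data-level exemption",
            "breach_claim_still_applies": True}


def scope_dsar(inventory: list[Record]) -> dict:
    """Split an inventory into records a CCPA request must cover and those it need not."""
    rows = [classify(r) for r in inventory]
    return {"in_scope": [r for r in rows if r["ccpa_scope"] == "in_scope"],
            "exempt": [r for r in rows if r["ccpa_scope"] == "exempt"]}


# Constructed sample: a bank below the revenue threshold but over the consumer count.
SAMPLE_BANK = Business("Example Bancorp", True, True, 10_000_000, 150_000, 0.02)
SAMPLE_INVENTORY = [
    Record("core_banking", "GLBA", "financial_product_or_service", "customer"),
    Record("credit_decisioning", "FCRA", "consumer_report", "customer"),
    Record("crm_marketing", "GLBA", "marketing", "customer"),  # GLBA data reused for marketing
    Record("web_analytics", "none", "analytics", "visitor"),
    Record("hris_payroll", "none", "payroll", "employee"),
    Record("vendor_contacts", "none", "procurement", "b2b_contact"),
]

if __name__ == "__main__":
    covered, why = ccpa_applies(SAMPLE_BANK)
    print(f"{SAMPLE_BANK.name}: covered={covered} ({'; '.join(why)})")
    for row in scope_dsar(SAMPLE_INVENTORY)["in_scope"]:
        print(f"  in scope: {row['system']:<20} {row['basis']}")
```

Running it shows Example Bancorp is covered on the consumer-count threshold alone, and that four of the six systems must be searched for an access request even though the bank is "a GLBA institution". The `breach_claim_still_applies` flag is the caveat step 5 should document: exempting core banking data from CCPA rights requests does not remove exposure to section 1798.150 if that data is breached.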

For a complete compliance walkthrough, see our What Is CCPA Compliance? guide and our CCPA Opt-Out Requirements overview.

Exemptions vs. Other State Privacy Laws

The CCPA's exemption structure is unique. Other state privacy laws handle exemptions differently:

  • Most state laws exempt nonprofits, but several do not: Colorado, Oregon, Delaware, and Maryland's MODPA all cover nonprofits
  • HIPAA and GLBA data exemptions are standard across nearly all state privacy laws
  • Employee data — most states other than California exempt employee data entirely, though this varies. Check our Employee Data Privacy Guide for details
  • Revenue thresholds — California is the only state where revenue alone triggers applicability. Utah and Tennessee use a $25 million revenue floor only in combination with a consumer-count test, and Florida's law reaches only businesses with more than $1 billion in global revenue. Most other states use consumer count thresholds only, typically starting at 100,000 consumers

Use the comparison tool to see exactly which exemptions each state provides.

Frequently Asked Questions

Are nonprofits exempt from the CCPA?

Yes. The CCPA applies only to for-profit businesses. Nonprofit organizations, including 501(c)(3) charities, trade associations, and educational nonprofits, are exempt from the CCPA regardless of their size or data practices. However, for-profit subsidiaries of nonprofits must comply if they meet the CCPA thresholds, and nonprofits may be subject to other California and state privacy laws.

Is employee data covered by the CCPA?

Yes, since January 1, 2023. The temporary employee data exemption expired when the CPRA took effect. Covered businesses must now provide employees and job applicants with all CCPA rights, including access, deletion, correction, and opt-out. HR departments must be prepared to handle DSARs for employee records within the 45-day response window.

Does the CCPA apply to healthcare companies?

It depends on what data is involved. Protected health information handled by HIPAA-covered entities and their business associates is exempt from the CCPA. However, any personal information a healthcare company collects outside the HIPAA context — such as website visitor data, marketing analytics, or consumer health app data — is subject to the CCPA if the company meets the applicability thresholds.

Are banks and financial institutions exempt from the CCPA?

Not entirely. The CCPA exempts personal information that is collected, processed, sold, or disclosed under the GLBA. This means financial data used in providing banking and investment services is exempt. However, any personal information a financial institution collects outside the GLBA context — website analytics, marketing data, non-financial customer information — remains subject to the CCPA.

Does the CCPA apply to B2B companies?

Yes. Since the B2B exemption expired on January 1, 2023, the CCPA fully applies to personal information collected in B2B transactions, including business email addresses, work phone numbers, and professional titles. B2B companies that meet the CCPA thresholds must honor consumer rights requests from their business contacts, maintain a compliant privacy policy, and implement opt-out mechanisms for any sale or sharing of this data.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.