CCPA Updates: Exemptions Signed into Law
Governor Newsom of California recently signed into law two new bills that provide clarity on two major exemptions to California’s comprehensive privacy law, the California Consumer Privacy Act (“CCPA”). These exemptions provide clarity for businesses assessing their compliance obligations. The CCPA applies to for-profit entities, located anywhere in the world, that do business in California, collect (or engage a third party to collect) the personal information of California residents and satisfy at least one of the following: (1) have over $25 million in annual gross revenue; or (2) buy, sell, receive or share, for commercial purposes, the personal information of 50,000 or more California residents, households or devices on an annual basis; or (3) derive 50 percent or more of their revenue from the sale of personal information of California residents, unless an exemption applies.
AB 713 addresses and clarifies the exemption the CCPA provides for protected health information as defined by the Health Insurance Portability and Accountability Act (“HIPAA”) and medical information as defined under the California Confidentiality of Medical Information Act (“CMIA”). To this end, AB 713 clarifies the following:
- The CCPA does not apply to business associates of a covered entity governed by HIPAA, to the extent that the business associate maintains, uses, and discloses patient information in the same manner as protected health information covered by HIPAA.
Finally, last month we detailed the extension of the business-to-business exemption from the CCPA under AB 1281, here, which has now been signed into law. We will continue to monitor updates to California’s privacy laws, including whether the CPRA passes in the upcoming election, which we previously summarized here.