CCPA Exemptions: HIPAA, GLBA, and FCRA
The California Consumer Privacy Act (CCPA) gives consumers more control over how their personal information is collected and used, but it makes a number of exemptions where there are already existing data privacy laws in place. The purpose of these exemptions is to avoid interfering with those regulatory schemes and placing undue burdens on businesses. The most significant exemptions are tied to three federal laws: the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA).

Critically, these are not blanket exemptions, but are tied to specific types of data collection and usage. A business that is regulated by the GLBA, for example, may still have obligations under the CCPA.

Health Insurance Portability and Accountability Act

HIPAA is a federal health-care law that regulates, among other things, the disclosure and security of protected health information (PHI). Under the CCPA exemption, the California law does not apply to PHI collected by a covered entity or business associate (similar to a CCPA service provider) that is governed by the privacy, security, and breach notification rules of HIPAA.

Note that this exemption covers only PHI; these businesses may also be collecting and using other personal information that is subject to CCPA requirements. In addition, the California law fully exempts covered entities to the extent they maintain patient information in the same manner as PHI.

The HIPAA exemption covers all provisions of the CCPA, including the private right of action for data breaches. This is likely because HIPAA already has its own data-protection requirements and the California Confidentiality of Medical Information Act (CMIA) grants a similar right of action to consumers.

Gramm-Leach-Bliley Act

The GLBA imposes privacy rules on financial institutions regarding the collection and sharing of consumers’ nonpublic personal information (NPI). NPI is “personally identifiable financial information” collected in connection with providing financial products or services. Under the GLBA’s Privacy Rule, financial institutions must disclose how NPI is collected and shared, as well as provide consumers with the opportunity to opt out of sharing their NPI with third parties.

Because the GLBA already has its own data privacy rules in place, the CCPA includes an exemption for personal information that is subject to the GLBA (i.e., NPI). It is not an entity-level exemption, though. If financial institutions are collecting personal information that is not subject to the GLBA, that personal information may be subject to the CCPA. For example, if a financial institution also provides non-financial products, personal information collected while providing those products could be covered by the CCPA.

Businesses that have already implemented a GLBA-compliance system should have a good idea as to what is or is not NPI. For any personal data that has been determined not to be NPI, businesses should evaluate their obligations under the CCPA.

Importantly, the CCPA does not exempt financial institutions from its private right of action concerning data breaches. Under this provision, California residents can sue businesses when their non-encrypted and non-redacted personal information is subject to unauthorized access, theft, or disclosure due to a business’s failure to implement and maintain reasonable data security procedures.

Fair Credit Reporting Act

The FCRA governs how personal information can be used by consumer reporting agencies such as credit bureaus and background-screening companies. It also gives consumers certain rights regarding the accuracy and privacy of their information.

The CCPA has an exemption for personal information that is collected, maintained, used, sold, or shared by consumer reporting agencies and furnishers of information (as defined by the FCRA). It is not an entity-level exemption; it applies only to the extent that the personal information is subject to the FCRA and is used as authorized by that law. Without this exemption, the overall credit-reporting system would be severely disrupted: California residents could, for example, request the deletion of their entire credit history.

As with the GLBA exemption, this does not apply to the CCPA’s private right of action. Businesses can still be sued by consumers for a cybersecurity breach caused by the business’s failure to implement and maintain reasonable security procedures.
The CCPA takes care to stay out of the way of HIPAA, the GLBA, and the FCRA, but it doesn’t mean businesses that are subject to these laws can completely ignore the CCPA. These businesses should carefully evaluate their practices to determine whether there are any areas where federal compliance ends and CCPA compliance begins.