Melissa Krasnow | January 29, 2021
The California Privacy Rights Act (CPRA) will become operative on January 1, 2023, subject to certain exceptions. This article discusses exceptions to the CPRA. Also, see "California Privacy Rights Act: Background, Application, and Definitions" and "California Privacy Rights Act: Consumer Rights, Enforcement, Security."
Exceptions
The CPRA shall not restrict a business's ability to do the following.
The CPRA is intended to supplement federal and state law, where permissible, but shall not apply where such application is preempted by, or in conflict with, federal law or the California Constitution. The provisions of the CPRA relating to children under 16 years of age shall only apply to the extent not in conflict with Children's Online Privacy Protection Act.
The CPRA is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers' personal information, including, but not limited to, Chapter 22 (commencing with section 22575) of Division 8 of the California Business and Professions Code and Title 1.81 (commencing with section 1798.80). The provisions of the CPRA are not limited to information collected electronically or over the Internet but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers' personal information should be construed to harmonize with the provisions of the CPRA, but in the event of a conflict between other laws and the provisions of the CPRA, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.
The provisions of the CPRA shall prevail over any conflicting legislation enacted after January 1, 2020.
The CPRA shall not apply to the following.
Cal. Civ. Code section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle's manufacturer if the vehicle or ownership information is shared for the purpose of (or in anticipation of) effectuating a vehicle repair covered by a vehicle warranty or a recall, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.
Cal. Civ. Code section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessel's manufacturer, as defined in Cal. Harbors and Navigation Code section 651, if the vessel information or ownership information is shared for the purpose of (or in anticipation of) effectuating a vessel repair covered by a vessel warranty or a recall, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.
The obligations imposed on businesses in Cal. Civ. Code sections 1798.105, 1798.106, 1798.110, and 1798.115 inclusive shall not apply to household data.
The CPRA does not require a business to comply with a verifiable consumer request to delete a consumer's personal information under Cal. Civ. Code section 1798.105 to the extent the verifiable consumer request applies to a student's grades, educational scores, or educational test results that the business holds on behalf of a local educational agency at which the student is currently enrolled.
The CPRA does not require in response to a request pursuant to Cal. Civ. Code section 1798.110 that a business disclose an educational standardized assessment or educational assessment or a consumer's specific responses to the educational standardized assessment or educational assessment where consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment.
Cal. Civ. Code sections 1798.105 and 1798.120 shall not apply to a business's use, disclosure, or sale of particular pieces of a consumer's personal information if the consumer has consented to the business's use, disclosure, or sale of that information to produce a physical item such as a school yearbook containing the consumer's photograph if the business has incurred significant expense in reliance on the consumer's consent; compliance with the consumer's request to opt-out of the sale of the consumer's personal information or to delete the consumer's personal information would not be commercially reasonable; and the business complies with the consumer's request as soon as it is commercially reasonable to do so.
Cal. Civ. Code sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agency's collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumer's role as the owner, director, officer, or management employee of the business.
Before January 1, 2023, the CPRA shall not apply to the following.
Before January 1, 2023, the obligations imposed on businesses by Cal. Civ. Code sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.
The CPRA shall not be construed to require a business, service provider, or contractor to reidentify or otherwise link information that in the ordinary course of business is not maintained in a manner that would be considered personal information; to retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained; or to maintain information in identifiable, linkable, or associable form or to collect, obtain, retain, or access any data or technology in order to be capable of linking or associating a verifiable consumer request with personal information.
Finally, the rights afforded to consumers and the obligations imposed on any business under the CPRA shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of section 2 of Article I of the California Constitution.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.