Are You Impacted by the CCPA?

The CCPA impacts businesses, independent of where their operations are located, that collect, share or sell personal information of California residents. These individuals could be consumers as well as possibly employees or independent contractors.

The CCPA also lists a number of exemptions that need to be considered when determining the act's applicability to a business. These exemptions relate to existing U.S. privacy laws. Subject to certain exemptions discussed below, the following decision tree outlines the initial determination of whether CCPA will impact a business:


Even though a business may appear to be covered under the CCPA, there are a number of exemptions that limit the act’s applicability. Covered businesses under existing privacy-related regulations need first to determine the extent to which the CCPA applies.


Entities Covered Under

  1. CCPA

  2. CFIPA

  3. HIPAA

  4. DDPA

  5. CMIA

  6. Common Rule

Do Not Have to Comply with the CCPA for Personal Information Falling into the Scope of:

  1. Non Public Information (NPI). i.e. Financial Information

  2. Non Public Information (NPI). i.e. Financial Information

  3. Protected Health Information (PHI)

  4. Personal Information in connection with a motor vehicle record

  5. Medical Information

  6. Information collected as part of trial subject

The success of the CCPA compliance project relies on an organization’s ability to mobilize its workforce and create a long-term solution based on a sound corporate culture and effective governance.

GLBA, CFIPA, or DDPA-regulated entities, however remain impacted by the right of action for consumers to seek statutory damages

HIPAA-regulated entities do not have to comply with CCPA if they are a Health Care Provider, Health Plan or Health Care Clearinghouse defined in the Privacy, Security, and Breach Notification established pursuant to the HIPAA


CMIA-regulated entities do not have to comply with CCPA if they are health care providers, health insurers, and individuals or businesses they contract with that have access to medical information, including IT companies (called contractors)


Performing an analysis will help organizations determine the CCPA’s applicability to their business. For instance, a financial institution governed by existing privacy laws, such as the GLBA, will likely have to comply with the CCPA’s new privacy rights for the categories or specific pieces of personal information that are not already covered by existing U.S. privacy laws.

Need more information?