US Data Privacy Law High-Water Mark: Data Exemptions
We continue our series on the high-water marks in US privacy laws. Previously, we looked at the applicability of the three laws under review: the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA). A necessary corollary to any discussion of applicability is a review of the exemptions, the cases where the law would generally apply to a circumstance but a specific carve-out takes it out of scope.
There are many categorical data exemptions under the US privacy laws. Broadly, they are all exemptions in deference either to pre-existing laws or to important public policy goals.
Within the category of deference to other laws are data covered under HIPAA, the Driver’s Privacy Protection Act of 1994, the Farm Credit Act, the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and 45 CFR 46 (Protection of Human Subjects).
Within the category of furthering public policy goals are exemptions for employment data and other information collected about employees, customer data collected by public utilities, vessel ownership information, vehicle ownership information, and information necessary to administer benefits.
All three of the data privacy laws exempt data that is covered by HIPAA, the Driver’s Privacy Protection Act of 1994, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Gramm-Leach-Bliley Act, and 45 CFR 46 for the Protection of Human Subjects. COPPA data isn’t exempted by the CCPA, but is exempted by the other two laws. Farm Credit Act data isn’t exempted by the CPA, but is exempted by the other two laws.
In light of this, the VCDPA gives the greatest deference to pre-existing laws. It effectively says, ‘keep complying with other laws, but in otherwise unregulated areas, comply with the VCDPA.’
What, then, are the CCPA and the CPA saying about the Children’s Online Privacy Protection Act and the Farm Credit Act, respectively? They are saying keep complying with these laws, but make sure you comply with them in a way that also complies with the CCPA/CPA.
The public policy data exemptions exist because of a public interest in certain activities that aren’t wholly compatible with the new data privacy laws. For instance, emergency contact information is exempted by both the CCPA and the VCDPA. That is information that some entity, such as an employer, may gather from you about your emergency contact. You consent to giving your employer that information, but the actual subject of the information, your emergency contact, doesn’t explicitly consent to you providing their name, phone number, mailing address, and possibly e-mail address to the employer.
Should entities such as employers, then have to destroy emergency contact information or get consent from the third-party emergency contact? California and Virginia say no. Colorado says yes.
Colorado also deviates from the other two states by not exempting information that is used for the administration of benefits. California and Virginia allow administrators to hold the information they need about third-party beneficiaries so that those beneficiaries can receive their benefits; Colorado requires getting consent from those beneficiaries or destroying the information.
All three states recognize the public policy benefit in allowing employers to collect data about their employees, but only California exempts the collection of vessel ownership information and vehicle ownership information.
With public policy exemptions, it’s tough to say which law is better for the public. Colorado takes the harder pro-privacy stance. California takes the most pragmatic approach, balancing privacy against other necessary public policy goals.
That’s all for now. In the next review we’ll compare the entities that are exempted by the laws. Hopefully, you have a better understanding of whether any of the US-based data privacy laws may apply to the data collected by your organization. If they do, you are in the right place for help. We handle data subject requests, data mapping, vendor management, consent management, data risk intelligence, and much, much more. Visit www.clarip.com or call 1-888-252-5653 for a demo.