

US Data Privacy Law High-Water Mark: Entity Exemptions


We continue our series on the high-water marks in US Privacy Laws.  Previously, we looked at the applicability of the three laws under review, the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA), and the types of data that were exempted.  Read the previous articles here: Applicability and Exempted Data.  To close the circle on the circumstances in which the laws will apply, we need to review the exempted entities within each law.

The following entities are exempt from one or more of the US data privacy laws: air carriers, national securities associations, state institutions of higher education, financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA), affiliates of financial institutions under the GLBA, the bodies, commissions, authorities, boards, bureaus, districts, or agencies of the state or its political subdivisions, nonprofit organizations, covered entities under HIPAA, health-care providers, consumer reporting agencies, furnishers of information under the Fair Credit Reporting Act (FCRA), users of consumer reports under the FCRA, and public utilities.

These exemptions fall into two primary categories.  The first is a means of deferring to other laws.  The second is a means of allowing certain entities to continue to function as they have historically.

Within the first category are exemptions for financial institutions and their affiliates subject to GLBA, covered entities under HIPAA, and consumer reporting agencies, furnishers of information, and users of information, all under the FCRA.

The second category, allowing certain entities to continue to function properly, covers the remaining entity exemptions.  The exemption for each entity is particular to its circumstances.

Air carriers may need to maintain no-fly lists, which would certainly include personal information and simply wouldn’t work properly if unruly passengers could refuse to consent to the air carrier maintaining information about them.

State institutions of higher education maintain academic and disciplinary records for students.  It’s not absolutely imperative that they be allowed to keep that information, but if they weren’t, it would vastly change the resume/job-finding landscape.

There are plenty of reasons to not disturb the status quo, especially for particular entities.  California has been the most rigid in focusing on consumer privacy by exempting the fewest categories of entities from its data privacy protections.  Colorado, perhaps having benefited from following in California’s path, has most wholeheartedly deferred to the status quo and to other relevant laws.  As trailblazers, the propounders of the CCPA found it hard to consider all of the impacts the law would have on entities.  Colorado, on the other hand, had more opportunity to think about niche cases like air carriers and national securities associations.

In terms of entity exemptions, California’s CCPA sets the high-water mark.

Look for future articles that take a deep dive into comparing these US privacy laws.

Hopefully, you have a better understanding of whether any of the US-based data privacy laws may apply to your organization.  If they do, you are in the right place for help.  We handle data subject requests, data mapping, vendor management, consent management, data risk intelligence, and much, much more.  Visit www.clarip.com or call 1-888-252-5653 for a demo.