What Types of Collection Are Excluded Under U.S. Privacy Laws?


Certain PI collection practices are excluded from regulation by U.S. privacy laws because they are already regulated under other state or federal laws. If your business’s collection of PI is subject to certain state and federal laws listed below, you will still add it to your data map, but that PI can be excluded from future privacy requests.

If you do not collect any information subject to the laws listed in the table below, you can skip to the next section.


State or Federal Law: What’s Excluded

California Confidentiality of Medical Information Act (CMIA)*
  • Medical information governed by CMIA
  • A provider of healthcare governed by CMIA

Health Insurance Portability and Accountability Act (HIPAA)
  • Protected health information collected by a covered entity or a business associate governed by HIPAA
  • A covered entity governed by the privacy, security, and breach notification rules established under HIPAA, to the extent it maintains patient information in the same manner as protected health information governed by CMIA

Federal Policy for the Protection of Human Subjects (the “Common Rule”)
  • PI collected as part of a clinical trial subject to the Common Rule, as long as certain other stipulations are met

Fair Credit Reporting Act (FCRA)**
  • The collection, use, sale or disclosure of PI by an agency, furnisher or user subject to FCRA regulation

Gramm-Leach-Bliley Act (GLBA)**
  • The collection, maintenance or disclosure of PI pursuant to GLBA

California Financial Information Privacy Act (CFIPA)**
  • The collection, maintenance or disclosure of PI pursuant to CFIPA

Driver’s Privacy Protection Act of 1994 (DPPA)**
  • PI collected, processed, sold or disclosed pursuant to DPPA

Farm Credit Act (FCA)**
  • PI collected, processed, sold or disclosed pursuant to FCA

Family Educational Rights and Privacy Act (FERPA)***
  • PI collected, processed, sold or disclosed pursuant to FERPA***

If you are unsure whether any of the laws above apply to your business’s collection of PI, you should consult an attorney who is familiar with the facts of your specific situation and the laws referenced above. 

* CCPA only

** Note: These exclusions do not apply to the private right of action established by the CCPA, meaning if data collected pursuant to these laws is subject to a security breach, consumers can still sue the business. Learn more about the CCPA’s private right of action.

*** Does not apply to CCPA

This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.