Chapter 6: State Comprehensive Privacy Laws
Which Entities Are Excluded from Business
All five states exempt governments, nonprofits, and FCRA-covered entities. But the states diverge on higher education, securities associations, and especially HIPAA and GLBA entity-level exemptions.

| Exclusion | States that exempt |
|---|---|
| Governments and nonprofits | All five (typically) |
| Entities covered by the FCRA | All five |
| Entities covered by the GLBA | Colorado, Connecticut, Utah, Virginia |
| HIPAA entities | Connecticut, Utah, Virginia |
| Institutions of higher education | Connecticut, Utah, Virginia |
| Registered national securities associations | Colorado, Connecticut |

FCRA is the only universal federal exemption
All five states exempt FCRA entities. Note the gaps: California does NOT grant a GLBA or HIPAA entity-level exemption in this list, and California is not listed for the higher-education exemption. Watch which state is missing.
Key terms - quick answers
What is “FCRA”?
The Fair Credit Reporting Act; all five state comprehensive laws exempt FCRA-covered entities.
What is “GLBA”?
The Gramm-Leach-Bliley Act governing financial privacy; four of the five states grant a GLBA entity-level exemption.