State comprehensive laws use two exemption types: entity-level exemptions (a whole organization is exempt) and data-based exemptions (only a class of data is exempt). The distinction matters because, under a data-based exemption, a business may hold some exempt data alongside other data that remains regulated (such as HR records).
An entity-level exemption exempts a whole type of organization, typically nonprofits, institutions of higher education, and local governments. A data-based exemption exempts only a class of data, such as data covered by a federal law like the DPPA.
For federally regulated data (HIPAA, GLBA), states vary: some grant an entity-level exemption (the whole entity escapes the state law) and others grant only a data-based exemption (only the federally covered data is exempt).
🧩 Why the distinction bites
Under a data-based exemption, a company's HIPAA-covered records may be exempt, but its human resources records remain subject to the state law. The same company can hold both exempt and regulated data at once.
Key terms - quick answers
What is “Entity-level exemption”?
An exemption where an entire type of organization is exempt from the law (e.g., nonprofits, higher education, local governments).
What is “Data-based exemption”?
An exemption where only a class of data is exempt (e.g., data already covered by a federal law), leaving the rest of the entity's data regulated.
What is “DPPA”?
The Driver's Privacy Protection Act, a federal law whose covered data is an example of a data-based exemption under state comprehensive laws.