5 answers to your most pressing questions on CCPA, the latest privacy law


5 answers to your most pressing questions on CCPA, the latest privacy law

What the California Consumer Privacy Act (CCPA) means for higher ed

On January 1, 2020 the California Consumer Privacy Act (CCPA) went into effect as the first general state law to give extensive privacy rights to consumers in the United States.

In the wake of the General Data Protection Regulation (GDPR), CCPA sets the precedent for future legislation as the federal government and state legislatures navigate the complex data privacy environment of today’s technology-driven world. As with any new legislation, the key is understanding who should be paying attention and how to best respond.

Given that the final regulations have not yet been issued and the law is still in progress, our IT Forum team hopes to help shed a light on what this means for higher education at this point in time. Below, we answer the questions everyone is asking about the latest privacy law and how higher education institutions can best prepare.  

What is CCPA?

CCPA is a privacy law that protects California consumers by allowing them to request to view all personal information a business has collected on them for commercial purposes in the past 12 months, including a list of third parties that also have access to that information.

In addition to the consumer right to know about information collected, sold, and disclosed about them, other key provisions under CCPA include the consumer right to request to have their information deleted and to opt-out of the sale of their information. For children under 13, covered businesses need permission from a parent or guardian to sell their information. Finally, CCPA prohibits covered businesses from discriminating against consumers for exercising their rights.

Who needs to comply with CCPA?

CCPA applies to any for-profit entity that does business in California and falls within at least one of the following categories:

  • Collects the personal information of 50,000 or more consumers, households, or devices in one year
  • Makes $25 million or more in annual revenue
  • Earns more than 50% of annual revenue selling personal data

How does CCPA affect higher education?

While non-profits are not obligated to comply with CCPA, non-profit higher education institutions do rely on vendors subject to the CCPA in their daily operations. For example, many technology providers are subject to CCPA as they collect, process, and sell personal data. However, not all vendors will be considered a “business” as some will qualify as a “service provider” and do not need to comply with many of the CCPA provisions. The key factor is whether the vendor is determining the purpose and means of processing the personal information, in which case such vendor would be subject to CCPA.

What is higher education’s responsibility under CPPA?

Despite not being obligated to comply with CCPA, non-profit higher education institutions are still responsible for understanding CCPA and should be ready to support users who have questions around the provisions and requests involving institutional data. Since CCPA will place a high standard on the protection of personal data, it is in higher education’s best interest to make sure their vendors are up to these standards and that institutional data is safe in vendor hands.

As of right now, there are currently 9 other states (Washington, Connecticut, Hawaii, Rhode Island, Maryland, Minnesota, Wisconsin, Illinois, and New Jersey) contemplating privacy laws. CCPA’s non-profit exemption may not apply to future laws, so institutions should be mindful of how the privacy landscape is changing and how best to prepare.

What should I be doing now?
Make sure you can track institutional data within your own systems and the flow of information to your vendors. For help cleaning up your data policies and management, see our Data Governance Center of Excellence.
Consider de-identifying data
Consider policies around de-identifying institutional data on campus and with vendors, where possible.
Don't hoard data
Delete legacy data that is no longer serving a business purpose and eliminate unnecessary paper copies of documents with personal information. Data can’t be private unless it is secure in the first place.
Review vendor contracts
Review existing and future vendor contracts with legal counsel to ensure vendors are responsible for complying with all applicable law.
Stay up to date
CCPA is a new and evolving law that is still not clearly defined in many areas, leaving a lot of questions unanswered. Staying on top of further development and future laws in other states will be critical moving forward.

You may also like

Carleton College’s Chief Technology Officer, Janet Scannell, sat down with EAB’s IT Strategy Advisory Services to share her strategies for diversifying the IT workforce. These strategies helped IT backfill half of FY22’s eight vacancies with BIPOC candidates. Read on to see three strategies that have made Carleton successful in increasing staff diversity in IT.

EAB asks you to accept cookies for authorization purposes, as well as to track usage data and for marketing purposes. To get more information about these cookies and the processing of your personal information, please see our Privacy Policy. Do you accept these cookies and the processing of your personal information involved?