On January 1, 2020 the California Consumer Privacy Act (CCPA) went into effect as the first general state law to give extensive privacy rights to consumers in the United States.
In the wake of the General Data Protection Regulation (GDPR), CCPA sets the precedent for future legislation as the federal government and state legislatures navigate the complex data privacy environment of today’s technology-driven world. As with any new legislation, the key is understanding who should be paying attention and how to best respond.
Given that the final regulations have not yet been issued and the law is still in progress, our IT Forum team hopes to help shed light on what this means for higher education at this point in time. Below, we answer the questions everyone is asking about the latest privacy law and how higher education institutions can best prepare.
What is CCPA?
CCPA is a privacy law that protects California consumers by allowing them to request to view all personal information a business has collected on them for commercial purposes in the past 12 months, including a list of third parties that also have access to that information.
In addition to the consumer right to know about information collected, sold, and disclosed about them, other key provisions under CCPA include the consumer right to request to have their information deleted and to opt out of the sale of their information. For children under 13, covered businesses need permission from a parent or guardian to sell their information. Finally, CCPA prohibits covered businesses from discriminating against consumers for exercising their rights.
Who needs to comply with CCPA?
CCPA applies to any for-profit entity that does business in California and falls within at least one of the following categories:
- Collects the personal information of 50,000 or more consumers, households, or devices in one year
- Makes $25 million or more in annual revenue
- Earns more than 50% of annual revenue selling personal data
How does CCPA affect higher education?
While non-profits are not obligated to comply with CCPA, non-profit higher education institutions do rely on vendors subject to the CCPA in their daily operations. For example, many technology providers are subject to CCPA as they collect, process, and sell personal data. However, not all vendors will be considered a “business”: some will qualify as a “service provider” and do not need to comply with many of the CCPA provisions. The key factor is whether the vendor determines the purpose and means of processing the personal information; if it does, the vendor is subject to CCPA.
What is higher education’s responsibility under CCPA?
Despite not being obligated to comply with CCPA, non-profit higher education institutions are still responsible for understanding CCPA and should be ready to support users who have questions around the provisions and requests involving institutional data. Since CCPA will place a high standard on the protection of personal data, it is in higher education’s best interest to make sure their vendors are up to these standards and that institutional data is safe in vendor hands.
Currently, 9 other states (Washington, Connecticut, Hawaii, Rhode Island, Maryland, Minnesota, Wisconsin, Illinois, and New Jersey) are contemplating privacy laws. CCPA’s non-profit exemption may not apply to future laws, so institutions should be mindful of how the privacy landscape is changing and how best to prepare.