Skip navigation
EAB Logo Navigate to the EAB Homepage Navigate to EAB home

5 answers to your most pressing questions on CCPA, the latest privacy law

March 13, 2020, By Maggie Dwyer, Strategic Leader, Data and Analytics

On January 1, 2020 the California Consumer Privacy Act (CCPA) went into effect as the first general state law to give extensive privacy rights to consumers in the United States.

In the wake of the General Data Protection Regulation (GDPR), CCPA sets the precedent for future legislation as the federal government and state legislatures navigate the complex data privacy environment of today’s technology-driven world. As with any new legislation, the key is understanding who should be paying attention and how to best respond.

Given that the final regulations have not yet been issued and the law is still in progress, our IT Forum team hopes to help shed a light on what this means for higher education at this point in time. Below, we answer the questions everyone is asking about the latest privacy law and how higher education institutions can best prepare.

What is CCPA?

CCPA is a privacy law that protects California consumers by allowing them to request to view all personal information a business has collected on them for commercial purposes in the past 12 months, including a list of third parties that also have access to that information.

In addition to the consumer right to know about information collected, sold, and disclosed about them, other key provisions under CCPA include the consumer right to request to have their information deleted and to opt-out of the sale of their information. For children under 13, covered businesses need permission from a parent or guardian to sell their information. Finally, CCPA prohibits covered businesses from discriminating against consumers for exercising their rights.

Who needs to comply with CCPA?

CCPA applies to any for-profit entity that does business in California and falls within at least one of the following categories:

  • Collects the personal information of 50,000 or more consumers, households, or devices in one year
  • Makes $25 million or more in annual revenue
  • Earns more than 50% of annual revenue selling personal data

How does CCPA affect higher education?

While non-profits are not obligated to comply with CCPA, non-profit higher education institutions do rely on vendors subject to the CCPA in their daily operations. For example, many technology providers are subject to CCPA as they collect, process, and sell personal data. However, not all vendors will be considered a “business” as some will qualify as a “service provider” and do not need to comply with many of the CCPA provisions. The key factor is whether the vendor is determining the purpose and means of processing the personal information, in which case such vendor would be subject to CCPA.

What is higher education’s responsibility under CPPA?

Despite not being obligated to comply with CCPA, non-profit higher education institutions are still responsible for understanding CCPA and should be ready to support users who have questions around the provisions and requests involving institutional data. Since CCPA will place a high standard on the protection of personal data, it is in higher education’s best interest to make sure their vendors are up to these standards and that institutional data is safe in vendor hands.

As of right now, there are currently 9 other states (Washington, Connecticut, Hawaii, Rhode Island, Maryland, Minnesota, Wisconsin, Illinois, and New Jersey) contemplating privacy laws. CCPA’s non-profit exemption may not apply to future laws, so institutions should be mindful of how the privacy landscape is changing and how best to prepare.

What should I be doing now?

1. Ensure your ability to track data

Make sure you can track institutional data within your own systems and the flow of information to your vendors. For help cleaning up your data policies and management, see our Data Governance Center of Excellence.

2. Consider de-identifying data

Consider policies around de-identifying institutional data on campus and with vendors, where possible.

3. Don't hoard data

Delete legacy data that is no longer serving a business purpose and eliminate unnecessary paper copies of documents with personal information. Data can’t be private unless it is secure in the first place.

4. Review vendor contracts

Review existing and future vendor contracts with legal counsel to ensure vendors are responsible for complying with all applicable law.

5. Stay up to date

CCPA is a new and evolving law that is still not clearly defined in many areas, leaving a lot of questions unanswered. Staying on top of further development and future laws in other states will be critical moving forward.

Maggie Dwyer

Maggie Dwyer

Strategic Leader, Data and Analytics

Read Bio

More Blogs


Inspire better data stewardship across campus. This university shows us how.

See four lessons to inspire better data stewardship across campus.
Data & Analytics Blog

Getting your data efforts in order

Our back to school webconference series covers best practices for data governance and quality, data accessibility, and information…
Data & Analytics Blog

Weighing the benefits and risks of enterprise CRM

Review lessons from institutions that are implementing an enterprise-wide CRM solution, aiming to consolidate data within a unified…
Data & Analytics Blog