California Consumer Privacy Act Compliance and Higher Education Institutions
On January 1, 2020, AB 375 of the California Consumer Privacy Act officially went into effect.
Essentially, this law was designed to protect the personal online information of California consumers. Any for-profit California businesses (including higher education institutions) are affected if one or more of the following are true. The institution:
- has $25+ million in annual revenue
- collects information of 50,000+ consumers
- makes more than half its income from the sale of personal information
Most for-profit institutions that were affected by this law have already made the necessary changes. But should non-profit higher education institutions be prepared?
The answer: Probably.
Non-Profit Higher Ed and the CCPA
If your institution is a non-profit, you likely aren’t directly affected by the CCPA – but you may partner with CCPA-covered entities that are. Businesses that help you process payments or ERPs that help you manage student information will need to make sure they adhere to guidelines set by the new law.
These businesses will need to:
- Disclose how and where personal info is collected, share the business purpose for that collection, and the category of third parties of which the information is shared.
- Give consumers the right to request deletion of their personal information from these databases and offer them the chance to opt out of having their personal information sold. (Though, if the consumer is over 16, businesses can offer financial incentives for consumer information sales.)
What Counts as Personal Information?
For the most part, the information deemed “personal” by the new law isn’t full of too many surprises, though there are a few newer additions. They include:
- Real name, alias, address, IP addresses, emails, account names, SSN, driver’s license #, etc.
- Record of property, products/services purchased, or other purchasing or consuming histories
- Fingerprints, facial patterns, vocal tendencies
- Internet browsing history, search history, website activity, applications
- Geolocation (typically taken from a computer or mobile device)
- Audio/visual, electronic, thermal, olfactory
- Professional/employment-related information
- Any non-public PII as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
Steps You Can Take
First, gather as much information as you can concerning the data that your institution collects and manages. Keep this separate from any information managed by a third party.
Second, perform a business partner audit. How many third-party CCPA-covered businesses does your institution partner with? Have they taken the proper steps needed to be CCPA-compliant?
Third, keep an eye on the news. Even if you aren’t a California-based institution, monitor state and federal legislatures for privacy laws similar to this one.