If your institution operates or conducts business in California and collects a large amount of personal information, you should be aware of the new privacy law that’s been implemented so that you can avoid a hefty fine. As of January 1, the landmark data privacy law officially came into effect, providing new rights around commercial data collection that have never existed before in the US.

The California Consumer Privacy Act, or CCPA, is the first law in the US to set up a comprehensive set of rules around consumer data, somewhat similar to the European Union’s General Data Protection Regulation, or GDPR. So, you’ll want to be aware of the key changes.

What constitutes personal data?

Technology advancement has allowed companies to collect much more than just your name, address, and email. Applications and websites have the ability, using pixels, to track what you buy and where you go, giving them the ability to assemble detailed consumer personas that describe exactly who consumers are. 

The CCPA has a non-exhaustive list of "personal data" that a company must disclose, and delete upon request. To name a few, here’s what’s considered personal data:

  • Biometric information

  • Characteristics of protected classifications under California or federal law

  • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies

  • Geolocation data

  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act

  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

How does the law affect prospective students? 

Under the CCPA, students who reside in California may be entitled to know the categories of information collected and even see the specific pieces of information an institution has on them. However, while the CCPA is interpreted to not cover colleges and universities, as they are often considered not-for-profit entities, it lacks guidance on how to determine whether a business is indeed for-profit or not. Therefore, this is still a grey area that lawmakers need to clarify. Keep in mind that institutions don’t have to ask permission to sell your data; they only have to stop selling it if you explicitly tell them to. If your institution is covered by the CCPA, here are the new rights your prospective students can assert:

  • Right to access information – prospective students in California will be able to know the “what, who, and why” surrounding their personal information. Specifically, they can request the following, which must be provided in a digestible format:

    • Which categories of information were collected and sold

    • From whom this information was collected, with whom it was shared, and to whom it was sold

    • Why it was collected

  • Right to deletion – prospective students in California will be able to request that an institution delete the personal information it has collected about them.

  • Right to opt-out – prospective students in California will be able to direct an institution to not sell their personal information to third parties (although the definition of “sell” in the bill is broader than simply monetary exchange).

How does the law affect Higher Education?

The law applies to any for-profit institution that operates in California and meets one of the following:

  • Has an annual gross revenue of $25 million or more

  • Deals with the personal information of 50,000 or more students a year

  • Generates half of its revenue from the sale of personal data

There is a six-month enforcement grace period to July 1, 2020, and institutions have 30 days to comply with the law once regulators notify them of a violation. If you fail to comply, there could be financial penalties up to $7,500 per record for intentional violations. This may seem like a relatively small amount considering the revenue stream of large tech companies, but if the breach affects all its users, the costs can quickly skyrocket. Meanwhile, individual students can sue for $100 to $750 in the event an institution gets hacked due to negligence. 

How could HE institutions prepare? 

  • Don’t assume exemption - If you work with third-party vendors that process students’ personal information, more than likely it will be subject to the CCPA

  • Not-for-profit institutions - Although the CCPA is interpreted to not cover colleges and universities as they are often considered nonprofit entities, it lacks guidance on how to determine whether a business is indeed for-profit or not. So, make sure you exercise caution and do not assume you’re exempt.

  • For-profit institutions - Based on the business definition of the CCPA, for-profit institutions may be subject to its requirements if they hold the personal data of 50,000 or more students.

Be prepared!

Regardless of whether the CCPA applies to your institution or not, you should take an interest in it because it’s very likely that your technology providers, such as your CRM, student record software or marketing platform, will be subject to the CCPA. And it is your responsibility to conduct the required due diligence to ensure that your providers are compliant.

Although the CCPA provides a general exception that the obligations imposed upon a business shall not restrict a business’s ability to “comply with federal, state, or local laws,” there are still questions as to what types of data may be necessary to comply with federal law and what types of data may be erased in compliance with CCPA requirements.

Here at Natives, we’ll be continuing to keep an eye on how this unfolds for the rest of 2020. 


Article by

Kevin Hsu

Marketing Executive