While the CCPA does not apply to nonprofit educational institutions, it may apply to certain for-profit educational institutions, third-party service providers, and others in the education space. If an educational entity meets the threshold requirements below or it processes information on behalf of such an entity, it should prepare for CCPA implementation by January 2020.
The CCPA applies to for-profit businesses that collect the personal information of California consumers, and meets at least one of the following criteria: 1) annual gross revenue over US$25 million; 2) buys, receives, sells, or shares the data of over 50,000 California residents annually for commercial purposes; or 3) derives over 50 percent of its annual revenue from selling consumer information. The CCPA also applies to service providers that process consumer information on behalf of qualifying business entities.
The CCPA covers several different activities related to consumer information. First, the CCPA regulates the disclosures businesses must provide consumers before their personal information is collected and what businesses can do with the personal information. Second, the CCPA governs the sale of personal information, with “sale” defined very broadly to include data transfers in exchange for any valuable consideration. Finally, the CCPA oversees disclosure of personal information for business purposes.
Regulated educational entities should be wary of the following key requirements of the CCPA:
- Maintain public disclosures that outline the rights listed in the CCPA and the categories of personal information that are collected, sold, or disclosed for business purposes (e.g., a for-profit university would post a disclaimer on its website that it purchases phone numbers of prospective students).
- Allow consumers to receive information detailing what personal information has been collected, sold, or disclosed by the business in question (e.g., if requested by a student, an online program management (OPM) provider would disclose to students that it has distributed student email addresses to partner institutions).
- Delete consumers’ personal information upon request, subject to a number of exceptions (e.g., a for-profit computer programming “boot camp” would delete a student’s mailing address from its database after a request is sent).
- Allow consumers to opt out of the sale of personal information (e.g., a for-profit university would place a “do not sell my personal information” link on its homepage).
Business entities are not allowed to discriminate against consumers who exercise their rights under the CCPA. However, businesses are permitted to offer financial incentives for consumers to provide consent for the collection, sale, or deletion of their personal information.
Once in effect, the California attorney general’s office will have jurisdiction over enforcement. Businesses have 30 days to cure alleged violations, if these are not cured, then the attorney general’s office can levy civil penalties of up to US$7,500 per intentional violation. Unlike the Family Educational Rights and Privacy Act (FERPA), the CCPA authorizes a limited private right of action for consumers whose personal information is subject to unauthorized disclosure. But this private right of action only applies to disclosure of sensitive personal information that includes social security numbers, passwords, and medical information.
The CCPA provides consumers broad privacy rights. Though it is not applicable to all educational entities, many businesses in the education sector, including large education technology companies, should be aware of its requirements.
Authored by Bret Cohen, Greg Ferenbach, Ray Li, Julian Flamant and Filippo Raso