In education, CCPA likely applies to your company. If you're a for-profit edtech vendor that collects personal data from California users, you're probably subject to the law's requirements.
What Is the CCPA?
CCPA stands for the California Consumer Privacy Act. It grants residents of California:
- The right to know what personal information is being collected about them.
- The right to delete personal information held by businesses.
- The right to opt out of the sale of their personal information.
- Protection against discrimination for exercising these rights.
Businesses must comply with CCPA if they do business in California and meet at least one of these criteria:
- Have gross annual revenues over $25 million, or
- Buy, receive, sell, or share the personal information of 100,000 or more consumers, households, or devices, or
- Earn 50% or more of annual revenue from selling personal information.
How Does CCPA Impact Edtech Vendors?
This means that if your edtech company meets one or more of the criteria above and collects personal data from users in California (think: students, parents, teachers, or administrators), CCPA likely applies to you. Even though CCPA doesn’t apply to most non-profits (like most public schools and universities), the burden of compliance is placed on the vendor (read: their for-profit partners).
Here’s what that means in practice:
- You need to disclose what data you collect, how you use it, and who you share it with.
- If you allow users to create accounts, you need a "Do Not Sell My Personal Information" link.
- You must implement processes to respond to access and deletion requests.
- If you collect data from users under 16, consent requirements apply (under 13: parental consent; 13-16: direct consent).
While schools are often covered under FERPA, CCPA applies in addition to FERPA and other data privacy or security laws (both domestic and international). If your practices fall under the scope of broader consumer protection laws like the GDPR or CCPA, additional compliance obligations may apply.
CCPA Compliance for Edtech Companies
Compliance isn’t just about checking a legal box. It requires planning across teams. Here are some conceptual areas edtech companies should focus on:
1. Understand Your Data Flows
Map out what personal data you collect, from whom, and for what purposes. You need to know:
- What data comes in (e.g., names, email addresses, login timestamps, IP addresses)
- Where it’s stored
- Who has access to it (including third-party vendors)
- How long you keep it
2. Build a Clear Privacy Policy
Your privacy policy should be written in plain language and include:
- A list of data types collected
- How data is used and shared
- Users’ rights under CCPA
- How users can exercise those rights
3. Provide Easy Opt-Outs
You must offer a way for users to opt out of the sale of their personal information, even if you don’t "sell" data in the traditional sense (e.g., sharing with advertisers).
4. Prepare for Consumer Requests
You’ll need internal processes to:
- Respond to user data access and deletion requests
- Verify user identity before disclosing or deleting information
- Track and log all requests and responses
How the CPRA Changed the CCPA in 2023
In 2020, California passed the California Privacy Rights Act (CPRA), which amended and expanded the CCPA. It became enforceable on January 1, 2023. Here’s what changed:
- A new enforcement agency was created: the California Privacy Protection Agency (CPPA)
- The threshold for regulated businesses remained, but more obligations were added
- New rights for consumers:
  - The right to correct inaccurate personal information
  - The right to limit the use of sensitive personal information
- New obligations for businesses:
  - Conducting regular risk assessments
  - Establishing contracts with third-party data processors that meet specific legal requirements
These changes make it even more important for edtech vendors to treat data transparency and protection as ongoing practices.
CCPA Enforcement Trends
The California Attorney General and CPPA have ramped up enforcement since 2020. While there have been no high-profile CCPA actions against edtech vendors yet, recent actions taken in other industries signal what’s possible:
- Healthline was fined $1.55M for failing to honor opt-outs related to behavioral advertising
- Honda received a notice of violation over data practices tied to online tracking
- The CPPA has launched investigations into location data collection and cross-context behavioral advertising
Final Thoughts
The CCPA sets a bar for how data should be collected, processed, and shared. For edtech companies, that bar is worth meeting. Not just to avoid fines, but to build trust with schools, districts, and users.
Updated: July 24, 2025