The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The law is intended to enhance the online data and privacy protections for California consumers. The CCPA covers for-profit entities that collect personal information, do business in California, and meet one of the following thresholds:

  1. Have an annual revenue over $25 million;
  2. Collect the information of over 50,000 consumers per year;
  3. Earn 50% or more of its annual revenue from selling personal information.

The CCPA requires these businesses to implement several processes to help California consumers better understand and control the data that companies collect about them. Some of the key responsibilities that covered companies now have include:

  • Implementing a "Do Not Sell My Personal Information" link on their website's homepage that will allow users to opt out of the sale of their information;
  • Updating their privacy policies to reflect the new rights that California consumers have under the CCPA;
  • Implementing a process to obtain parental consent for children under 13 (similar to COPPA) and to obtain affirmative consent for children between the ages of 13 and 16;
  • Deleting consumers' personal data upon request (as long as it does not interfere with existing laws, such as FERPA); and
  • Allowing consumers to see what personal information the business has collected, bought, or sold.

Under the CCPA, state regulators will notify offending companies of their violation and give them 30 days to comply. If the issue is not resolved, then the company can be fined up to $7,500 per incident for intentional violations and up to $2,500 per incident for unintentional violations.

In addition, the CCPA imposes statutory damages on companies that suffer preventable data breaches or preventable instances of data theft. A consumer whose data is affected can collect $100 to $750, or actual damages (whichever is greater), from the company for each instance.

What does the CCPA mean for education?

As mentioned above, the CCPA covers for-profit businesses that meet certain user or monetary thresholds. For-profit universities certainly meet these criteria and must comply with the CCPA. Meanwhile, K-12 schools and universities that operate as non-profit entities do not fall under the purview of the CCPA. However, their service providers, which may maintain and transfer student and faculty data, are for-profit entities. This means that schools have to be cognizant of how their service providers are complying with the CCPA. This will require a thorough understanding of the text of the law and of how data is used between the school and the service provider.

Generally, CCPA regulations will not affect service providers that are contracted by a school to receive and store personal information for specific, explicitly limited business purposes. For example, service providers that are already compliant with SOPIPA, FERPA, and COPPA will likely be compliant with the CCPA as well. However, schools that purchase consumer information from businesses must also abide by the CCPA.