What is CCPA and How Does it Impact Education?

The CCPA lists for-profit entities that collect personal information, do business in California, and meet one of the following thresholds:

  1. Have an annual revenue over $25 million;
  2. Collected the information of over 50,000 consumers per year;
  3. Earn 50% or more of it's annual revenue from selling personal information.

The CCPA demands businesses that meet these requires to implement several processes to help California consumers better control and understand the data that companies collect. Some of the key responsibilities that these companies now have include:

  • Implementing a "Do Not Sell My Personal Information" link on their website's homepage that will allow users to opt out of the sale of their information.
  • Updating their privacy policies to reflect the new rights that California consumers have under the CCPA.
  • Implementing a process to obtain parental consent for children under 13 (similar to COPPA) and to obtain affirmative consent for children between the ages of 13 to 16.
  • Deleting consumers' personal data upon request (as long as it does not interfere with existing laws, such as FERPA).
  • Allowing consumers to see what personal information the business has collected, bought, or sold.

Under the CCPA, state regulators will notify offending companies of their violation and give them 30 days to comply. If the issue is not resolved, then the company can be fined up to $7,500 per incident for intentional violations and up to $2,500 per incident for unintentional violations.

In addition, the CCPA enacts statutory damages on companies who suffer preventable data breaches or preventable instances of data theft. A consumer whose data is affected can collect $100 to $750, or actual damages (whichever is greater), from the company for each instance.

What does the CCPA mean for education?

As mentioned above, the CCPA affects for-profit businesses that meet certain user or monetary thresholds. For-profit universities certainly meet this criteria and must comply with the CCPA. Meanwhile, K12 schools and universities which operate as non-profit entities do not fall under the purview of the CCPA. However, their service providers, which may maintain and transfer student and faculty data, are for-profit entities. This means that schools have to be aware of how service providers are complying with CCPA. This requires a deep understanding of the text of the law and how data is used between the school and the service provider.

Generally, CCPA regulations will not affect service providers who are contracted by a school to receive and store personal information for specific business purposes which are explicitly limited. For example, service providers that are already compliant with SOPIPA, FERPA, and COPPA, will likely be compliant with the CCPA, as well. However, schools that purchase consumer information from businesses must also abide by the CCPA.


If you’re interested to learn more about Edlink’s Unified API, here’re other articles we’ve written.

If you're looking for a partner to guide you through developing integrations, then let us introduce ourselves. We're Edlink!