The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. When it does, it will be the strictest privacy law in the country, and may be a model for other states as well.
The CCPA applies to any for-profit entity that does business in California, collects the information of California consumers and satisfies any one of the following three criteria: (1) has more than $25 million in annual revenue; (2) collects the information of 50,000 or more consumers, households or devices; or (3) derives more than half of its income from the sale of consumers’ personal information. Although the statute lacks any definition of “doing business in California,” it is not a requirement that the business be a California entity or have its principal operations in the state. If a business would be subject to personal jurisdiction in California based on its activities within the state (including, for example, recruitment and advertising), it is likely that the CCPA would apply. The statute also specifically grants rights to California consumers, which would include California students attending out-of-state schools.
Many of the country’s for-profit schools will be subject to the CCPA based on either the annual revenue or number-of-records-collected provisions (or both). These entities will need to comply with all of the CCPA’s provisions, and, if they haven’t already, must take immediate steps to comply.
Perhaps less obviously, the CCPA has important implications for non-profit institutions as well. While non-profit institutions are not covered “businesses” as defined in the CCPA, non-profit schools rely on businesses that are subject to the CCPA to operate. Non-profit colleges and universities will therefore need to fully understand the CCPA even if they are not covered “businesses” themselves.
For-profit schools collect massive amounts of consumer data—which includes information collected from students. An existing federal law, the Family Educational Rights and Privacy Act (FERPA), partly addresses students’ privacy rights in their educational records, and for-profit schools must already comply. The CCPA, however, imposes significant new obligations on covered for-profit schools regarding the student data they collect and hold.
So what will covered for-profit schools need to do when the statute takes effect? In general terms, the CCPA grants California consumers certain rights with respect to their data. Starting on January 1, California consumers will have the right to ask covered entities what data they collect and what they do with it. Consumers will also have the right to ask covered businesses to delete their data, or to stop selling it.
To comply with the CCPA, covered for-profit schools will need to develop (1) notices to inform consumers of these rights, (2) processes to verify the identity of consumers making requests, and (3) processes to implement consumers’ requests. Covered for-profit schools will also need to maintain accurate records of compliance, and train employees whose responsibilities involve the CCPA.
In addition to understanding the key provisions of the CCPA, for-profit schools will also need to understand the exemptions that may apply to some of the consumer information they hold. The CCPA contains an exemption, for example, for data already covered by the federal Gramm-Leach-Bliley Act (GLBA). The GLBA, in very general terms, applies to information collected by a financial institution for purposes of providing a financial service or product. But while for-profit schools are generally considered to be subject to the GLBA, not all of the information they collect is GLBA-covered (for example, because it’s not collected for the purpose of providing a financial service or product). For-profit schools will need to understand what consumer data in their files is subject to the GLBA, and therefore arguably exempt from the CCPA.
The CCPA is enforceable by California’s Attorney General. Enforcement will begin on July 1, 2020. The CCPA is also privately-actionable for data breaches, with statutory penalties of $100 to $750 per consumer, per incident. The CCPA is privately-actionable immediately when the statute takes effect on January 1, 2020.
The CCPA applies to “businesses,” which are defined (in part) as for-profit entities. The statute was not intended to apply to non-profit colleges and universities, which do not need to comply with most of the statute’s provisions. That does not mean, however, that non-profit schools can ignore the CCPA entirely, as the CCPA will impact non-profit schools’ daily operations in key ways.
First, non-profit schools utilize CCPA-covered entities to operate every day. As just a few examples, schools utilize covered entities to advertise to prospective students, collect and process students’ financial information, analyze student data, and implement learning management systems.
The CCPA and its draft implementing regulations, issued on October 10, 2019, provide some guidance regarding non-profits that engage for-profit (and CCPA-covered) service providers to process consumer information. Importantly, a “service provider” under the CCPA (as opposed to a “business”) does not need to comply with most of the CCPA’s provisions regarding notices to consumers or compliance with consumers’ requests. Because non-profit schools are not “businesses” either, they likewise do not need to comply.
Ensuring that non-profit schools and their for-profit service providers can avoid many of the CCPA’s provisions will require a solid understanding of the CCPA. Most importantly, whether a third party is a “service provider” depends largely on the language of its contract with the entity that supplies the consumer information (i.e. the non-profit school). Generally, if an entity receives consumer information for a “business purpose,” and receives it pursuant to a contract that limits the information’s use to that purpose, the recipient will be deemed a “service provider” and not a covered “business” itself. Non-profit schools must therefore be very careful that their outside contracts comply with the CCPA’s provisions allowing their outside vendors to remain “service providers.”
Second, non-profit schools may purchase consumer information from CCPA-covered entities (for example, schools may purchase mailing lists for recruitment purposes) and in so doing subject themselves to certain provisions of the CCPA. If the sellers of this consumer information are CCPA-covered entities, then non-profit schools will still need to address consumers’ right-to-know and deletion requests made to the sellers.
The CCPA takes effect in less than a month. If they haven’t already, educational institutions—including both for-profit and non-profit schools—should take immediate steps to familiarize themselves with the statute and develop a plan to comply.
Aaron Lacey is the leader of Thompson Coburn’s Higher Education practice, host of the Firm’s popular Higher Education Webinar Series, and editorial director of REGucation, the Firm’s higher education law and policy blog. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about the California Consumer Privacy Act (CCPA). Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years.