Enacted on New Year’s Day 2020, the California Consumer Privacy Act gives residents of the nation’s most populous state the right to know what of their personal information is being collected, along with whether it’s been sold and to whom.
Applicable to companies based both in and out of California, CCPA also ensures residents can access their personal data, prevent their personal data from being sold, request their personal data be deleted, and not be retaliated against for exercising their privacy rights.
“What all these regulations mandate is that a California resident has the right to know his or her information is being collected by, at or before the point of collection,” said Hassan Khan, managing director of risk and advisory services at Grant Thornton.
While CCPA isn’t intended to apply directly to colleges (most nonprofits are exempt, with some exceptions), institutions will likely work with technology vendors that are subject to these requirements.
For-profit enterprises are subject to the law if they have $25 million or more in gross revenue; buy or sell the personal information of 50,000 or more consumers or households; or earn more than half of their annual revenue from selling consumers’ personal financial information.
Higher education CIOs and CTOs should talk to current and prospective vendors about how they use personal information, Khan says. Ask how they classify it, how they identify it and how quickly they can retrieve and remove that information if a California resident asks. They should also have a plan for responding to opt-out requests by California residents and consider investing more in data security capabilities — whether by hiring additional staff or upgrading existing technology. Khan also suggests appointing a data protection officer to work directly with regulators.
Institutions should also “make sure that tech vendors are limited in what they can do and how they process the information they receive,” said Adam Adler, senior associate at compliance advisory firm Schellman. Contracts should specify what information vendors are collecting and that they should only process it to the extent necessary to achieve the intended business purpose.
Privacy Is a Continuous Effort
Compliance is an ongoing process, Adler says: “It’s not like you do a sprint to get ready, and on day one when the law goes live, you’re suddenly compliant, then wash your hands and walk away.” Instead, he says, it should be a continuous effort and maintenance process.
CCPA has been called “GDPR lite,” referring to the European Union’s General Data Protection Regulation, a privacy law enacted in 2018. As with GDPR, companies subject to CCPA won’t be audited for what they’re doing with personal information. Instead, companies will be fined if regulators (in this case, the California state attorney general) find they have misused information. In the first nine months of GDPR, fines issued totaled more than €55 million (though most of that was a fine assessed against Google by France’s data protection agency). Fines average about €66,000, according to GDPR.eu.
While California is the first state to enact this type of personal data privacy law, it likely won’t be the last. More than half of states are considering some kind of consumer data privacy legislation in 2019. Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, Vermont and Washington are all poised to pass similar legislation in the near future, Khan says. He expects that all 50 states will enact some sort of privacy legislation in the next five years.
In November, four Senate Commerce Committee members introduced new federal privacy legislation, the Consumer Online Privacy Rights Act, or COPRA. Khan doubts the proposed law will go far before the 2020 presidential election, but, he adds, the bill reflects the emerging outline of federal privacy laws to come.
“GDPR and CCPA,” he says, “will not be the last data privacy regulations colleges and universities will have to address.”