- Implementing an intake and response process for data requests. People will have broad rights to access, correct, export and delete their personal data and to opt out of the “sale” of their personal data (broadly defined to include most forms of data monetization).
- Allowing individuals to exercise rights to opt-in or opt-out. This applies to the processing of various data, which differs under state laws. It includes targeted advertising and the handling of sensitive data categories such as race, sexual orientation, health, sex life and biometric data.
- Confirming that they have an incident response plan. This requires institutions to have appropriate data security policies and to be prepared for more requirements relating to security breaches and breach notification. This often means supplementing existing requirements under existing law.
EDTECH: What are some privacy legislation variations that institutions should be mindful of?
HOWITT: There remains some variation in the details of each of the state laws. For example, the opt-out of sale rights generally includes a right to opt out of certain types of advertising. But in Colorado, companies will also be required to support certain automated signals (such as a browser setting) that indicates a user’s desire to opt out.
Separately, the specifics of what is considered a “sale” under these state laws may continue to evolve. So will the specifics about how to comply with the right to opt out. And it is unclear how consistent this will be as other states pass new laws.
Additionally, there are specific requirements relating to AI and biometrics. As the definition of “sensitive” information continues to evolve, it may be increasingly subjected to diverse requirements that vary state by state.
EDTECH: What kind of enforcement considerations should institutions be mindful of?
HOWITT: Much of the data subject to specific federal regulation or long-standing state laws (such as the Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act, mental health laws and the like) are likely excluded from new state consumer privacy laws.
Finally, most of the state consumer privacy laws do not allow individuals to sue when there are violations. Only the attorneys general or state agencies can enforce. That said, advocates are putting significant pressure on legislators to allow private lawsuits. There would be significant, additional risks if a state were to allow broad private enforcement rights.
What can higher education institutions do to prepare for these risks? Consider working with various internal stakeholders to determine what data is being handled and in what contexts. Understand what personal data is collected, how it is used, with whom it is shared and how it is protected. From there, institutions can develop appropriate policies and procedures that meet these common requirements — and get a head start on what will likely become the core of future state consumer privacy laws, as well as elements that will likely make their way into future iterations of education privacy laws.