If an institution does meet the consumer volume threshold, two more exceptions are still likely relevant for higher ed.
First, the CPA excludes any data regulated by FERPA. Therefore, most student records processed in the ordinary course of business are likely to fall outside the scope of the CPA.
Second, the CPA does not apply to any data maintained by a state higher ed institution, as long as the data is processed in accordance with any authorizations under state or federal law and is used for noncommercial purposes.
There is no general nonprofit exemption in the CPA. So, some private or for-profit higher ed institutions may be subject to the CPA’s requirements, whereas public institutions are not.
In light of these exceptions, most higher ed institutions’ data processing operations relating to students, employees, and commercial/B2B relationships are likely out of scope. However, it is possible that certain marketing activities (such as online advertising, marketing, ticketing and events/athletics) could remain in scope if the institution meets the volume requirements. These would involve data processing related to consumers, and the relevant data would not be classified as a student record.
EDTECH: What are some common issues that universities and colleges might encounter during enforcement?
HOWITT: As of now, it is unclear what specific elements of the new law will most likely be enforced. Looking at how the GDPR and similar laws are enforced, key focus areas will likely be:
- The handling of sensitive categories of information
- Vendor management issues and security compliance
- Noncompliance with rights requests (in particular, opt-out rights)
If enforcement occurs, institutions are likely to be subject to regulatory reviews of internal policies, procedures and their general compliance practices, with a focus on institutional understanding of the risks and obligations relating to their handling of personal data.
As the laws continue to evolve, there will be uncertainties and a learning curve for many institutions. That said, regulators are likely to take into account the amount of effort that organizations put into compliance, especially the effort to understand data flows and data processing risks. They want to see there are procedures in place to mitigate risk and ensure data is used appropriately and securely.
EDTECH: Colorado is not nearly as overwhelmed with enforcement as California and Europe are, which raises the chances of enforcement. Do you have any insights on that?
HOWITT: For now, Colorado’s enforcement is limited, and the scope and reach of Colorado’s laws may not be as broad as privacy laws in California and Europe. We anticipate that the Colorado Attorney General’s office will increase its data privacy staff.
It is important to note that district attorneys in Colorado can also enforce the CPA, which could result in greater enforcement.
However, there may be an increase in coordinated actions by the state attorneys general to enforce common state law provisions against multistate actors, following similar multistate approaches seen in state consumer protection and antitrust actions.
Since most of these state laws are new, we have yet to see how common enforcement will be. Many laws are either not in force or have been in force for only a limited time, so aggressive action is less likely. If enforcement proves to be popular with consumers or the public, then we may see an increase in enforcement across the board.
Austin Chambers, an associate attorney at Dorsey & Whitney, contributed to research and analysis.