Jul 15 2020

How the CCPA Affects California School Districts

The California Consumer Privacy Act extends privacy protections for minors.

This month, the state of California began enforcing its latest consumer privacy law. Known as the California Consumer Privacy Act, or CCPA, the comprehensive law protects the personal consumer data that businesses collect and increases transparency around it.

Under the law, California residents can ask companies what personal information they have collected and how they are using and sharing that data, according to the Office of the Attorney General. Additionally, residents can ask companies to delete and not sell personal data they have collected.

The law applies directly to for-profit companies in California that make over $25 million annually, buy or sell the personal data of 50,000 or more consumers, or earn 50 percent or more of their annual revenue selling that data.

Yet there are aspects of the new law that K–12 schools should be aware of, especially because students generate enormous amounts of sensitive data online. Plus, student data privacy remains a hot-button issue in education amid the growing number of cyberthreats and the increased use of digital tools for remote learning, such as learning management systems and videoconferencing platforms.

“Schools are in the business of educating students, but they need to be very aware of what is in their contracts and make sure they are holding vendors to what is in their contracts,” Daniel Greene, a member of the Beckage law firm, told EdTech.

DISCOVER: Find out how to address data privacy during remote learning.

How CCPA Reinforces Student Data Privacy

One of the key provisions in the CCPA is the privacy protection of minors. The National Law Review notes that the CCPA extends requirements on companies collecting personally identifiable information, or PII — including geolocation, IP addresses and browsing history — from children under 13 years of age.

For example, compliance with the Children’s Online Privacy Protection Act (COPPA), which requires online operators to notify and get consent from parents before collecting information on kids, will not be enough to ensure CCPA compliance. Businesses such as educational technology companies will have to take “reasonable steps to ensure that the person authorizing consent for the sale of a child’s data on his or her behalf is actually their parent or legal guardian,” according to The National Law Review.

The Future of Privacy Forum (FPF), a nonprofit organization that promotes responsible data practices, notes that the CCPA also extends child privacy protections to teens — 13- to 16-year-olds have the right to consent to the collection and selling of their own data.

“This means that students’ PII is protected from preschool through most of high school — so companies and districts should align their compliance plans for the entire PK–12 student population,” writes Katie Onstad, vice president and co-founder of Education Framework, which helps K–12 school districts proactively protect student data privacy, in a blog post.

However, CCPA’s privacy protections for minors only apply to the sale of data. An initiative on the ballot in November will also protect the sharing of children’s data if approved, according to FPF.

DOWNLOAD: This white paper covers best practices for overcoming compliance challenges.

Additionally, experts note that issues may emerge if a parent or student asks a company to delete any personal data that schools are required to collect and maintain for federal and state reporting purposes, Education Week reports. Andrea Bennett, executive director of California IT in Education, tells the publication that there is no provision that addresses that concern.

Experts also say that even though the CCPA’s enactment is a sign of future data privacy laws to come, many educators are still confused about these types of laws, which means that adequate compliance training is still very much needed. “You can pass all the laws that you want in the world,” Leonie Haimson, an advocate for student data privacy, tells Education Week. “If no one’s paying attention to them, they have no real impact on what’s happening in the classroom.”

Cristian Storto Fotografia/Getty Images