Does California’s Consumer Data Protection law apply to your educational institution (even if you are not in California)?
By Bill Miles | February 15, 2019
More news on the state law privacy landscape from last year. On June 28, 2018, the California legislature passed and the governor signed the California Consumer Privacy Act (CCPA) into law.
The CCPA is a broad law protecting the personal data of California residents (defined as “Consumers” in the law) and is modelled after the EU’s sweeping privacy protection law, the General Data Protection Regulation (GDPR), which came into effect in May 2018. The GDPR protects personal data, defined broadly, beyond what any current state or federal law provides today.
Because the CCPA protects the privacy of all California “Residents”, defined as either California residents living in California or temporarily outside the state (attending, teaching, or traveling to a school), the law potentially applies to virtually all EdTech companies and any school with a California “Resident” in their community, whether teacher, donor, alumni, parent, staff member or student. This is often most relevant to boarding and private schools.
However, it is important to identify some limitations on the CCPA’s reach. First of all, the CCPA does not apply to nonprofits (unlike the GDPR). Secondly, for an organization to fall under the regulation, it must have a revenue of $25,000,000 or more annually, hold the data of 50,000 or more “Residents”, or make half its revenue or more from the sales of personal data.
While many schools will avoid the CCPA due to these limitations, some for-profit schools will hold data of 50,000 or more “residents” and, thus, will be subject to the CCPA. This likely ensnares some of the boarding school community and the larger private schools. The law applies on its face internationally, but it’s unclear at this time how it would be enforced. If you are one of those schools, you have until January 1, 2020 to come into compliance.
All schools, however, have an interest in the CCPA because, almost certainly, their technology providers will be subject to it. The School Information System providers, the Learning Management System providers, and many other companies that collect student, staff, parent, alumni and donor data will be subject to the CCPA. Because of this, every school should add an inquiry to its list of due diligence questions as to whether the provider is compliant with the CCPA. Not only is this important for legal compliance purposes, but the CCPA enforces a high standard on companies that collect, process, sell and hold personal data. So, by making this a requirement for your vendors, the personal data you share with them will be better protected.
There are many great resources currently published on the CCPA, and the California Attorney General’s office plans to publish clarifying regulations in the Fall of 2019. In the meantime, please reach out to firstname.lastname@example.org if you have questions or comments.
About Bill Miles: Bill began his career as an attorney-at-law. Driven by technology and innovation, he has worked with several start-ups to lead innovation. Now, as CEO of Vidigami, Bill is leading the Vidigami Private Social Platform and Picaboo Yearbooks Editor to provide schools with a one-stop-shop solution that enables them to securely centralize, intelligently organize, privately share, and utilize media in a way that is responsible and rewarding.