Does California’s Consumer Data Protection Law Apply To Your Educational Institution?

Does California’s Consumer Data Protection law apply to your educational institution (even if you are not in California)?

By Bill Miles | February 15, 2019

More news on the state law privacy landscape from last year. On June 28, 2018, the California legislature passed and the governor signed the California Consumer Privacy Act (CCPA) into law.

The CCPA is a broad law protecting the personal data of California residents (defined as “Consumers” in the law) and is modelled after the EU’s sweeping privacy protection law, the General Data Protection Regulation (GDPR), which came into effect in May 2018. The GDPR protects personal data, defined broadly, beyond what any current state or federal law provides today.

Because the CCPA protects the privacy of all California “Residents”, defined as either California residents living in California or temporarily outside the state (attending, teaching, or traveling to a school), the law potentially applies to virtually all EdTech companies and any school with a California “Resident” in their community, whether teacher, donor, alumni, parent, staff member or student. This is often most relevant to boarding and private schools.

However, it is important to identify some limitations on the CCPA’s reach. First of all, the CCPA does not apply to nonprofits (unlike the GDPR). Secondly, for an organization to fall under the regulation, it must have a revenue of $25,000,000 or more annually, hold the data of 50,000 or more “Residents”, or make half its revenue or more from the sale of personal data.

While many schools will avoid the CCPA due to these limitations, some for-profit schools will hold data of 50,000 or more “residents” and, thus, will be subject to the CCPA. This likely ensnares some of the boarding school community and the larger private schools. The law applies on its face internationally, but it’s unclear at this time how it would be enforced. If you are one of those schools, you have until January 1, 2020 to come into compliance.

All schools, however, have an interest in the CCPA because, almost certainly, their technology providers will be subject to it. The School Information System providers, the Learning Management System providers, and many other companies that collect student, staff, parent, alumni and donor data will be subject to the CCPA. Because of this, every school should add an inquiry to its list of diligence questions as to whether the provider is compliant with the CCPA. Not only is this important for legal compliance purposes, but the CCPA enforces a high standard on companies that collect, process, sell and hold personal data. So, by making this a requirement for your vendors, the personal data you share with them will be better protected.

There are many great resources currently published on the CCPA, and the California Attorney General’s office plans to publish clarifying regulations in the Fall of 2019. In the meantime, please reach out if you have questions or comments.

About Bill Miles: Bill began his career as an attorney-at-law. Driven by technology and innovation, he has worked with several start-ups to lead innovation. Now, as CEO of Vidigami, Bill is leading the Vidigami Private Social Platform and Picaboo Yearbooks Editor to provide schools with a one-stop-shop solution that enables them to securely centralize, intelligently organize, privately share, and utilize media in a way that is responsible and rewarding. 


One Comment

  1. Bill Miles March 6, 2019 at 5:06 pm

    Question: Good day Bill, I recently ran across an article you wrote on Feb 15, 2019 in regards to the CCPA.
    I was wondering if you have any clarification if students attending College in California fall under the protection of CCPA?
    I’m referring to students that come from outside of the state of CA and attend college in CA.
    Thanks for any info you could provide.

    Response: So as I read your question, you are asking if the CCPA extends to a student who is from another state but living in California (i.e. going to school). Let’s start with the definition of a California resident under the law.

    Section 17014 defines a California resident to include “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.” Cal. Code Regs. tit. 18, § 17014.

    As you can see from the definition, the student in your example is “enjoying the benefits and protections of the laws and government of California”. So the question is whether that student’s stay is “temporary or transitory” under the law. The law does not provide any further guidance on what these terms mean, and ultimately, this will be a fact-specific inquiry that a court will eventually clarify (if the legislature or California government does not clarify first). My guess, from reading out and asking questions in this area, is that the CCPA would apply to an enrolled student for a full year program at a school in California. I think “temporary” is meant to be more short term and with less of a commitment to being present in the state. Recognize also that students can be of all types with many fact patterns – visiting for a semester, 2 year programs, 4 year programs, medical school, high school, living on campus, off campus, CA driver’s license or not, CA voter or not, etc.
