by Tracy Locklin, Attorney, National Student Clearinghouse
In the wake of the European Union's General Data Protection Regulation (GDPR), a growing number of states across the country are considering comprehensive privacy legislation of their own. The first of these to go into effect is in California.
The California Consumer Privacy Act, or CCPA, was enacted in June 2018 and went into effect on January 1st of this year. It requires legal entities that meet certain criteria (referred to as “businesses”) to take steps to protect the privacy of California residents (referred to as “consumers”). To qualify as a business subject to the CCPA, an entity must be organized as a for-profit entity, do business in California, collect the personal information (“PI”) of consumers, and meets certain revenue or data processing thresholds.
Most significantly, a for-profit institution of higher education that qualifies as a “business” under the CCPA must, among other obligations:
At or before the collection of PI, inform consumers of the categories of PI to be collected and the purpose for which PI will be used.
Make disclosures in its privacy policy about its consumer PI, the sources of the PI, the purposes for collecting or selling the PI, the categories of third parties to whom it shares the PI, and that a consumer has a right to request their PI from the business.
Disclose that the consumer has the right to request deletion of their PI (although there are several exceptions regarding which data are subject to this deletion requirement).
Upon a consumer’s request, provide the consumer with the consumer’s PI, as well as certain information about the PI (e.g. its source and purpose) and about its disclosure or sale.
If the business sells consumer PI (under a broad definition of “sell”), provide notice to consumers that their PI may be sold, offer them a right to opt-out of such sales, and respect a consumer’s exercise of their opt-out right.
The CCPA also applies in various ways to service providers and other third parties that receive consumer PI from businesses.
The law is enforced by the California Attorney General, who can penalize businesses up to $2,500 per unintentional violation, and up to $7,500 for each intentional violation. The Attorney General can also seek injunctive relief to stop violations of the CCPA. In addition, individuals have a private right of action to bring a lawsuit under the CCPA against a business, but only if the individual’s non-encrypted and nonredacted PI has been stolen, disclosed or exfiltrated in an unauthorized manner as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.
For-profit institutions of higher education should keep in mind that the CCPA is a moving target, for two reasons. First, the California Attorney General is in the process of issuing regulations which will further clarify the law. These regulations will be published at least by July 1st, but could come much sooner. More information about this process, and a copy of the proposed regulations, can be found here. Second, Californians for Consumer Privacy, an advocacy group which was the driving force behind the enactment of the CCPA, is in the process of gathering signatures to place a revised version of CCPA on the ballot in California this November. This “CCPA 2.0” would, among other things:
Create a new state privacy agency to enforce the law.
Provide additional protections for PI deemed “sensitive” (like SSNs, biometric data, health information, genetic data, and religious or philosophical beliefs).
Add several new requirements for service providers and other third parties.
Provide a consumer right to correct inaccurate PI.
More information about this ballot initiative can be found here.