The California Consumer Privacy Act or CCPA is a state-wide data privacy law that took effect on January 1st, 2020. CCPA applies to all for-profit California companies that make over $25 million annually or hold onto a minimum of 50,000 consumers’ data. Their laws protect and give California residents more control over how for-profit businesses handle their personal information. It requires businesses to provide better control and understanding of what they can and can’t do regarding the data they’re holding.
CCPA also includes parental consents over consumers under 13 years of age and affirmative consents for children between 13 and 16. Consumers would be given easier access to what they want to do regarding their data, including requesting data deletion and seeing what kind of information these businesses had collected, sold, or used.
If companies find ways of violating the rules, regulators will give the offending companies 30 days to comply. If not, they’ll be fined up to $7,500 per incident for intentional violation. If the violation were unintentional, they would be fined up to $2,500 per incident. CCPA also has statutory damages for companies under data breaches or preventable data theft. Affected consumers would be provided with up to $750 according to the damages from the company.
Before the existence of CCPA, Children’s Online Privacy Protection Act (COPPA) and The Family Educational Rights and Privacy Act (FERPA) have been providing services towards protecting data privacy for minors. COPPA has a primary goal to place parents in control over the data collected from their children online, mainly for those under 13. In comparison, FERPA gives parents access to their children’s education records. As long as the schools receive funds under the applicable program of the US Department of Education, they must abide by FERPA.
FERPA’s rights are given to parents before transferring to the students after they turn 18 or attend a school beyond the high school level. If the school needs to release any information about their students, they need written permission from parents or eligible students.
However, there are some exceptions where schools don’t need any consent to disclose their records. For example, they can share with schools officials with legitimate educational interests. They can also share to other schools if the students are transferring.
One of the critical roles in the CCPA is privacy protection for minors. This includes collecting geolocation, browsing history, and IP addresses from children under 13. Getting consent from COPPA won’t be considered the same as complying with CCPA. This ensures that the one authorizing consent for the child’s data on their behalf is actually their legal guardian. CCPA also extends to privacy protections for teens 13 to 16. This means that CCPA would include all students from preschool through most high schools.
For-profit schools must comply with the CCPA. In contrast, non-profit K-12 schools and universities don’t fall under CCPA’s purview. When non-profit schools buy data from profit businesses, they must abide by the CCPA.
Schools should exercise caution before assuming themselves as a non-profit school because it’s still unclear how to make the determination. Schools should take an interest in the CCPA because they might be using systems like school management software and working with, and sharing data with, companies through something like subject to the CCPA, such as Google, Microsoft, Amazon, and Apple.
Parents should also note that it’s true the CCPA gives them rights to request for data deletion. Still, federal law requires colleges and universities that receive federal financial assistance to hold onto specific data. These cases will be hard to tackle as there is no guidance yet on responding to such problems. Schools that receive federal financial assistance should thoroughly assess the types of data they need to keep before the issue arises
Schools can have many relationships with other schools or companies, besides their students and parents. They have to be aware of what’s in the contract of their vendors.
CCPA continues to improve and evolve. Several other states are also considering their privacy policies. California Privacy Protection Agency (CalPPA) had taken over rulemaking in 2021 and will begin to implement approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA), in 2024.
As the first enforcement agency in the US that solely dedicates its services to privacy, CalPPA will strengthen the enforcement and compliance with CCPA. This is just the beginning for CCPA.