Are Privacy Policies everyone’s favorite topic?
Not really. (Maybe a few legalese junkies out there get excited.)
Are there a lot of acronyms involved?
Yes. (Makes everything so much easier to understand, right?)
Is privacy compliance vitally important to your institution?
Absolutely. (The confluence of ethics, legal protections, and digital efficiency).
Back in 2018 with the implementation of the EU’s General Data Protection Regulation (GDPR), our inboxes were full of privacy policy updates. While it was a nuisance to sort through the deluge of policy update emails from Facebook, Apple, and companies to whom we didn’t even remember signing away our personal information (ah, the 21st Century), these policy changes were even more of a headache for those who actually managed this personal data — college admissions departments, for example. Our introduction to GDPR has got you covered if you need a refresher on the basics of these regulations.
Now there’s a new kid on the block: The California Consumer Privacy Act (CCPA) which rolled out on January 1st, 2020. Fear not, the enforcement grace period through July 1st, 2020 means there’s still time to review your compliance with the new policies before they fully go into effect.
How does CCPA differ from GDPR, and what does it mean for your admissions department? Read on...
Let’s Call Legal
Though some call it a mini-GDPR, CCPA casts a much wider net in its definition of private data.
According to Chief Security Officers (CSO) Online, while the CCPA loses “the narrow 72-hour window in which a company must report a breach” in other respects, “it goes even farther.”
Personal information under the CCPA is now defined as “anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
That’s broad.
What Are The Big Ideas?
California consumers will have access to all of the whos and whys of their data—at least from the last twelve months. Marketers must provide the following comprehensive information upon request:
- Which information was collected and sold?
- With whom was it shared or sold?
- And, why?
Furthermore, contacts can request their collected information be deleted, and they can dictate that their information not be sold to/shared with third parties. Should the guidelines be violated, under this law, consumers can now sue—with or without a data breach.
How Will CCPA Affect Admissions Offices?
Yes, this means another privacy policy revision for you. Your legal team is likely already on it. If not, raise a flag there.
The CCPA applies to any for-profit entity that:
- Has a gross annual revenue of at least $25 million per year
- Makes over 50% of its gross annual revenue from selling personal information OR
- Annually buys, sells, receives or shares personal information from at least 50,000 consumers.
Important: Before you assume CCPA exemption based on your institution’s non-profit status, chances are, your institution partners with a third-party vendor for data management, digital marketing or the like, that will be subject to CCPA.
And even though CCPA is a California state policy, it doesn’t just apply to institutions located in California, but rather any organization that collects protected information from California residents.
Considerations:
- Be prepared to provide or delete students’ data upon request.
- Know where all your data is and with whom it is shared.
- Know who on your team will be point person for these inquiries.
Your website must also have a clearly visible footer offering the choice to opt out of any data sharing. Refer to CSO’s footer and updated privacy policy to see the CCPA in action.
The Bottom Line
GDPR and CCPA are just the start of new data privacy laws. Once the EU’s GDPR gained traction, it set the ball rolling for laws around the world. This year we will see Brazil’s Lei Geral de Proteção de Dados Pessaoais (General Data Privacy Law or LGPD) put into effect. That’s just one more thing for international education marketers to learn about. Other countries won’t be far behind in their legislation either.
Your admissions team and legal counsel will have to be vigilant about watching for new laws, seeing how they may be amended, and learning how to comply. In the first six months of CCPA, there are bound to be some kinks to work out, too.
However, if you are in GDPR compliance, rest assured, though it will take additional work, you’re already on your way to CCPA compliance.