Are Privacy Policies everyone’s favorite topic?
Not really. (Maybe a few legalese junkies out there get excited.)
Are there a lot of acronyms involved?
Yes. (Makes everything so much easier to understand, right?)
Is privacy compliance vitally important to your institution?
Absolutely. (The confluence of ethics, legal protections, and digital efficiency).
Now there’s a new kid on the block: The California Consumer Privacy Act (CCPA) which rolled out on January 1st, 2020. Fear not, the enforcement grace period through July 1st, 2020 means there’s still time to review your compliance with the new policies before they fully go into effect.
How does CCPA differ from GDPR, and what does it mean for your admissions department? Read on...
Let’s Call Legal
Though some call it a mini-GDPR, CCPA casts a much wider net in its definition of private data.
According to Chief Security Officers (CSO) Online, while the CCPA loses “the narrow 72-hour window in which a company must report a breach” in other respects, “it goes even farther.”
Personal information under the CCPA is now defined as “anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
What Are The Big Ideas?
California consumers will have access to all of the whos and whys of their data—at least from the last twelve months. Marketers must provide the following comprehensive information upon request:
- Which information was collected and sold?
- With whom was it shared or sold?
- And, why?
Furthermore, contacts can request their collected information be deleted, and they can dictate that their information not be sold to/shared with third parties. Should the guidelines be violated, under this law, consumers can now sue—with or without a data breach.
How Will CCPA Affect Admissions Offices?
The CCPA applies to any for-profit entity that:
- Has a gross annual revenue of at least $25 million per year
- Makes over 50% of its gross annual revenue from selling personal information OR
- Annually buys, sells, receives or shares personal information from at least 50,000 consumers.
Important: Before you assume CCPA exemption based on your institution’s non-profit status, chances are, your institution partners with a third-party vendor for data management, digital marketing or the like, that will be subject to CCPA.
And even though CCPA is a California state policy, it doesn’t just apply to institutions located in California, but rather any organization that collects protected information from California residents.
- Be prepared to provide or delete students’ data upon request.
- Know where all your data is and with whom it is shared.
- Know who on your team will be point person for these inquiries.
The Bottom Line
GDPR and CCPA are just the start of new data privacy laws. Once the EU’s GDPR gained traction, it set the ball rolling for laws around the world. This year we will see Brazil’s Lei Geral de Proteção de Dados Pessaoais (General Data Privacy Law or LGPD) put into effect. That’s just one more thing for international education marketers to learn about. Other countries won’t be far behind in their legislation either.
Your admissions team and legal counsel will have to be vigilant about watching for new laws, seeing how they may be amended, and learning how to comply. In the first six months of CCPA, there are bound to be some kinks to work out, too.
However, if you are in GDPR compliance, rest assured, though it will take additional work, you’re already on your way to CCPA compliance.