The California Consumer Privacy Act (CCPA) takes effect January 1, 2020. Much like GDPR, this regulation gives individuals greater protection over their personal information and over how that information is collected. It is the strongest data privacy measure enacted in the United States to date, and other states are expected to enact similar measures in the near future. Higher education institutions are affected by CCPA, especially if they are for-profit, have students who are residents of California, or share data with for-profit vendors. This post briefly covers highlights of the legislation, some of the differences from GDPR, and areas that can assist with CCPA compliance.
Just a note that we are not lawyers; contact your legal counsel regarding CCPA when necessary.
Data governance provides a framework for compliance with both GDPR and CCPA, and an institution that is already in compliance with GDPR will find CCPA compliance easier. CCPA is based on three principles:
- Control - Consumers should have control over who can access their information.
- Transparency - Consumers should know how institutions will use their information. Transparency is what drives trust.
- Accountability - Institutions should be held responsible for the misuse of consumer information.
A few differences between the two acts:
- CCPA has a narrower geographic scope than GDPR: it protects California residents, whereas GDPR protects data subjects throughout the EU.
- GDPR covers non-profit and for-profit organizations, while CCPA applies to certain for-profit businesses (and to non-profits that deal with those for-profit businesses).
- CCPA only requires that personal information collected within the preceding 12 months be disclosed upon request, while GDPR has no such look-back limit and covers any personal data collected.
- GDPR requires informed consent before an institution sells an individual's information. CCPA works on an opt-out model: an institution may assume consent to sell unless the consumer opts out (with the exception of consumers under 16, whose data requires opt-in consent before it is sold).
Areas that can assist with CCPA compliance:
- Understanding the definitions involved in privacy – Research and get educated about CCPA. Brainstorm with a group to determine the CCPA specifics for your institution. Then create a CCPA document that is specific to your institution so that everyone is on the same page. Decide on ways to increase awareness of data protection and privacy at your institution (remember that for-profit institutions are affected differently than non-profit institutions). Train your staff on CCPA.
- Identifying and defining the CCPA-applicable individuals – Determine which current students and staff, alumni and former staff, applicants for admission, marketing targets, etc. fall under CCPA. Alternatively, decide that everyone falls under CCPA and provide everyone with the same protection and processes. Can you easily identify the students and alumni who are California residents? If not, that is the first gap to close.
- Inventory of your data systems – To understand how to meet data regulations you must first understand the data systems involved and the data they hold.
Find answers to the following questions:
* Where is your data?
* Who owns and manages the data (make note of outside vendors)?
* Do external systems you source data from have consent?
* Do external systems you share data with have privacy controls and a lawful basis to process the data?
Then create an inventory of the data models in all systems. Finally, identify CCPA-applicable data (personal, financial and educational data). A data systems inventory is probably the most important first step you can take in data governance: take control of the information you hold.
- Track data movements and data lineage – First, document the system-to-system data flow at a high level, such as CRM to SIS. Then start documenting the specific data elements moving in each transaction. While doing this documentation, determine whether a data sharing agreement is necessary for each flow.
- Review the process for data requests that include private data – If you have a data request process in place, check that it handles CCPA data requests properly. If no data request process is in place, get one implemented. This goes along with the inventory of data systems, but make sure that your data request process factors in CCPA during requests.
- Data sharing agreements and review of external vendors – Manage internal data sharing and make sure you know who at your institution has access to the data. Manage data sharing with those outside your institution (state government, federal government, compliance agencies, rating groups, billing processors, etc.). Review the policies of external vendors that hold your data, especially those that might profit from it. Create a policy on when a data sharing agreement is needed that your institution understands.
- Make sure all your sourcing systems have a process for consent – Determine whether you need to retroactively ask for consent, such as for a marketing list that you purchased. Make sure that people can easily opt out of your marketing emails.
- Website and privacy policy updates – Review your privacy policy and update it with CCPA in mind. Make sure that it is readable and free of legal jargon. Publish your updated privacy policy on your website, and add the "Do Not Sell My Personal Information" link that CCPA requires to the home page of your website.
- Process for consumer requests – Make sure that you have processes that can handle consumer requests to view the information the institution holds about them, to delete that information, and to stop the sale of their data. These requests can arrive electronically, verbally or in writing, so each channel needs to feed the same process.
- Allocate resources and money – Make sure you have the right budget and team for the CCPA task. Show the institution the commitment to compliance.
Many states in the United States, and many countries, are working on their own data privacy laws, so now is the time to create a foundation and policies for data compliance. With this foundation and these policies you will improve your customers' (students, staff and alumni) experience. Risk is reduced, and the institution is able to respond to requests quickly and effectively. This builds trust with customers, which can become a key differentiator. Institutions that do not put a focus on data could soon find themselves left behind. Higher education institutions should hold themselves to a higher standard than private business in regards to data privacy; protecting student privacy adheres to higher education's core values. We hope that this post will assist with your higher education institution's CCPA efforts.
If you are interested in learning more about data governance, data intelligence, the Data Cookbook or our data governance services, feel free to contact us.