California Consumer Privacy Act of 2018: Considerations for Higher Education Institutions
By Michelle Donovan, Partner and Diane Byun, Diversity Fellow, Duane Morris LLP
On June 28, 2018, California passed the California Consumer Privacy Act (CCPA), establishing the strictest data privacy law in the United States. The CCPA’s scope is not limited to entities within California. Compliance obligations will be imposed on any business that collects personal information about California residents (Consumers) and meets one of the CCPA thresholds, regardless of where the business is located. Higher education institutions (Schools) covered by the new law must adopt new policies and procedures relating to the collection, use, and sharing of Consumers’ personal information.
The CCPA includes the Consumers’ right to know what personal information is collected and the purposes for which this information will be used, to whom this information is sold or disclosed, the right to opt out of the sale of personal information, and the right to access personal information and (with some exceptions) to delete personal information.
It also includes the Consumers’ right to bring a private right of action, seeking either statutory or actual damages, in the event of unauthorized access, theft, or disclosure as a result of a business’ violation of its duty to implement and maintain reasonable security measures.
California legislators acted quickly in passing the CCPA to deter a rigid anti-business voter initiative from appearing on the November 2018 ballot. The law goes into effective Jan. 1, 2020. Because this law was passed by legislative process instead of a ballot measure, it will be easier to review and amend the bill based on comments from stakeholders before its 2020 effective date. In its current state, the CCPA will require data privacy protections and requirements similar to those imposed by the European Union’s General Data Protection Regulation (GDPR), which became effective in late May. Despite its less than final form, this landmark policy may set a nationwide standard for privacy protection.
Key terms and definitions
The CCPA provides specific definitions to key terms that are essential in defining its scope. Schools should review the following terms with close scrutiny to determine which provisions may apply.
The CCPA defines “consumer” as any natural California resident, however identified, including any unique identifier.
The CCPA broadly defines “personal information” much broader than any other Federal or State privacy law and covers almost all Consumer information and activities except information lawfully made available to the general public from federal, state, or local government records.
Personal information means all information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular Consumer or household. This includes, but is not limited to, name, alias, mailing address, internet protocol address, email address, account name, Social Security number, driver’s license or state identification number, passport number or other similar identifiers. It also includes, physical characteristics or description, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, biometric information, geolocation data, and educational information that consists of any not publicly available personal information as defined under FERPA.
The CCPA also protects categories of personal information never before seen in US privacy laws:
- Characteristics of protected classifications under California law.
- “Commercial information,” including “purchasing or consuming histories or tendencies;”
- Internet activity, such as browsing or search history or a consumer’s “interaction” with a website, application, or advertisement;
- Audio, electronic, visual, thermal, olfactory, or other similar information; and
- “Inferences drawn” from any of the CCPA’s enumerated categories of personal information.
The law applies to any for-profit business that either collects personal information or controls the purposes and means of processing personal information collected on its behalf and meets any one of the following thresholds:
- Has an annual gross revenue of $25 million or more;
- Buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of at least 50,000 Consumers, households, or devices annually; or
- Derives at least 50 percent of its annual revenues from selling Consumers’ personal information.
It is worth noting that the CCPA also applies to affiliated, co-branded entities of any businesses that meet the above criteria, whether or not the affiliate does business in California.
The CCPA defines the term “collect” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information from the consumer, either actively, or passively, or by observing the consumer’s behavior.”
The CCPA defines “sale” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or third party, “for monetary compensation or other valuable consideration” (emphasis added). It is unclear how courts will interpret “valuable consideration.”
If interpreted broadly, a court could potentially find “sale” took place if a School provided covered data to a third party in exchange for any kind of economic advantage, which may include popular marketing techniques such as predictive solicitation or interest-based marketing.
Consumer privacy rights under the CCPA
Rights granted under the CCPA include the right for a Consumer to:
- Be aware of all their data a business has collected (annually and free of charge at the Consumer’s request);
- Opt-out of the sale of their personal information;
- Delete their data from a business’ database (with exceptions as discussed below);
- Receive the same service and price, even if they exercise their privacy rights;
- Be informed of which categories of their data will be collected by a business prior to collection;
- Be informed of any changes to categories of their data a business collects;
- Know the categories of the third parties with whom their data is being shared;
- Know the categories of sources of information from whom their data is acquired; and
- Know the business purpose for collecting their data.
The CCPA also includes the first mandatory “opt-in” requirement in the United States data privacy law, requiring an opt-in prior to the sale of personal information relating to minors under the age of 16.
Californians will have the right to delete their personal information in certain circumstances (also known as the right to be forgotten). This means a business must delete personal information upon request unless one of the enumerated exceptions applies. For example, the request may be denied if the data is found necessary for the business to:
- Complete the transaction for which the data was collected;
- Detect or protect against security incidents or illegal activity, or prosecute individuals responsible for illegal activity;
- Identify and repair errors that impair intended functionality;
- Exercise free speech or ensure the right of another to exercise free speech;
- Comply with laws and legal obligations;
- Engage in public or peer-reviewed research; or
- For internal purposes.
Exceptions for certain data categories
There are a few important exceptions to the sweeping privacy protections under the CCPA.
Publicly available information from government records
Excluded from the definition of “personal information” is any information that is lawfully made available to the general public from federal, state, or local government records. It does not appear to exclude information that a Consumer makes publicly available.
Non-California commercial conduct
The CCPA will not restrict the collection or sale of Consumer information provided every aspect of the commercial conduct takes place outside of California. This means that the data was collected while the Consumer was physically outside of the state and that no part of the sale occurred within California.
Aggregate or anonymized data
The CCPA provides it shall not restrict the collection, use, retention, or disclosure of aggregate or anonymized Consumer information, defined as data “not linked or reasonably linkable to any consumer or household, including via a device.” Businesses are likely to attempt achieving this exception through technology capable of anonymizing information (e.g., software programs that combine information sets from various sources). To fall within this exception, a business must implement technical safeguards and business practices that specifically prohibit reidentification and the inadvertent release of anonymized data. There must be no attempt to reidentify the aggregate or anonymized data.
CCPA’s effects on existing privacy laws
HIPAA and FCRA
The law does not apply to health information governed by Health Insurance Portability and Accountability Act (HIPAA) nor does it affect the sale of information to or from a consumer reporting agency covered by the Fair Credit Reporting Act (FCRA).
California privacy laws
The CCPA does not replace but, rather, supplements California’s existing privacy laws. Where possible the CCPA is to be construed to harmonize with other California law but, if a conflict arises, the law that affords the greatest privacy protections shall control.
No exception for FERPA compliance
Schools should assume that they are subject to both FERPA and the CCPA since the new law currently provides no FERPA exemptions. The CCPA’s sweeping purview of “personal information” includes “[e]ducation information,” defined as “information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.”
Although data protection overlaps exist, it is unclear if a preemption argument exists for FERPA compliant Schools.
Schools typically focus on the protection of student records and financial aid data. However, Schools should note that the scope of the CCPA covers all California residents regardless of the relationship to the School, and will include employees and prospective students in addition to current and past students.
GLBA exemption – Limited only if CCPA conflicts
The CCPA does not apply to nonpublic personal information pursuant to the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, but only to the extent the CCPA conflicts with federal standards. This exception may not provide significant relief unless a court concludes a significant conflict exists. If narrowly construed, “conflict” could mean that a School is unable to comply both with the CCPA and the GLBA’s standards because a conflict in application exists. However, it is possible the courts may find that there is no conflict for the purpose of ensuring CCPA compliance since many of the CCPA’s privacy requirements are not covered by the GLBA, such as the right to delete personal information. Until we have some clarification from the courts as to how this exception should be applied, Schools should assume that both the GLBA regulations and the CCPA requirements apply.
Enforcement and penalties
Private right of action (Consumers)
The CCPA gives Consumers a private right of action against businesses with respect to data security breaches. Consumers can seek either statutory damages up to $750 per incident or actual damages in the event that their unencrypted or nonredacted personal data is subject to unauthorized access, exfiltration, theft, or disclosure as a result of a covered business’ violation of its duty to implement and maintain reasonable security measures. For purposes of the private right of action, “personal information” is restricted to traditional identifiers included in California’s data security statute (e.g., name, Social Security number, credit card information) rather than the broad definition used prevalently in the CCPA. Prior to bringing a private right of action for statutory damages, Consumers must provide notice and a 30-day opportunity to cure the alleged violation, though it is unclear how a data breach can be cured. No notice is required for a suit seeking actual damages (instead of statutory). The Consumer must also provide notice to the Attorney General within 30 days after the action has been filed.
Civil actions (California Attorney General)
Civil penalties for violations of the CCPA will be exclusively assessed and recovered in civil actions brought by the California Attorney General. For actions commenced by the Attorney General, the CCPA allows imposition of penalties for intentional violations of any provision of the CCPA of up to $7,500 per violation, or $2,500 for unintentional violations in cases of breach or violation of the CCPA that is not cured within 30 days after being notified of noncompliance.
Implications for higher education
Schools within the CCPA’s scope must amend data management policies and practices regardless of FERPA and/or GLBA compliance. If covered by the CCPA, a School must:
- Reassess its data practices to identify (i) what personal information is collected under the broader definition of “personal information,” (ii) whether and how personal information is shared with third parties; and (iii) for what purpose was it shared;
- Implement policies and procedures for responding to Consumer requests to access and/or delete their personal information and identify which categories of information should be excluded from deletion requests;
- Train employees responsible for handling Consumer requests on CCPA rules;
- Provide two methods for Consumers to submit data disclosure requests (e.g., toll-free telephone number and website address;
- Respond within 45 days to Consumer data disclosure requests; and
- Review contracts with service providers to prohibit noncompliant retention, use, or disclosure of personal information.
Depending on how the law is interpreted, Schools may also be required to explicitly tell Consumers that their personal information is being “sold” and provide a means of opting out via a link on the homepage titled “Do Not Sell My Personal Information.”
Given the new statutory damages and civil penalties, the CCPA will undeniably result in an increase of data breach-related litigation. Institutions must start thinking of a comprehensive approach to potential violations – identifying noncompliance early on will ease the burden of meeting CCPA’s obligations.
California has effectively set the stage for change in how businesses engage with Consumers and personal information. Over the next 18 months, there will be much debate over this new law and stakeholders will seek to make amendments, which are expected to provide some clarification and reasonableness to this sweeping legislation.
But even amended, the CCPA will likely affect the core operations of many Schools. Those subject to the CCPA should identify areas of noncompliance now to prioritize and remedy gaps before the effective date.
It is important to keep in mind that this article is meant to provide a broad overview of the CCPA. It is not intended to be taken as legal advice, and Schools looking to ensure that they are fully compliant with the CCPA should seek the advice of qualified legal counsel.
MICHELLE DONOVAN is a Partner at Duane Morris, LLP. She serves on the firm’s Diversity and Inclusion committee and chairs the San Diego Diversity and Inclusion Initiative. Ms. Donovan’s practice is largely focused on the career college sector and the specialized legal issues that arise for schools in the sector, including issues related to the protection of student records, privacy, online marketing, lead generation, trademarks, copyrights, and domain names. Duane Morris serves all sectors of postsecondary education and the businesses that support postsecondary education, providing deep experience and guidance in all legal aspects of this complex industry, as well as strategy, operations, finance and policy.
Diane Byun is working as a Diversity Fellow in the San Diego office of Duane Morris LLP. Ms. Byun holds a B.A. in English Literature from the University of California, Santa Barbara and is currently pursuing her Juris Doctor at the University of San Diego, School of Law.
Contact Information: Michelle Donovan // Partner // Duane Morris LLP // 619-889-8296 // firstname.lastname@example.org // www.duanemorris.com