Institutions of higher education can use these data privacy guidelines to ensure compliance with CCPA regulations, which are now being enforced.
Higher education institutions need to be able to collect and use data — but they must also comply with relevant regulations. The California Consumer Privacy Act (CCPA) grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect, as well as additional protections for minors.
Under the CCPA, California residents have the right to know how for-profit businesses are collecting and selling their personal information. They can also access that data, prevent its sale, or request that it be deleted. Of key concern to the rest of the world is that the CCPA does not apply solely to California-based businesses — it applies to any organization that interfaces with California residents or collects their information, including higher education institutions.
The enforcement period for CCPA began on July 1, 2020, posing a challenge for universities and colleges across the U.S. already in the midst of a transition into a school year disrupted by COVID-19. Despite the situation, California’s Attorney General has said he will not delay CCPA enforcement. In order to avoid potential legal action, it’s time for universities and colleges that are subject to CCPA regulations to reevaluate their data privacy protocols.
How Data Privacy Applies to Higher Education
Many colleges and universities may assume they are exempt from the CCPA due to their non-profit status. However, these institutions work with third-party vendors that provide a range of educational, financial, and administrative services, and may be required to be CCPA compliant. Whether directly or through these vendors, institutions of higher education collect a wide range of personal data, especially financial, demographic, and performance-related information, all of which may fall within CCPA’s guidelines. In this context, “consumer” data primarily translates to student data, although given some lack of clarity in the regulations, it is important to be careful when handling employee data as well.
Many U.S. institutions of higher education already have certain data privacy measures in place, and data privacy has been strengthened in recent years in large part due to the General Data Protection Regulation (GDPR), which affected U.S. institutions that recruit students in the European Union. Colleges and universities that have taken measures to remain compliant with the GDPR may be ahead of the game with new CCPA regulations — although there are some notable differences between the two statutes. Whether or not an institution has implemented policies and protocols in response to GDPR guidelines, it’s important to look at CCPA compliance with fresh eyes.
How Colleges and Universities Can Prepare for CCPA
Colleges and universities commonly leverage a range of personal data for programming, funding, and other critical purposes. As they collect and use this data, they can take the following measures to help ensure CCPA compliance and avoid potential fines:
1. Understand the laws. As professors often advise students, ignorance of a policy is not an excuse for not following it. Universities must invest time and resources to ensure their key policymakers understand not only the CCPA and GDPR, but other applicable regulations, such as the Family Educational Rights and Privacy Act (FERPA), that may overlap or potentially conflict with new CCPA requirements. To ensure compliance, the best course of action is typically to consult with outside experts.
2. Create a data overview. Many institutions lack a unified overview of data practices across departments, but performing a self-audit can help reveal how data is being collected, stored, and used. For instance, colleges and universities often collect more data than they need and store it for longer than regulations dictate, creating unnecessary vulnerabilities.
3. Vet both current and prospective vendors. Universities should not only understand how their vendors collect and use personal information, but they should also know what protocols vendors have in place for effectively identifying, retrieving, and deleting that data. Be proactive about limiting access. Contracts should stipulate that vendors can collect and use only a minimum amount of information and process it only in specific ways.
4. Set a reasonable budget. Institutions should set aside funds to train employees in data security, to hire experts or initiative leaders, and to implement new protocols. It’s possible to protect the bottom line while allocating sufficient resources for optimizing data privacy and security. The advisory services of an expert consultant will be useful in creating this balance.
5. Create new policies and processes. Colleges and universities should revise their data privacy protocols to align with new CCPA requirements. For instance, institutions may need to institute clear privacy policies that address both off- and online activities, and offer opt-out options at data collection points. Universities must also have processes in place for responding to privacy incidents and data requests.
6. Anticipate technology trends. Given the boom in remote learning due to COVID-19, many more universities are using collaboration platforms and video conferencing tools — but they should be cautious of how this software could lead to data privacy violations. Vet these platforms thoroughly before implementing them.
Looking Ahead at Higher Ed and Data Privacy
While the CCPA is focused on protecting California residents, universities and colleges across the world may risk legal action should they not adhere to these regulations. What’s more, institutions should be aware that other states are likely to follow suit with similar personal data protection laws of their own in the coming years. Universities and colleges that take a proactive approach to data privacy have an opportunity to position themselves as leaders in privacy culture. The key is to prepare now by working with an experienced consultant.
At SEI, we understand the unique data privacy challenges that modern colleges and universities face. Our consultants have years of experience in creating custom-tailored information security solutions for institutions of higher education. We adapt our approach to every project in accordance with an organization’s structure, culture, and specific project requirements. Marrying technical and humanistic skills, we provide 360-degree support to every client in their quest toward greater data privacy, empowering them to achieve ongoing compliance, garner and maintain consumer trust, and protect their bottom line.