On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect in California. These new regulations make it increasingly difficult for brands to collect and leverage user data. Unlike GDPR, this new law does not apply to not-for-profit organizations. So are colleges and universities in the clear? Let’s look!
Does the CCPA Apply to Universities?
According to the CCPA Fact Sheet, businesses are subject to the law if one or more of the following are true:
- Has gross annual revenues in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
The short answer is, NO. The CCPA does NOT apply to most universities. However, for-profit universities that meet at least one of the criteria need to take action.
Grey Area
While this might sound like a relief, universities might not be totally in the clear.
The law is somewhat vague and open to interpretation. For instance, universities that work with third-party vendors who meet one of the criteria may be subject to the regulation.
The CCPA could also apply to universities that are controlled by a for-profit organization, operate for-profit foundations, or “enter a joint-venture with a for-profit organization.”
How does the law define a resident?
Another area up for interpretation is the law’s use of the word ‘resident.’ As many students come from out of state to attend a university, you might think that they are not considered a resident.
Section 17014 of Title 18 of the California Code of Regulations states:
“The term “resident,” as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”
According to this definition, a student enrolled in a traditional program AND residing in the state for most of the year would likely be considered a resident.
Conclusion
For-profit universities are businesses and must comply to the full CCPA regulations.
If you’re in charge of a not-for-profit university, you don’t need to worry about the CCPA regulations unless you’re operating for-profit foundations, partnerships, joint ventures, etc.
If your school is impacted by the CCPA, update your privacy policy for the impacted organizations.
See if UNINCORPORATED is the best higher education marketing company for your next campaign.
