Education institutions have always had a vested interest in protecting data privacy. Whether it’s test scores, health records, IEPs or financial aid, protecting personal data is critical to the integrity and trust an education institution has with its constituents. On January 1, 2020, California codifies a practice that public education institutions have long coveted (protection from for-profit entities that seek to collect personal data) with the implementation of the California Consumer Privacy Act, or CCPA.
So what does the new law mean if you are an institution or a company that provides digital learning content, assessment solutions, or learning management systems (LMS)? As one privacy organization points out: “a third-party vendor for a school may be subject to the requirements of the CCPA even if the vendor is simply processing students’ personal information on behalf of the school.”
Luckily for some, companies must be in compliance only if they meet or exceed one of the following three thresholds:
- Have annual gross revenues of $25 million;
- Obtain personal information from 50,000 or more California residents, households, or devices annually; or,
- Generate 50 percent or more annual revenue (regardless of the amount of total revenue) from selling California residents’ personal information.
If you fall into one of these categories, you must determine what level of exposure you have and how to remediate it.
The new law has implications for both legacy and newly implemented systems. For example, the “right to deletion” clause, which requires that systems provide a mechanism by which any and all information about a person be removed from databases, presents some thorny problems. Most database systems and designs are intended to preserve data, and rely heavily on interconnected pieces of information. Untangling the design of such systems will not always be easy, and being thorough about removing all of the information pertaining to an individual while preserving the remaining data’s integrity is no small task. This requirement, amongst others, puts a premium on database design skills.
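An added example (not from the original article) of one way to design a relational store for deletion: foreign-key actions decide per table whether dependent rows are removed or detached, and a residual check confirms nothing still points at the person. The schema, table names and sample rows are constructed, and keeping de-identified scores for course statistics is an assumption about policy, not something the article states.

```python
import sqlite3

# Constructed LMS schema (hypothetical table and column names).
SCHEMA = """
CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
-- Purely personal records: removed together with the student.
CREATE TABLE health_notes (
    id INTEGER PRIMARY KEY,
    student_id INTEGER NOT NULL REFERENCES students(id) ON DELETE CASCADE,
    note TEXT);
-- Scores feed course-level statistics: the row is kept, the identity is detached.
CREATE TABLE submissions (
    id INTEGER PRIMARY KEY,
    student_id INTEGER REFERENCES students(id) ON DELETE SET NULL,
    assessment TEXT, score REAL, free_text TEXT);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK actions unless enabled
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO students VALUES (?,?,?)",
                     [(1, "Ana Diaz", "ana@example.edu"), (2, "Ben Wu", "ben@example.edu")])
    conn.execute("INSERT INTO health_notes VALUES (1, 1, 'peanut allergy')")
    conn.executemany("INSERT INTO submissions VALUES (?,?,?,?,?)",
                     [(1, 1, "quiz-1", 80.0, "Ana's essay"), (2, 2, "quiz-1", 90.0, "Ben's essay")])
    conn.commit()
    return conn

def erase_student(conn, student_id):
    """Delete one student; FK actions remove or detach the dependent rows."""
    with conn:  # one transaction: every table changes or none does
        # Free text can hold personal data that no FK action will scrub.
        conn.execute("UPDATE submissions SET free_text = NULL WHERE student_id = ?", (student_id,))
        conn.execute("DELETE FROM students WHERE id = ?", (student_id,))

def residual_rows(conn, student_id):
    """Count rows per table that still reference the student id."""
    counts = {"students": conn.execute(
        "SELECT COUNT(*) FROM students WHERE id = ?", (student_id,)).fetchone()[0]}
    for table in ("health_notes", "submissions"):  # fixed names, never user input
        counts[table] = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE student_id = ?", (student_id,)).fetchone()[0]
    return counts

def quiz_average(conn, assessment):
    """Aggregate that must survive the erasure with its integrity intact."""
    return conn.execute("SELECT AVG(score) FROM submissions WHERE assessment = ?",
                        (assessment,)).fetchone()[0]
```

A residual check like this covers only the tables it knows about; backups, logs, caches and third-party copies need their own inventory.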
For new or rebuilt data storage systems, there are some key principles that will help align your systems with the requirements of the CCPA:
- Do not collect data you do not require
- Do not send data over the wire if you can keep it locally
- Do not store data that you only need ephemerally
Following these principles, you’ll be far more likely to be in compliance.
Principle #1: If you aren’t collecting data, then you do not have to worry about scrubbing it from your systems at a later date.
While this principle is fairly self-explanatory, organizations very commonly violate it. In fact, in the early phases of “big data” implementations, many organizations sought to capture as much data as possible, based on the idea that they did not yet know what they might need, so why not gather it all for later? If this strategy describes how you have approached designing your systems in the past, be prepared to jettison it. While it was never a particularly sophisticated or useful way to go about collecting information, it is now clearly in opposition to the intent of laws like the CCPA.
Principle #2: Consider strongly where you keep the data you collect and who retains control over it.
The second point is a bit more subtle, but not too hard to grasp. For example, do you need to pull data into your system or platform, or can you leave it locally within the user-facing application?
Principle #3: Think not only about whether data can be local, but also ask if it can be discarded after you have used it.
The last point is related to the second one. This can apply anywhere in your system, from the front end to the back end. Consider whether data needs to be kept around and why. Can you get rid of it before the user explicitly requests that it be removed? Why do you need to hold onto it?
For all of these principles, you also need to consider the systems you integrate with. For example, does your LMS integrate with a provider via LTI? If so, what data are you sharing with them? And if a user asks to be deleted, how will you remove their data from those third-party systems?
To properly prepare for what’s coming with the CCPA, you should plan an audit of your data usage and retention policies and practices.
Take a deep look at all of the systems you have and be ready to make modifications to both the application and database layers. Get in touch with vendors and partners, and get them to clarify what they are doing in response to the new law. Find out how they are modifying their APIs and systems to reduce the exposure of personal information, or enable its deletion as needed.
Complying with the CCPA will require an intentional review of business practices and systems. If you need support, Cantina can help. Reach out to learn how.