The European Union has GDPR. But the United States has not yet passed a comprehensive national data privacy law at the federal level. That means that higher education advertisers should monitor state privacy laws, like the California Consumer Privacy Act (CCPA), to ensure that they avoid legal penalties and maintain consumer confidence. The challenge: Keeping up with the multiple state-level regulations and figuring out which ones to comply with.
Why data privacy matters
The tide of data privacy concerns has been rising for years. Institutions are using an array of digital tools to amass data, which allows them to better recruit prospective students and interact more efficiently with current and prior students. All of that sounds great, but it comes with an element of risk. Prospective and current students are concerned about their data falling into the wrong hands or being used in questionable ways.
Pretty much everyone, prospective students included, is calling for more transparency in how higher education collects and uses data. When data breaches happen, or students feel their data is being used irresponsibly, it damages your relationship with the student. They may elect to enroll elsewhere, or worse. The onus is on institutions of higher education to diligently protect their students' and prospective students' data.
Data privacy rules by state
While only three states in the U.S. have signed privacy regulations, nearly half of all states have introduced potential legislation in this area. Some of the more influential and impactful regulations are listed below.
California Consumer Privacy Act
The CCPA went into effect in January 2020, and it likely marked a turning point in US data privacy regulation. It offered broad protections for consumers in the most populous state in the US. The act set up guidelines for how for-profit organizations must handle data such as biometrics, family info, financial information, and location belonging to any resident of California. Any for-profit organization that fits any of the following criteria is subject to the act:
- has an annual gross revenue of more than 25 million;
- buys, receives, sells or shares the personal information of 50,000 or more residents;
- or makes at least half their annual revenue from the sales of personal information.
If your institution is a non-profit, you might be exempt, but your vendors and third-party service providers probably are not. Your LMS, email service provider, web host or marketing agency could be subject to these regulations. If they are processing information on behalf of your institution, responsibility for their compliance falls, at least in part, on your organization. In short, you could be liable if you contract with a business that does not follow CCPA. That is why it is so important for higher education institutions to understand the regulations and thoroughly vet partners and service providers that may have access to users’ data on behalf of the institution.
Failure to follow CCPA guidelines could cost up to $7,500 for each intentional violation and $2,500 for each unintentional violation. Those penalties add up quickly if you have a database of thousands of potential students. Although the law gives you 30 days to cure violations, it’s best to avoid them in the first place.
The core of CCPA is the directive to delete user data, if requested. This means that potential students can ask you to stop contacting them and remove all of their information from your databases. Fortunately, there’s a simple way to avoid ever getting this request – make sure that all of your content is relevant, targeted, and trustworthy.
Nevada Senate Bill 220
The bill, subtitled “An Act relating to Internet privacy,” went into effect in October 2019. It allows users to request that their data not be sold to third parties. Website operators are responsible for posting a notice about how data is collected and used. Anyone who operates a website, collects data from Nevada residents, and does any form of business in Nevada is subject to these regulations. Unlike the CCPA, the Nevada law requires consumers to intentionally opt out of having their data sold.
Non-compliance can carry a penalty of up to $5,000 per violation as well as a temporary or permanent injunction from the Attorney General. Website operators have 30 days to cure violations. If you are marketing to or enrolling students from Nevada, it is important that you clearly comply with Nevada law.
Colorado Consumer Protection Act
The Colorado Protections for Consumer Data Privacy law was the September 2018 update to the Colorado Consumer Privacy Act. It is among the most comprehensive of the consumer data protection regulations in the country. The act states that personally identifiable information must be protected when it’s in use and appropriately disposed of when no longer needed.
Businesses are required to notify a person within 30 days if their Personally Identifiable Information (PII) has been compromised. They must also have “reasonable” data security procedures and practices in place. These regulations apply to any organization that stores PII for Colorado residents. Plus, you are responsible for making sure that third-party service providers have reasonable security measures in place.
The Colorado Attorney General’s office can sue a non-compliant organization to push a change in policy or collect damages.
New York Consumer Privacy Act
The NYPA is currently in committee in the state senate. Many of its provisions are similar to CCPA, with a few notable exceptions. Importantly, New York’s privacy act may not exempt non-profits. So, all institutions of higher education doing business in New York would be subject to its regulation. If passed as written, the law would enable consumers to sue companies directly rather than relying on legal action by the Attorney General or Federal Trade Commission.
It’s unclear exactly what the penalties might be for violating this broadly written regulation. As written, it would give courts free rein to determine penalties. Institutions should certainly keep an eye on this regulation as it moves through the New York State Senate.
The evolution of data privacy
The state data privacy laws listed above represent just a sampling of the more influential regulations. About half of US states have some kind of data privacy laws in place. Some states, like Massachusetts, are actively working on adjustments or amendments to their existing regulations. Others, like Florida, have attempted to introduce such legislation, but have yet to gain traction. The key takeaway is that data privacy is an evolving issue, one which institutions of higher education must monitor to avoid costly penalties and loss of consumer confidence.
It bears repeating: the US does not yet have privacy laws at the federal level. The keyword there is “yet.” The federal government may eventually create data privacy laws that apply to all U.S. citizens. In the meantime, smart marketers in the education industry and beyond should stay informed of state data privacy guidelines. Following the most stringent regulations from states like California will help avoid potential penalties in all states.