Each month Heidi-Anne O'Neill, 9ine's in-house Data Protection Solicitor shares a frequently asked question to assist school leaders in solving problems and developing best practices in data protection and cyber security. 

Q. I’m the Head of an American School in Europe with a high percentage of American students. I’ve heard about the California Privacy Act 2018, should my school be doing anything about it ?

A. The California Consumer Privacy Act 2018 (CCPA) came into effect on 1 January 2020 and has made headlines as it is the first comprehensive consumer privacy law to land in a US state. It has some similar provisions to the European General Data Protection Regulation (GDPR), but it technically has a narrower territorial reach, being aimed at providing new rights and safeguards for consumers residing in California. 

The CCPA applies to organisations who are doing business in California. This means the location of your school in Europe is of little concern, as you do not need to have a physical presence in California to be subject to the CCPA.  

The CCPA will be relevant to organisations falling within its description of ‘for-profit’ businesses and which:

• Buy, sell or share personal information of 50,000 consumers or devices
• Have a gross revenue of more than $25USD million, or
• Obtains 50% of its annual revenue from sharing information.

Therefore, The CCPA will not apply to non-profit organisations (unless they are owned or controlled by a ‘for profit’ entity).

Find out more about how 9ine is transforming data protection management and register for a free 14-day trial of the 9ine app.

If your school falls into one of these categories, and you deal with the personal information of California residents (regardless of how that information is collected), then it is likely that the CCPA will apply and your data protection lead will need to consider whether your current working practices comply with its requirements. 

As the CCPA was inspired by the GDPR, you may find that there are a number of areas that sound familiar, but be aware that compliance with one regime may not necessarily mean compliance with the other. For instance, residents of California have some similar data subject rights to the GDPR but the timescales are different; there are also transparency requirements in the CCPA that will affect the content of your privacy notices.

Before taking a deep dive into the requirements of the CCPA, the first step you need to take is to identify any processing activities carried out by your school that involve the use of personal information relating to California residents. You then need to determine what information you are actually collecting and for what purpose. By carrying out a Data Mapping exercise in this regard you may find that your school is collecting this information as a result of marketing your school in the area by the use of cookies or even by the use of information about your students families who are based in California. 

Once the extent of the data collection is known, your school will be able to determine the areas where further compliance with the CCPA is required.

About the Author: 

Heidi-Anne O’Neill is 9ine’s in-house Data Protection Solicitor. She has been qualified for fourteen years and has spent the last eight years advising in the area of information law. As a result of many years spent in local government, she holds both a Data Protection Practitioner and a Freedom of Information Practitioner Certificate. She is pleased to be part of the team at 9ine and looks forward to assisting clients on their journey towards data privacy compliance.