This month, the state of California began enforcing its latest consumer privacy law. Known as the California Consumer Privacy Act, or CCPA, the comprehensive law protects the personal consumer data that businesses collect and increases transparency around it.

Under the law, California residents can ask companies what personal information they have collected and how they are using and sharing that data, according to the Office of the Attorney General. Additionally, residents can ask companies to delete and not sell personal data they have collected.

The law applies directly to for-profit companies in California that make over $25 million annually, buy or sell the personal data of 50,000 or more consumers, or earn 50 percent or more of their annual revenue selling that data.

Yet there are aspects of the new law that K–12 schools should be aware of, especially because students generate enormous amounts of sensitive data online. Plus, student data privacy remains a hot-button issue in education amid the growing number of cyberthreats and the increased use of digital tools for remote learning, such as learning management systems and videoconferencing platforms.

“Schools are in the business of educating students, but they need to be very aware of what is in their contracts and make sure they are holding vendors to what is in their contracts,” Daniel Greene, a member of the Beckage law firm, told EdTech.

DISCOVER: Find out how to address data privacy during remote learning.

How CCPA Reinforces Student Data Privacy

One of the key provisions in the CCPA is the privacy protection of minors. The National Law Review notes that the CCPA extends requirements on companies collecting personally identifiable information, or PII — including geolocation, IP addresses and browsing history — from children under 13 years of age.

For example, compliance with the Children’s Online Privacy Protection Act (COPPA), which requires online operators to notify and get consent from parents before collecting information on kids, will not be enough to ensure CCPA compliance. Businesses such as educational technology companies will have to take “reasonable steps to ensure that the person authorizing consent for the sale of a child’s data on his or her behalf is actually their parent or legal guardian,” according to The National Law Review.