Privacy Compliance in U.S. Universities

Privacy law and compliance with those laws is a complex undertaking. This paper uses a mixed methods approach to review the scope and breadth of compliance with privacy laws at four-year universities in the United States. Starting with a Delphi method with privacy professionals defining the triggers for privacy laws, the laws most important for U.S. universities, and then the elements of a successful privacy program along with the risk factors for noncompliance, the researcher then examines publicly available information on a sample population of universities and lastly performs a legal review based on the Delphi findings and the Document Analysis. Both scholars and practitioners should find the paper useful. The outcomes identify what data subjects and activities trigger privacy laws at U.S. universities, what programmatic elements are required for a privacy compliance program to be successful, and what risk factors universities face in their privacy compliance efforts. All of this is reviewed through the Complexity Theory lens, considering both universities and privacy laws as complex adaptive systems.