Ed-Tech Vendors Attend ‘Boot Camp’ For Data-Privacy Advice

In response to the growing pressure on education technology companies to protect students’ data privacy, two organizations recently organized a "boot camp" to provide guidance and clarity on legal obligations. This event, held in the capital, is expected to be the first of many tutorials for ed-tech companies. The Future of Privacy Forum, in partnership with Rethink Education, organized the two-day tutorial, which drew about 40 companies, mostly startups or small to medium-sized businesses without legal counsel to navigate the complexities of student-data privacy laws.

The organizers kept most of the event closed to the press and did not disclose the names of attending companies in order to create a safe space for company officials to freely ask questions without their statements being made public.

Advice for K-12 Companies on Protecting Information

Education technology companies serving the K-12 market must comply with various laws and policies regarding student data privacy. These include federal laws such as the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). The Future of Privacy Forum, a Washington-based think tank promoting responsible data use, offers the following advice to these companies:

– Be cautious when making changes to privacy policies. Permission may be required if data usage deviates from the original policies. For example, under COPPA, significant policy changes may require specific notice and carry an obligation to handle privacy in accordance with the initial promises.

– If your service allows parents or teachers to sign up, ensure that your policies are clear and thorough. Provide parents with the ability to delete the data of their children under the age of 13, and avoid requesting precise location information without parental consent. Exercise caution when using free social-sharing widgets or plug-ins, as they may sell data to advertising networks and violate FERPA and COPPA by sharing data with third parties.

– Be prepared to report and address data breaches in your system. Implement reasonable, industry-standard practices for data security from the outset.

– Understand that different laws have different definitions for "personally identifiable information" and restrictions on its usage. If your company receives education records from schools, different legal obligations may apply depending on whether the data is personally identifiable or aggregated.

– Familiarize yourself with the rights granted to students under FERPA. Schools must allow parents (and sometimes students) to review their education records within 45 days.

Jules Polonetsky, the executive director of the Future of Privacy Forum, emphasized the importance of helping K-12 vendors understand their legal and other obligations at federal, state, and district levels from the early stages of product development rather than addressing issues after they arise.

Rising Legal Concerns

Various K-12 organizations, such as the Consortium for School Networking and the Software & Information Industry Association, have also sought to provide clarity on relevant laws. In addition to the federal laws of FERPA and COPPA, over 20 states have enacted their own laws on safeguarding student data in the past two years. Individual districts may also establish their own requirements for vendors.

The concerns of companies regarding the legal environment were apparent during a question-and-answer session, when a company representative expressed concerns about data privacy potentially hindering education vendors’ ability to raise capital. The representative asked how to regulate with minimal interference. The response from Ms. McSweeny was that the FTC enforces the law and can fine providers for violations. However, the staff also aims to help companies understand how to interpret COPPA and how it applies to their practices. Ms. McSweeny also encouraged companies to adopt "privacy by design" and be transparent about their privacy practices from the start. When companies take these steps, they ensure that their technology aligns with their privacy policy, reducing liability issues. Proactive privacy measures also lead to innovation and changes in products that are appealing to the market.

Determining what is required by FERPA, COPPA, state laws, and district policies has been challenging for emerging ed-tech companies. Karina Linch, a senior vice president at BrainPOP, stated that even with legal counsel and doing business in all 50 states, they face varying requests and conflicting district privacy policies. BrainPOP aims to incorporate privacy policies into their product development so that schools and districts can choose between subscribing without sharing student data or enabling usage to track individual student learning. However, the confusion is not one-sided. There is frustration among vendors about determining whether FERPA or COPPA applies and understanding which law governs their practices. Federal lawmakers are working on legislation to update student-data-privacy policies, which may supersede multiple state laws.

The confusion is not limited to companies; K-12 officials are also grappling with the rapid growth of apps, tools, and cloud-based systems available to them. Districts want broad privacy protections to account for this evolving landscape, resulting in a checklist of requirements for companies to fulfill. This complexity makes it challenging for well-intentioned schools and companies to align their practices.

Author

  • haileysimpson

    I'm Hailey Simpson, a 36-year-old educational blogger and volunteer. I love writing about things that interest me, and sharing my knowledge and experiences with others. I also enjoy working towards charitable causes, and spending time with my family and friends.