Developers and operators of educational technology services should take note. Just before the election, California Attorney General Kamala Harris provided a document laying out guidance for those providing education technology (“Ed Tech”). “Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data” provides practical direction that operators of websites and online services of a site or service used for K-12 purposes can use to implement best practices for their business models.
Ed Tech, per the Recommendations, comes in three categories: (1) administrative management systems and tools, such as cloud services that store student data; (2) instructional support, including testing and assessment; (3) content, including curriculum and resources such as websites and mobile apps. The Recommendations recognize the important role that educational technology plays in classrooms by citing the Software & Information Industry Association; the U.S. Market for PreK-12 Ed Tech was estimated at $8.38 billion in 2015.
The data that may be gathered by through Ed Tech systems and services can be extremely sensitive, including medical histories, social and emotional assessments and test results. At the Federal level, the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Rule (COPPA) govern the use of student data. However, according to the Recommendations, these laws “are widely viewed as having been significantly outdated by new technology.”
Recognizing this, California has enacted laws in this space to fill in gaps in the protection. Cal. Ed. Code § 49073.1, requires that local education agencies (county offices of education, school districts, and charter schools) that contract with third parties for systems or services that manage, access, or use pupil records, to include specific provisions regarding the use, ownership and control of pupil records. On the private side, the Student Online Personal Information Privacy Act (SOPIPA), requires Ed Tech provides to comply with baseline privacy and security protections.
Building on this backdrop of legislation, Attorney General Harris’ office provided six recommendations for Ed Tech providers, especially those that provide services in the pre-kindergarten to twelfth grade space.
- Data Collection and Retention: Minimization is the Goal
- Data Use: Keep it Educational
Describe the purposes of the data you are collecting. Do not use any personally identifiable data for targeted advertising, including persistent identifiers, whether within the original service, or any other service. Do not create profiles other than those necessary for the school purposes that your service was intended for. If you use collected data for product improvement, aggregate or de-identify the data first.
- Data Disclosure: Make Protections Stick
Specifically describe any third parties you share personally identifiable data with. If disclosing for school purposes, only do so to further the school specific purpose of your site. If disclosing for research purposes, only disclose personally identifiable information if you are required by federal or state law, or if allowed under federal and state law, and the disclosure is under the direction of a school, district or state education department. Service providers should be contractually required to use any personally identifiable data only for the contracted service, not disclose the information, take reasonable security measures, delete the information when the contract is completed, and notify you of any unauthorized disclosure or breach. Do not sell any collected information, except as part of a merger or acquisition.
- Individual Control: Respect Users’ Rights
- Data Security: Implement Reasonable and Appropriate Safeguards
Provide a description of the reasonable and appropriate security you use, including technical, administrative and physical safeguards, to protect student information. Describe your process for data breach notification. Provide training for your employees regarding your policies and procedures and employee obligations.
Given the size of the California market, any guidance issued by the California Attorney General's office should be carefully considered and reviewed. If you are growing an ed tech company, this is the time to build in data privacy and security controls. if you are established, it's time to review your privacy practices against this Guidance and see how you match up. If you have any questions or concerns as to how these recommendations could be applied to your company, please do not hesitate to contact the team at Mintz Levin.