As the groundbreaking California Consumer Privacy Act (CCPA) took effect on January 1, many were still working to understand the new requirements for businesses and the rights bestowed on consumers. The California attorney general (AG) followed up on January 6 with a CCPA advisory press release reviewing the regulations and restating that California residents are now afforded new, more stringent data privacy rights. The CCPA has been big news for anyone who does business in California. But the million-dollar question for New York-based companies that handle CA consumer data is whether the CCPA applies to them. While we still await clarity on many of the key components of the Act, the recent advisory does provide some useful reminders for businesses to think about.
Last week the National Institute of Standards and Technology (NIST) released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. This is a tool for managing privacy risk that has been a year in the making. Now that it is finalized, this updated framework offers businesses privacy protection strategies and an overview of key privacy risk management concepts.
Understanding the landscape of education law & EdTech: FERPA, COPPA and Other Considerations
Technology has transformed the way in which students are learning. Schools increasingly integrate IoT devices and third-party applications into the everyday delivery and management of education. This incorporation of education and technology, or EdTech, increases the amount of student data that is collected, stored, shared, and used, making student data privacy an issue of critical importance to educational institutions and their stakeholders.
The term student data refers to personally identifiable information (PII) collected for educational purposes that can be used to identify, contact, and locate a student. Student PII includes:
- Demographic information including name, home address, and telephone number
- Social security number and other unique identifiers
- Academic records
- Health records
- Disciplinary records
- Biometrics data
To empower parents with data control, student privacy laws provide certain rights to the parents or guardians directly regarding the collection, use, and sharing of their children’s PII. Generally, these rights transfer to the student, referred to as an eligible student, at the age of 18.
Three key federal laws and many evolving state laws govern the use of student data in education. The most prominent federal student data law is the Family Educational Rights and Privacy Act (FERPA). It provides parents and eligible students access and disclosure rights to their educational records, including the right to:
- Prevent disclosure of certain PII in the student’s education record
- Request amendment to records they believe are inaccurate or misleading
- Review the student’s education record
The second federal data privacy law is the Protection of Pupil Rights Amendment (PPRA) of 1978. PPRA requires schools conducting federally funded surveys and evaluations to obtain consent from parents and eligible students. Consent is needed before students are asked to reveal sensitive information including but not limited to political affiliations, mental and psychological problems, sex behaviors, and religious practices, beliefs, and affiliations.
The third federal student privacy law, the Children's Online Privacy Protection Act (COPPA), enacted in 1998, applies to operators collecting personal information of children under the age of 13. Companies must provide clear privacy policies and obtain parental consent before gathering information from a minor child.
In education, COPPA is implicated when educational institutions consent to a third-party website's or application's collection, use, or disclosure of personal information from students. However, in order to get consent from the school, the online operator must provide the school with the required COPPA notices and, upon request, access to the information collected about the students, as well as control over deletion and termination of data collection.
While FERPA and PPRA are longstanding student data privacy regulations, states have recently been focusing on data privacy regulation in education. In fact, 41 states have passed 126 laws affecting education between 2013 and 2019. These state laws provide additional safeguards for student data, reflecting the trends and student privacy concerns that arise with modern technology use in education.
Navigating the body of student data privacy law is complex. Collecting, using, sharing, and storing student data presents legal and ethical implications and requires a robust data security infrastructure. Beckage is an experienced team that can help educational institutions of all sizes navigate this fast-moving legal landscape.
Attorney Advertising: Prior results do not guarantee a similar outcome. The content contained herein should not be considered legal advice and is for informational purposes only.