Technology has transformed the way in which students are learning. Schools increasingly integrate IoT devices and third-party applications into the everyday delivery and management of education. This incorporation of education and technology, or EdTech, increases the amount of student data that is collected, stored, shared,and used—making student data privacy an issue of critical importance to educational institutions and their stakeholders.
Understanding the landscape of education law & EdTech: FERPA, COPPA and Other Considerations
Technology has transformed the way in which students are learning. Schools increasingly integrate IoT devices and third-party applications into the everyday delivery and management of education. This incorporation of education and technology, orEdTech, increases the amount of student data that is collected, stored, shared,and used—making student data privacy an issue of critical importance to educational institutions and their stakeholders.
The term student data refers to personally identifiable information (PII) collected for educational purposes that can be used to identify, contact, and locate a student. Student PII includes:
- Demographic information including name, home address, and telephone number
- Social security number and other unique identifiers
- Academic records
- Health records
- Disciplinary records
- Biometrics data
To empower parents with data control, student privacy laws provide certain rights o the parents or guardians directly regarding the collection, use, and sharing of their children’s PII. Generally, these rights transfer to the student, referred to as eligible students, at the age of 18.
Three key federal laws and many evolving state laws govern the use of student data in education. The most prominent federal student data law is theFamily Educational Rights and Privacy Act (FERPA). It provides parents and eligible students access and disclosure rights to their educational records including the right to:
- Prevent disclosure of certain PII in the student’s education record
- Request amendment to records they believe are inaccurate or misleading
- Review the student’s education record
The second federal law data privacy law is theProtection of Pupil Rights Amendment (PPRA) of 1978. PPRA requires schools conducting federally funded surveys and evaluations to obtain consent from parents and eligible students. Consent is needed before students are asked to reveal sensitive information including but not limited to political affiliations, mental and psychological problems, sex behaviors and religious practices, beliefs and affiliations.
The third federal student privacy law, the Children Online Privacy Protection Act (COPPA), enacted in 1998, applies to operators collecting personal information of children under the age of 13. Companies must provide clear privacy policies and obtain parental consent before gathering information from a minor child.
In education, COPPA is implicated when educational institutions consent to a third-party website or application collection, use or disclosure of personal information from students. However, in order to get consent from the school, the online operator must provide the school with the required COPPA notices and upon request access to the information collected about the students as well as control over deletion and termination of data collection.
While FERPA and PPRA are longstanding student data privacy regulations, recently, states have been focusing on data privacy regulation in education. In fact, 41 states have passed 126 laws affecting education between 2013 and 2019. These state laws provide additional safeguards for student data reflecting the trends and student privacy concerns that arise with modern technology use in education.
Navigating through the body of student data privacy law is complex. Collecting, using, sharing and storing student data presents legal and ethical implications and a robust data security infrastructure. Beckage is an experienced team that can help educational institutions of all sizes navigate this fast-moving legal landscape.
Attorney Advertising: Prior results do not guarantee a similar outcome. The content contained herein should not be considered legal advice and is for informational purpose only.
The California Consumer Protection Act (CCPA) will impact global companies. The CPPA aims to sets forth landmark privacy rights for Californians and becomes effective January 1, 2020. Last week the California Assembly Privacy and Consumer Protection Committee began clarifying important ambiguities in the CCPA through a serious of amendment bills. These amendment bills are not law just yet. These bills were actions taken by the Committee to advance proposed changes through the legislative process. Some of the most notable clarification from the amendment bills include:
- Updating the current CCPA to make it clear that employees are not “consumers” for purposes of the CCPA and addressing some of the concerns with household data.
- Clarifying personal and de-identified information by adding a reasonableness standard to make it clear that not all information capable of being associated with an individual or household will be considered personal information. Further, the de-identification standard would be shifted to the FTC “reasonably linkable” de-identification definition which is better understood.
- Redefining “publicly available” to mean information that is lawfully made available from federal, state, or local records to ensure there is a public record exemption from the definition of “personal information.”
- Adding amendments that make loyalty programs exempt from the CCPA’s “non-discrimination” restrictions.
- General cleanup of mistakes and confusion in the current language.
- Updating the current CCPA requirement that businesses must establish a toll-free number to receive CCPA requests, to a requirement that they must provide a toll-free number or an email address.
Two amendment bills were withdrawn that would have dramatically expanded the CCPA requirements. Notably, it included the bill that extended the private right of action to all privacy violations, extended the opt-out to all sharing of personal information (not just “sales”), added data minimization requirements, and expanded the CCPA right-to-know requirement to require accounting to consumers the specific third parties to whom personal information was shared.
What’s next? These amendment bills head to the Senate leadership. However, these initial steps suggest that some legislative clarifications of CCPA requirements may pass this year. It is important to balance compliance with this state law with other data privacy and security laws across the globe. Taking a practical approach with experienced legal teams will be critical.
DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used or relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where the advice is sought.
Attorney Advertising: Prior results do not guarantee a similar outcome.