student privacy

On May 22 the Federal Trade Commission (“FTC”) announced a $6 million settlement with Edmodo, an ed tech provider, for violations of the COPPA Rule and Section 5 of the FTC Act.  The FTC described this settlement as the first FTC order that will prohibit an ed tech provider from requiring students to provide more personal data than necessary to participate in online activities.  The settlement is consistent with the FTC’s policy statement on ed tech issued last May (see our summary of the policy statement here).

Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment.  In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers.  This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.

On November 2, 2016, California Attorney General Kamala Harris released a report outlining best practices for the education technology industry (“Ed Tech”).  In Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, Attorney General Harris noted the need to implement robust safeguards for collection, use, and sharing

During his speech earlier this week at the Federal Trade Commission, President Obama unveiled a set of proposals to enhance student privacy protections.  These proposals will include publishing a draft Student Digital Privacy Act, promoting an existing Student Privacy Pledge for educational technology providers, and introducing new privacy tools through the Department of Education.

Yesterday, several big tech companies that offer educational and school services signed the “Student Privacy Pledge,” introduced by the Future of Privacy Forum (“FPF”) and The Software & Information Industry Association (“SIIA”) to safeguard student privacy as it relates to the collection, maintenance, and use of students’ personal information.  Among the fourteen education tech companies representing the initial group to join SIIA and FPF in introducing the Pledge are Microsoft, Amplify, and Houghton Mifflin Harcourt.  Notably, tech giants Google and Apple were absent from the list of signatories.  As part of the Pledge, effective January 1, 2015, participating companies agree to the following commitments:

  • Not to collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student
  • Not sell student personal information
  • Not to use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of ads to students
  • Not to build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student
  • Not to make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not to make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements
  • Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student
  • Collect, use, share, and retain student personal information only for purposes for which companies are authorized by the educational institution, teacher, or the parent/student
  • Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information is collected and the purposes for which the information maintained is used or shared with third parties
  • Support access to and correction of students’ personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements, or directly, when the information is collected from the student with student/parent consent
  • Maintain a comprehensive security program reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information
  • Require that vendors with whom students’ personal information is shared in order to deliver the educational service are obligated to implement these same commitments
  • Allow a successor entity to maintain the students’ personal information, in the case of a merger or acquisition, provided the successor is subject to these same commitments for previously collected student personal information


Last week, California enacted bills SB 1177 and AB 1584, strengthening student privacy protections in the State.

SB 1177 prohibits operators of online sites or mobile apps who know that their services are used primarily for K-12 school purposes and whose services are designed and marketed as such (“operators”) from using K-12 student data in four specific ways. First, SB 1177 prohibits operators from engaging in targeted advertising on any website or mobile app (including their own) if the advertising would be based on any information obtained from the operations of its K-12 online site or mobile app. Second, SB 1177 prohibits operators from using information obtained from the operations of the K-12 online site or mobile app to create a “profile” about a K-12 student, unless the profile is created in furtherance of K-12 school purposes. Third, operators are prohibited from selling a student’s information. And, fourth, SB 1177 prohibits operators from disclosing personally identifiable information, unless certain special circumstances exist, such as responding to or participating in judicial process.

In addition to the four prohibitions listed above, SB 1177 places two affirmative requirements on operators. The bill requires operators to “[i]mplement and maintain reasonable security procedures and practices” appropriate to the information protected, and specifically to protect the information from “unauthorized access, destruction, use, modification, or disclosure.” In addition, SB 1177 requires operators to delete personally identifiable information regarding a K-12 student upon request by a school or school district.

AB 1584 addresses the access and use of K-12 student data by third party vendors. AB 1584 explicitly permits local educational agencies to enter into contracts with third parties to provide online services relating to management of pupil records or to otherwise access, store, and use pupil records in the course of performing contractual obligations.

After gaining prominence in 2012, state legislation restricting access to personal social media accounts by employers and schools has remained active.  Three more states have enacted their own restrictions thus far in 2013, and bills are pending in more than two dozen other states, according to the National Conference of State Legislatures. In 2012, Illinois and Maryland  enacted social media privacy laws restricting employers, Delaware and New Jersey enacted laws restricting academic institutions, and California and Michigan enacted both employer- and school-focused restrictions.

So far this year, Utah, New Mexico, and Arkansas have enacted their own restrictions. Utah enacted two laws — the Internet Employment Privacy Act and the Internet Postsecondary Education Privacy Act — as part of one bill, HB100, which was signed into law on March 26 and takes effect May 14. New Mexico enacted two separate bills — SB 371 and SB 422 — focusing on employers and post-secondary schools, respectively. Both bills were signed April 5 and take effect on June 14. In Arkansas, a bill imposing restrictions on public and private post-secondary schools was enacted as Act 998 on April 8.  Below is more information about each.

Advances in technology present opportunities to improve student learning, allow teachers and students to work more efficiently, and reduce operational costs for educational institutions.  Many schools are taking advantage of these benefits by implementing online course systems and cloud computing services that allow students and teachers to access their programs, e-mails, and documents online from anywhere and almost any device.

As a New York Times article published earlier this week highlighted, the embrace of educational cloud services also raises interesting and important questions about the privacy and security of student data.  After all, these services by definition involve the movement of student and teacher communications, documents, or other data that used to be stored on-site and managed by school employees to the cloud.  Cloud computing services are operated by third-party vendors, and these vendors have a range of business models and practices with respect to the collection, use and disclosure of data.

As they work to safeguard student data without inhibiting the benefits of educational technologies, we find that educational institutions increasingly are focusing on regulatory requirements and contractual protections for student data — and in particular five principles that we describe after the jump.

A bill reintroduced in the U.S. House of Representatives on Wednesday would prohibit employers and schools from requesting or demanding access to employees’ or students’ personal social-media accounts.

The bill, titled the “Social Networking Online Protection Act,” would bar employers from requesting or requiring that employees or job applicants provide the employer access to personal e-mail or social-networking accounts.  The bill also would bar employers from firing or otherwise retaliating against an employee or applicant for refusing or complaining about such a request. Violations would carry a civil penalty of up to $10,000, and the bill would authorize the Secretary of Labor to seek an injunction against practices that violate the law.

The bill would establish similar protections for students or applicants at colleges and K-12 schools receiving federal funds.

New Jersey earlier this month became the latest state to bar college and university officials from demanding access to students’ or applicants’ personal online accounts.  Gov. Chris Christie signed the law, which takes effect immediately, on Dec. 3.

Under the new law, which applies to public and private higher-education institutions, schools cannot require a student or applicant to “in any way provide access” to “a personal account or service through an electronic communications device,” nor may schools “in any way inquire as to whether a student or applicant” has a social-media account. Schools may not retaliate against students who refuse to provide access to their accounts, and the law voids any agreement to waive the statute’s protections.