On November 2, 2016, California Attorney General Kamala Harris released a report outlining best practices for the education technology industry (“Ed Tech”).  In Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, Attorney General Harris noted the need to implement robust safeguards for collection, use, and sharing of student data.  To that end, the report aims to promote the development of privacy best practices.

This report was released against the backdrop of federal and California laws that safeguard student data.  Specifically, the report aims to enhance the efficacy of two California laws enacted in 2014 that extended protections for student privacy.  (See our related coverage here.)

The report makes the following recommendations in six key areas:

  1. Data collection and retention. Minimize data collection to only the student information that is necessary.  Describe the types of data collected and the collection methods used.  Retain student information only as long as allowed or required, and build into systems the ability to destroy personally identified or identifiable information.
  2. Data use.  Keep the use of data strictly educational.  Do not use any covered information acquired through Ed Tech sites or services as a basis for targeted advertising, whether to a specific student or other user.  Similarly, do not use any information acquired to create profiles of students, except for school purposes.
  3. Data disclosure.  Describe the types of third parties to which service providers disclose covered information and the purpose for doing so.  Only disclose this information to further the school purposes of the site or service or for research purposes if required by state or federal law.  If a provider discloses information to service providers, it should contractually require them not to further disclose it, not to sell it, to maintain reasonable security measures, and to return or delete covered information at the completion of the contract.  Do not sell any student information except as part of a merger or acquisition.
  4. Individual control.  Describe how parents, legal guardians, or eligible students can review or correct covered information and implement policies and procedures to allow them to do so.  Implement policies and procedures (described in a privacy policy) to allow students to download, transfer, export, or delete their own student-created content.
  5. Data security.  Implement and maintain reasonable security measures to protect data.  Designate a responsible person and use a risk management process.  Implement a training program to ensure that employees understand company policy and procedures as well as their own obligations.  Develop and describe the process for notifying individuals of unauthorized disclosure of student information.
  6. Transparency.  Ensure transparency by providing a meaningful privacy policy.  This means that it should cover all student information, as well as the personally identifiable information of other users acquired through the site or service.  The privacy policy should also be conspicuously available on the provider’s website or mobile app.  Further, it should use plain language to make it easy for parents and educators to understand.

The report notes that these recommendations are not regulations, mandates, or legal opinions, but rather form part of an effort to encourage the development of privacy best practices.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.