Overview
Educational technology (EdTech) tools were critical during the COVID-19 pandemic and remain a key part of education, from digital textbooks and instructional material to interactive applications for teachers, parents, and students. There are many benefits to EdTech, such as personalized learning and rapid feedback. But while these tools have incredible benefits in the classroom, they collect more personal data about students than ever before and have the potential to put students’ privacy at risk. Beyond typical student rosters and class enrollment, these technologies can gather more bespoke information, including survey results, school performance, and study habits, and they can even create psychological profiles and predict the academic performance of classrooms and individual students.
Entities in the education sector – from academic institutions to EdTech vendors and their investors – are all key players in protecting the privacy of students. Because of the personal data collected and processed by EdTech tools, there are a number of education-specific and broader privacy laws that should be considered: the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA) at the federal level, as well as California’s Student Online Personal Information Protection Act (SOPIPA) and other state laws.
This article will provide a high-level summary of these laws and highlight several key privacy and security issues that all entities in the education space should keep in mind while navigating a constantly shifting regulatory landscape.
In Depth
LEGAL OVERVIEW
FERPA
The Family Educational Rights and Privacy Act is the primary federal privacy law regulating student data.[1] FERPA protects “education records,” i.e., records, files, documents, and other materials that 1) contain information directly related to a student and 2) are maintained by an educational agency or institution or by a party acting for the agency or institution.[2] The law prohibits the disclosure of education records except under certain conditions (e.g., to accrediting organizations, designated officials, school officials) or with the consent of the student/parent, and grants rights to parents and eligible students to review, request corrections to, and stop the release of their student records.
FERPA applies directly to educational institutions and agencies that receive funds from programs administered by the US Department of Education. It applies indirectly to recipients of “education records,” such as EdTech vendors and other contractors. When contracting under FERPA, educational institutions and agencies should enter into a data processing agreement with all EdTech vendors that includes FERPA privacy requirements and imposes minimum data security requirements to protect the student records.
COPPA
The Children’s Online Privacy Protection Act applies to for-profit operators of commercial websites and online services that direct their online services to children under age 13 or knowingly collect personal information from children under 13. COPPA follows a notice-and-consent model. Before an online operator knowingly collects personal information from someone under 13, it must first give notice to and obtain verifiable consent from the minor’s parent or guardian.[3] The business must also, among other things, provide a clear and comprehensive privacy policy, honor the parent or guardian’s rights to access and delete their child’s personal information, and maintain the confidentiality, security, and integrity of the information it collects.
COPPA could apply to for-profit EdTech vendors in the K-12 setting to the extent their online products are targeted to or collect personal information (such as a name, email address, IP address, and screen name) of children under 13. Many educational institutions partner with EdTech vendors to offer online programs to benefit their students, such as online tutoring, education modules, and homework help lines. EdTech vendors and educational institutions need to have a clear understanding of what personal information is collected by the EdTech vendor, whether any of that personal information is subject to FERPA or other educational privacy laws, and how the parties will work together to obtain verifiable consent and honor rights in compliance with COPPA.
State Student Privacy Laws
A number of states have passed laws to protect student privacy. Most of these laws are based on California’s Student Online Personal Information Protection Act, which prohibits EdTech apps and services that target K-12 students from selling or using student personal information for targeted advertising or profiling.[4] Further, it requires EdTech vendors to maintain reasonable security procedures to protect student data and honor data-deletion requests from the school or district.[5] At least 13 states have followed suit by passing laws that are modeled after SOPIPA.
Additionally, comprehensive privacy and data protection laws are becoming increasingly common and more are being passed each year. Many of these laws generally exempt FERPA-regulated data, and the California Consumer Privacy Act exempts consumer requests to delete certain student data, such as grades and educational scores held on behalf of local educational agencies. However, certain schools and EdTech vendors may still fall within the umbrella of these laws if they meet the requisite thresholds of applicability and process data outside of the scope of FERPA.
KEY PRIVACY AND SECURITY ISSUES
Privacy of Student Data
Over the last few years, the FTC has prioritized the privacy of student data, making it clear that companies cannot ask parents and schools to trade their children’s privacy rights in order to do schoolwork online or attend class remotely. As a result, those that handle student data should carefully examine their privacy practices and aim to minimize the collection, use, and sharing of student data to only the extent necessary to provide the services. EdTech vendors and schools should also be transparent in their data collection and processing practices through their privacy policies and COPPA notices. State privacy laws may also have strict contracting, disclosure, and data-security requirements, which range in scope and effect from state to state.
EdTech Vendor Contracting
Contracts between schools and EdTech vendors should take into account all privacy and security laws applicable to both parties and clearly state the data types that will be collected, used, and disclosed as part of the services. Contracts should also include data processing terms that detail the processing activities, ownership rights/control over the data, and any restrictions that must be placed on the data to protect student privacy and comply with applicable law. It is also a good idea to include the physical and technical security measures the EdTech vendor is required to deploy to safeguard student data.
For EdTech vendors, we recommend incorporating into contract templates terms addressing FERPA’s “school official” exception (i.e., that the vendor performs an institutional service or function for which the institution would otherwise use employees, is under the direct control of the institution with respect to the use and maintenance of education records, and restricts certain uses and disclosures of personally identifiable information)[6] to streamline the procurement process.
Security
Security is an important issue for all entities that process and maintain student data. Elements such as encryption at rest and in transit, multifactor authentication, employee training, and role-based access controls are all critical to fostering and maintaining trust with educational institutions. External audits and certifications based on industry standards such as ISO 27001 or SOC 2 can verify and improve existing cybersecurity processes. Better cybersecurity practices and the associated certifications can also help lower cyber-insurance premiums by demonstrating robust controls.
TAKEAWAYS
The legal and regulatory landscape for all involved in the education sector is complex and ever changing, as evidenced by COPPA 2.0 passing the US Senate in July 2024. If you have questions or would like to evaluate your practices, reach out to your McDermott lawyer or the authors of this article.