With the continuing push for more prolific and creative use of technology in Kindergarten through 12th grade classrooms, student data has become more valuable, and the protection of that data of greater concern. In the face of the perceived need for greater protection of student data, the Delaware General Assembly, on June 25, 2015, approved SS1 for SB 79 (the “Student Data Privacy Protection Act” or “SDPPA”). Expressly modeled on California’s Student Online Personal Information Privacy Act, the SDPPA is designed to prohibit educational technology service providers from selling student data, using student data to engage in targeted advertising to students and their families, or creating student profiles for non-educational purposes.
If signed into law, the SDPPA will regulate the activities of operators of websites and applications designed and marketed for K-12 public school purposes, or those who collect, maintain or use student data in digital or electronic form for K-12 public school purposes. In particular, operators must provide reasonable security to prevent unauthorized access to, destruction of, use, modification or disclosure of student data. Operators must also delete a student’s data within a reasonable period (not to exceed 45 days) following a school or school district’s request for such deletion.
Operators also must not engage in targeted advertising using student data or state-assigned student identifiers where the data or student identifiers have been obtained as a result of use of a website, online or cloud computing service, online application or mobile application. Such data also may not be used to create a student profile except in furtherance of K-12 public school purposes. Student data may not be sold – except in instances of sale, merger or acquisition of an operator by another entity, and provided that the operator and/or successor entity continues to be subject to the SDPPA with respect to previously acquired student data. Operators also must not disclose student data except in certain specified instances, including responding to judicial process, to protect the security of the operator’s website or application, and protecting the safety of users of a website or application. Operators, however, may disclose student data when another provision of federal or state law requires disclosure, or for other legitimate research purposes. Finally, operators may use student data when supporting, evaluating or diagnosing the operator’s website, and may also use student data or de-identified student data to develop and improve an operator’s website or application, or to demonstrate the effectiveness of an operator’s products or services.
In addition to the proscriptions on the use and disclosure of student data, the SDPPA establishes a Student Privacy Task Force to “study and make findings and recommendations regarding the development and implementation of a comprehensive framework to govern the privacy, protection, accessibility, and use of student data within and as part of the State’s public education system.” SDPPA at Section 3. The act also gives to the Consumer Protection Unit of the Delaware Department of Justice the power to enforce the new law.
If the SDPPA is signed into law, the proscriptions applicable to operators will not take effect until August 1 of the first full year following the act’s enactment into law, with all other provisions taking effect immediately upon the Governor’s signature. SDPPA at Section 5.