On Wednesday, California’s Attorney General released a report with recommendations for the education technology (“Ed Tech”) industry, a multi-billion dollar industry that is transforming learning as we know it. The Ed Tech industry has the potential to greatly enhance the student learning experience through data management systems and tools that support educators and provide personalized curricula and adaptive learning for students. However, these systems and tools (such as cloud services), create added risks and challenges when it comes to safeguarding student personal information and respecting the privacy rights of students.

Working in conjunction with several stakeholders, including Ed Tech providers, the Attorney General’s Privacy Enforcement and Protection Unit issued the following six recommendations, which are specific to website operators and online service providers that primarily target or market services for K-12 school purposes:

  1. Data Collection and Retention: Only collect the types and categories of information necessary to accomplish the objectives of the Ed Tech service as outlined by the educational institution with whom you contract. Be transparent with students and describe data collection and data use practices, as well as data retention policies.
  2. Data Use: Do not use any information acquired from your site or service for profiling students and/or targeted advertising.
  3. Data Disclosure: Notify students of third party disclosures of covered information; specifically, the types of entities that receive covered information and the purpose for the disclosure. Apply the appropriate safeguards to protect covered information when sharing information with third parties.
  4. Individual Control: Implement policies and procedures to permit student access and correction of covered information.
  5. Data Security: Implement and maintain reasonable safeguards and practices to protect student information, including employee privacy and security training. Have an actionable plan in place for data breach incidents.
  6. Transparency: Provide a conspicuous and plain language privacy policy that identifies a privacy contact who can address questions regarding privacy concerns.

The California Attorney General report concludes with appendices containing relevant California laws that the Ed Tech operators should note and review as they grapple with new challenges in the Ed Tech space. The report is a must read for individuals in the Ed Tech industry and should serve as helpful reminders on ways to mitigate the risk of violating student and children’s privacy laws.