On February 26, 2015, the Department of Education’s Privacy Technical Assistance Center (“PTAC”) issued guidance to assist schools, school districts and vendors with understanding the primary laws regulating student privacy and how compliance with those laws may be affected by Terms of Service (“TOS”) offered by providers of online educational services and mobile applications. The guidance also is intended to aid school districts and schools in implementing separate guidance issued by the PTAC in February 2014. The guidance was accompanied by a short training video directed to teachers, administrators and other relevant staff.

The guidance, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, states that the TOS offered by providers of online educational services and mobile applications are often “Click Wrap” agreements requiring schools and districts to accept the TOS without an opportunity for negotiation. The guidance explains certain language commonly found in TOS agreements offered by providers of online educational services and mobile applications in order to help schools and school districts better determine whether accepting the TOS could violate any law regulating student privacy, such as the Family Educational Rights and Privacy Act. For example, the guidance states that the “TOS should be clear that data and/or metadata may not be used to create user profiles for the purposes of targeting students or their parents for advertising and marketing, which could violate privacy laws.” The guidance also contains information about provisions in TOS with respect to the definition of “de-identification,” modifications to the TOS and the providers’ use and sharing of student data.

In addition to highlighting common provisions that are potentially problematic from a legal perspective, the guidance provides examples of provisions that are more protective of student privacy and in line with best practices. The guidance also provides a brief explanation of why the commonly found provisions are problematic or in accordance with best practices for student privacy.