While the development and use of innovative technology for students is currently exploding in the education sector, so are the laws governing it. Education technology, commonly referred to as “Ed Tech,” is well established in most schools and continues to grow. At the same time, the laws are also rapidly evolving – at both the state and federal levels. In 2017 alone, 93 bills addressing student data were introduced in various states.
At the federal level, there is also heightened activity. The Federal Trade Commission (FTC) and the Department of Education (ED) recently held a joint workshop on December 1, 2017, focusing on Student Privacy and Ed Tech. Both the FTC and ED acknowledged that these technologies have tremendous potential, but that the transformation in Ed Tech has raised questions about how the Rule implementing the Children’s Online Privacy Protection Act (COPPA) applies in the school context and how it intersects with the Family Educational Rights and Privacy Act (FERPA). The workshop was intended to gather information to help clarify how the FTC and ED can ensure that student privacy is appropriately protected without interfering with the promise of Ed Tech. It convened representatives from parent groups, school associations, Ed Tech providers and regulators to discuss a variety of issues related to the intersection of COPPA and FERPA.
Some of the key themes discussed at the workshop and included in written comments were the need for greater clarity from the regulators and modernization of the laws. The groups voiced concerns that certain definitions need to be clearer. Specifically, further guidance was requested from the FTC concerning the definitions of “educational purpose” and “other commercial purposes” in COPPA. From ED, further clarification was requested concerning the definition of “education record” in FERPA and whether or not that includes product improvement/adaptation by Ed Tech providers. The Ed Tech community, in particular, would like to better understand when it needs to obtain consent from parents as mandated by COPPA and when the School Official Exception under FERPA is sufficient to cover its use of student data for product implementation and further development. For background, the “School Official Exception” in FERPA provides an exception from the consent normally required from the parent/student; however, the exception applies only if the information is needed for an educational purpose of the specific school. Neither the FTC nor ED provided any timeline for upcoming actions or guidance, but both indicated that they would take into consideration the comments received and determine next steps. Stay tuned for more from these regulators.
As we mentioned, there is explosive growth in regulation. Below is a brief summary of the state and federal laws in these areas and some recommended next steps.
As of September 2017, 94 laws that specifically address student privacy issues have been passed in 41 states. States continue to introduce legislation dealing with student privacy. In 2017 alone, 93 bills were introduced. Perhaps the most commonly referenced law is California’s Student Online Personal Information Protection Act (SOPIPA), which prohibits an operator of a website, online service, online application or mobile application from engaging in targeted advertising to students, their parents or legal guardians. These services and applications also may not use covered information to amass a profile about a K-12 student, sell a student’s information or disclose covered information. The law also addresses security procedures and practices for covered information in order to protect it from unauthorized access, destruction, use, modification or disclosure. A number of other states have modeled their laws on SOPIPA.
Numerous other states, including Arizona, Colorado, Georgia, Idaho, Illinois, Louisiana, Maine, Nebraska, New York, Oklahoma, Rhode Island, Texas, Virginia, Washington, D.C., and West Virginia, have laws that address student data privacy. Notable trends in state student privacy laws include guaranteeing access to data, regulating service providers, data breach response requirements, and restrictions on nonacademic data such as biometrics, socioeconomic information and surveys for nonacademic purposes.
Moreover, FERPA and COPPA also apply to student data. COPPA applies to online Ed Tech providers and to parents and their children (students). The FTC has acknowledged in guidance that schools can act as the intermediary for parents and students only with regard to the collection by Ed Tech providers of student data solely for the school’s educational purposes. FERPA, on the other hand, applies to schools receiving federal funding, parents (with children under 18) and students. Both COPPA and FERPA impact Ed Tech providers, as schools routinely have written agreements that require numerous provisions from the Ed Tech providers.
Stay tuned for more state laws regarding student data privacy. There may also be an increase in class action suits where private actions are allowed under applicable state student privacy laws, such as California’s SOPIPA. We also anticipate the modernization of FERPA and the Higher Education Act by Congress and regulatory refinements from ED. There is a bill currently pending in the Senate to update FERPA. Moreover, we expect the FTC to also take action, likely after FERPA modernization, to better align COPPA with FERPA and provide more guidance with regard to definitions. There is also a recent bill pending in Congress to update COPPA.