On January 1, 2016, “ SOPIPA”—the recently passed California student data privacy law that defines how edtech companies can use student data became effective. About 25 other states have passed similar laws that are already in effect, or will become effective. At the same time, more than 200 school service providers have now signed the Student Privacy Pledge, a legally enforceable commitment which has language closely aligned with these laws.
With the beginning of a new year and the expectation of another busy legislative cycle for privacy laws at both state and federal levels, it’s a good time for parents, school administrators and school service providers to take inventory on which companies and services are covered by these standards and understand what they actually require.
First of all, what services are covered by these new regulations?
For SOPIPA, the Student Privacy Pledge, and most state laws, the first key question is to determine whether a particular program or device is designed and marketed for use in schools. This definition, initially proposed by Common Sense Media for their draft bill that became a model for the Pledge and dozens of state laws, does not apply to the wide variety of tools available to the general public, even if they are also used by schools. A vendor selling tools or providing services designed for the general public isn’t obligated to redesign them just because schools purchase the products or students happen to visit the websites.
Rather, the use of these general products are covered by existing, separate federal and state laws, which make it clear that schools are restricted from requiring students to share data except for appropriate educational purposes. If a school purchases a general audience product and requires students to use it, it is ultimately responsible for making sure that the tool complies with privacy regulations, and administrators should carefully review its default settings to ensure they are appropriate.
Some schools may wish to only purchase devices designed for schools, or may want to enable settings that only allow the device to be used for school purposes. Others may recognize that once a child has access to a computer, a web browser, and an Internet connection, the uses they may make of the device are endless. In either case, schools should ensure parents are aware of the choices made by the school, and then inform them and their children of the available options to change those settings.
What happens when students use products or services covered by student privacy restrictions along with general market services at the same time?
Many students spend their evenings on school-issued devices, logged in to school services along with personal accounts and browsing general video sites. A number of leading tech companies provide education-specific services covered by the new student privacy requirements but also offer commonly used general services. Parents should understand that student privacy restrictions apply to the data generated while the student is using an educational product or service implemented by the school, but not while the student is doing general web browsing or personal activities unrelated to school.
Of course, a company that provides both types of products cannot take advantage of the identity of a student to augment data on its general service, and cannot use personal data generated by the student’s use of the school service for unrelated commercial purposes.
What data is covered?
The Pledge and most state laws apply to “student personal information.” Data that has been aggregated, or anonymized information, no longer provides personal details about an individual student and generally raises no privacy concerns. For example, gathering statistics such as “20% of students spend an hour per night on math homework” is useful information to analyze or share, as long as the data is adequately de-identified. But vendors should be aware that some state laws do limit even de-identified data uses; California’s SOPIPA, for example, limits the use of de-identified data to specific purposes such as product improvement, but does not allow it to be used for advertising.
What are the restrictions?
When a product or service and the corresponding data are within the scope of the new state laws and the Pledge, edtech companies are subject to a host of restrictions intended to protect students. They are barred from selling student information, delivering targeted advertising to students, or changing privacy policies without notice and choice. They must use data for authorized educational uses only, support requirements for parental access to data, and delete data when required. They must also meet security standards to protect the data they possess against online breaches.
Understanding the details of these new laws does require an appreciation of the nuances and complexities that was required in order to deal with the wide range of technologies and services used by schools and students. But the goal of policymakers to support the responsible use of technology to support students is clear—and should shape our understanding of the new requirements as we work within the context of an evolving edtech environment shaped by new state laws and existing Pledge standards.