Privacy Tips for Ed Tech Companies and Schools Conducting Remote Learning

As schools increasingly are adjusting to remote learning and utilizing education technology (“ed tech”) services, both schools and their ed tech service providers need to consider the appropriate collection and usage of student personal information.  Here are some tips for protecting students’ privacy and safeguarding personal data:

Be aware of relevant laws.  A number of privacy laws potentially apply to the utilization of ed tech vendors.  One important law is the Children’s Online Privacy Protection Act (“COPPA”).  COPPA spells out what operators of commercial websites and online services, including some ed tech services, must do to protect children’s privacy and safety online.  For example, if your company is covered by COPPA, you need to have certain information in your privacy policy and get parental consent before collecting some types of information from children under 13.  Companies covered by COPPA also must maintain reasonable data security practices.  In addition to COPPA, the Family Educational Rights and Privacy Act (FERPA), as well as state laws that protect the privacy of K-12 students, may be applicable.  Under FERPA, educational agencies and institutions may disclose, without consent, education records, or PII contained in those records, to the providers of online learning software apps under the “school official” exception provided they meet the conditions of that exception.

When does COPPA apply to ed tech services used for remote learning?  COPPA generally requires companies that collect personal information online from children under age 13 to provide notice of their data collection and use practices and obtain verifiable parental consent.  In the educational context, however, the Federal Trade Commission (“FTC”), which enforces COPPA, has indicated that schools can consent on behalf of parents to the collection of student personal information if such information is used for a school-authorized educational purpose and for no other commercial purpose.  This is true whether the learning takes place in the classroom or at home at the direction of the school.

For the ed tech service to obtain valid consent from the school instead of from the parent, the service must provide the school with the necessary COPPA-required notice of its data collection and use practices.  As a best practice, the FTC recommends that ed tech services make the COPPA notice available to parents, and, where feasible, let parents review the personal information collected.  In addition, ed tech services should use plain language that students, parents, and educators can easily understand.

What should schools using ed tech services be doing?  While COPPA generally does not impose obligations directly on schools, the FTC recommends that they consult with attorneys and information security specialists to review the privacy and security policies of the ed tech services they use for remote learning.  The school or school district should give parents a notice of the websites and online services whose collection they have consented to on behalf of the parent.  In deciding which online technologies to use with students, a school should be careful to understand how an operator will collect, use, and disclose personal information from its students.  Among the questions that a school should ask potential operators are:

• What types of personal information is collected from students?
• How is the personal information used?
• Is the information used or shared for commercial purposes not related to the provision of the online education services requested by the school?
• What administrative, technical, and physical measures are taken to protect the security, confidentiality, and integrity of the personal information that is collected?
• What are the data retention and deletion policies for children’s personal information?
• Do existing privacy policies reflect the current data handling practices? Are the privacy policies clear and accessible to students, parents, and educators?

If you would like to learn more about these issues, please connect with a Honigman attorney in the Data Security and Privacy Litigation group.