California Releases Privacy and Security Best Practices for Education Technology Industry
The California Department of Justice has issued recommendations for privacy and security practices in the education technology (Ed Tech) industry. The report, entitled Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, encourages the development of best practices among the operators of software and digital services that provide schools and school districts with (1) administrative management systems and tools, (2) instructional support, and (3) educational content.
In a foreword, Attorney General Kamala D. Harris recognizes that educational technology “holds the potential to unlock countless new opportunities to educate students for the workforce of tomorrow,” but notes that it is “critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.” While the recommendations are not legally binding, they are intended to “ensure privacy protections for students while making the most of technological advancements” by encouraging the Ed Tech industry to “focus on educational purposes, by limiting the collection and use of student information acquired through the technology.”
The report’s Executive Summary highlights the widespread adoption of Ed Tech in PreK-12 education, which amounted to an $8.38 billion market in 2015. Ensuring the privacy of student data in the Ed Tech industry is especially important because these services often involve the collection and maintenance of “very sensitive” student data such as medical histories, social and emotional assessments, and test reports. The report also recognizes that Ed Tech can collect new types of information such as metadata and location information, which might not be covered by existing federal laws on student and child privacy.
The report’s recommendations break down into the following categories:
- Data Collection and Retention: Collection of student data should be limited to that which is necessary to achieve the Ed Tech service’s educational purposes. Data should not be retained indefinitely and Ed Tech services should ensure their capacity to delete student data if so directed.
- Data Use: Ed Tech companies should not use any student information for targeted advertising or to create profiles of students, except as required by the educational institution. If student data is used to improve Ed Tech products or to demonstrate their effectiveness, that data should be aggregated or de-identified.
- Data Disclosure: Any disclosure of covered information to a service provider should contractually ensure that the information is only used for the contracted service, that the provider employs reasonable security practices, and that the data is returned or deleted at the completion of the contract.
- Individual Control: Implement policies and procedures to allow parents, legal guardians, and eligible students to review and correct covered information and to download, transfer, export, or delete student-generated content.
- Data Security: Implement and maintain security measures that are appropriate for the nature of the student information and implement a training program to ensure that employees understand these procedures and their individual obligations. Further, develop and describe the process for notifying relevant government agencies, educational institutions, and parents in the event of any unauthorized disclosures of student information.
While the report itself is not legally binding or self-enforcing, companies offering Ed Tech services should carefully review these recommendations and consider how they comport with California’s existing student and children’s privacy regime. In addition to applicable federal laws such as FERPA and COPPA, California has recently enacted two laws relating to privacy and data security in the Ed Tech industry. California Education Code Section 49703.1 establishes procedures and use restrictions for third-party cloud-based services and education software companies entering into contracts with local educational agencies that involve the transfer or management of student-generated content and education records. And California’s Student Online Personal Information Protection Act (SOPIPA) applies to third-party education service providers and includes obligations such as implementing and maintaining “reasonable security procedures and practices.” Companies should also be aware that California has signaled a commitment to active enforcement of privacy laws and regulations. For example, in October the AG’s office established an online forum for reporting potential violations of California’s Online Privacy Protection Act. Understanding and adopting recommendations in the report will help prevent regulatory scrutiny, negative publicity, and civil lawsuits.