Amid a year filled with high-profile data breaches and a focus on privacy concerns, a number of states have enacted enhanced privacy and data security laws that apply specifically to students, including, in the case of California, new rules that may potentially apply to a broad class of technology services directed at K–12 students.
The new laws enacted in many states include enhanced privacy requirements for school districts that are relevant to education technology companies that provide services to school districts. These laws address student data privacy in a number of ways, including restricting with whom student data may be shared, restricting which data may be collected, requiring school districts to adopt data-retention and security standards, and requiring the publication of data collection indices that explain each element of student data that school districts collect.
Several new state laws also require specific provisions regarding student data privacy to be included in any contract between a school district and a third-party service provider. For example, in Louisiana, agreements with contractors must include, among other matters, provisions for privacy and security audits by the district as well as data breach planning, notification, and remediation procedures. In California, such agreements must include, among other matters, procedures for parents and legal guardians to review and correct personally identifiable information held by the contractor.
California’s Expanded Student Data Privacy Regime
For education technology companies that provide services to school districts, it is usually clear when student privacy laws will apply because student data is passed from school districts to providers under agreements between the companies and districts. However, the Student Online Personal Information Protection Act (SOPIPA) recently enacted in California and taking effect on January 1, 2016, is not limited to services provided directly to schools. SOPIPA applies stringent privacy rules to any operator of websites, Internet services, or mobile applications with actual knowledge that the services are used primarily for “K–12 school purposes” and were designed and marketed for K–12 school purposes. SOPIPA prohibits, among other actions, using student data for targeted advertising on the service; using any information collected, including persistent unique identifiers (such as persistent cookies), for targeted advertising on any other site or service; and selling student data. SOPIPA also imposes certain data security and deletion requirements on covered services.
Without further guidance or regulations from California, the scope of SOPIPA’s application to online services is unclear, but potentially very broad. “K–12 school purposes” is defined as any purpose that customarily takes place at the direction of a K–12 school, teacher, or school district or that aids in the administration of school activities. Accordingly, even if an online service is not provided directly to schools, if it is used by K–12 students or fills a traditional school function, it may be subject to the restrictions. Services subject to SOPIPA may therefore include some social networks, collaboration tools, study aids (such as flashcard apps or other mobile education apps), note-swapping services, and message boards, among any other tools that a school might use or benefit from.
Considerations for Education Technology Service Providers
For companies that provide services directly to schools, the raft of new state privacy laws means that companies should consider the applicable state laws when evaluating business opportunities with school districts for services that involve handling student data. As discussed above, each state will have its own requirements for data security, auditing, and student privacy that companies must be able and willing to comply with. Negotiation of agreements with school districts will also be constrained by laws in states that require the inclusion of specific provisions in all service provider agreements.
Education technology companies that do not provide services directly to school districts should still consider whether their services are used for purposes covered by SOPIPA, and if so, evaluate how user data, including persistent identifiers, are used in the business in the event that they are required to comply with SOPIPA’s restrictions in 2016. Sourcing@MorganLewis will continue to follow any new developments on this issue closely.