EdTech Platforms May Violate Privacy Laws
Privacy Plus+
Privacy, Technology and Perspective
EdTech Platforms May Violate Privacy Laws. This week, the privacy risks of education technology (“EdTech”) platforms made news. As reported by the Washington Post and the Fort Worth Star-Telegram, a new study has revealed that EdTech platforms used by schools during the pandemic appear to have tracked children’s online behavior for the benefit of advertisers and others. The platforms also seem to have requested access to students’ cameras, contacts, and locations, even when that information was unnecessary for schoolwork. Links to the articles follow, and Kate Morris is quoted in the Star Telegram article:
https://www.washingtonpost.com/technology/2022/05/24/remote-school-app-tracking-privacy/
https://www.star-telegram.com/news/politics-government/article261707627.html
In connection with these articles, we think it would be helpful to highlight the federal and state laws at issue:
FERPA: The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99, protects the privacy of student education records. FERPA applies to all schools that receive federal funds. In addition to giving parents and eligible students certain rights concerning “education records” (a term defined broadly), FERPA generally requires schools to have written consent from a parent or eligible student to release any PII from the student's education record. However, disclosure without consent is permitted under certain conditions described in 34 CFR § 99.31. One of these conditions is the “school official exception,” which allows a platform to receive PII from education records without parental consent if the platform: (1) “performs an institutional service or function,” (2) has “a legitimate educational interest” in the education records, (3) “is under the direct control” of the school “with respect to the use and maintenance of education records,” and (4) uses education records only for authorized purposes and does not redisclose PII from education records to other parties without consent. The penalty for violating FERPA is the withdrawal of federal funding to the school. A pitfall for schools is the procurement process, which requires careful attention to ensuring that the contract and the vendor’s privacy practices and policies align.
COPPA: The Children's Online Privacy & Protection Act (COPPA), 15 U.S.C. § 6502, and the COPPA Rule, 16 C.F.R. pt. 312, impose requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that actually know they are collecting personal information online. The COPPA Rule requires operators of these types of these services to include a clearly written privacy notice on their home page and anywhere else on their site where user data is collected. COPPA also requires operators to obtain "verifiable parental consent" before collecting or using personal information from children, and to maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. The FTC has published guidance on complying with the COPPA Rule, which is available at the following link:
Violations of the COPPA Rule carry civil penalties of up to $46,517 per violation.
Student Privacy Act: In Texas, the Student Privacy Act, Tex. Educ. Code § 32, restricts the use of students’ personally identifiable information when used in connection with websites, online services, online applications, or mobile applications for a school purpose. Specifically, the Act prohibits the “operator” of a website, online service, online application, or mobile app from knowingly engaging in “targeted advertising” if the target of the advertising is based on information the operator acquired through the use of those platforms for a school purpose. Operators are also prohibited from using the information to create a profile about a student unless the profile is created for a school purpose. In addition, operators cannot sell or rent any student’s “covered information.” The Act does not include a penalty.
Our view: As mentioned in the Star-Telegram article, linked above, the FTC has recently indicated that enforcement of COPPA is now a priority, especially in EdTech. You can read the FTC’s policy statement on this issue by clicking on the following link:
Here, we think that EdTech platforms should take note of the FTC’s enhanced scrutiny because the penalties for violating the COPPA Rule are stout, and the FTC has expressly stated its intent to ensure that EdTech companies protect children’s privacy.
While we support any action that enhances user privacy – especially children’s privacy – we question the schools’ presumably inadvertent role in the commercialization of student data. On the “front end,” education agencies and/or school systems that contract for EdTech must be diligent and attentive enough to ensure that students’ privacy is protected not only by “policies” posted somewhere on the vendors’ websites, but that those policies are reflected in the contracts between the vendors and the schools. And even where the contracts require limitations on data use and impose security obligations, the vendors’ performance under those contracts must be monitored and assured. This will require not just FTC scrutiny of EdTech practices, but also scrutiny of the schools’ roles themselves.
Without up-front diligence on vendors followed by continued monitoring and oversight, schools will find that they have – albeit inadvertently – played a role in ceding student data to vendors who weren’t adequately committed to responsible data stewardship. And without looking to the entities ultimately responsible for student data – i.e. the schools – we suspect that EdTech privacy problems will persist.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.