With students around the country back in school, it’s time for educators and education-focused technology (“EdTech”) service providers to pick up their pens and paper (or more likely their tablets), and brush up on requirements for protecting student data. Legislators in Arkansas, Delaware, Georgia, Maine, Maryland, New Hampshire, Oregon, and Washington worked to tighten student data privacy restrictions this legislative session, passing bills shortly before the bell rang and the legislators were dismissed.
Following our summary of these new laws, we have outlined a few next steps for education institutions and EdTech service providers in these states, including reexamining and potentially updating current policies and procedures as may be required by these new state laws.
As student data continues to be a focus for legislators, educators and EdTech service providers need to stay abreast of new state student data privacy laws and regulations.”
State Legislators Add New Student Data Rules Following California’s Lead
Back in July we updated you on states that passed data breach legislation since the year began, and how similar efforts have stalled in Congress. Several states have taken up the baton in regards to student data privacy as well. Since January, eight states – Arkansas (H.B. 1961); Delaware (S.B. 79); Georgia (S.B. 89); Maine (S.P. 183); Maryland (H.B. 298); New Hampshire (H.B. 520); Oregon (S.B. 187); and Washington State (S.B. 5419) – passed legislation that bolster protections of student data.
These new laws are by-and-large modeled off of California’s Student Online Personal Information Protection Act (“SOPIPA”) (Cal. Bus. & Prof. Code § 22584) and restrict how operators of K-12 education-focused websites, online services and applications, and mobile applications can use and disclose any student data they might have access to in the course of their business.
EdTech service providers operating in these eight states need to act now, as several states’ student privacy laws have already taken effect. Fortunately, service providers who are already in compliance with SOPIPA likely have a leg up in meeting new student data privacy requirements imposed by these statutes, since most of the states appear to incorporate many of the provisions in California’s student privacy law into their own.
Who is governed?
These laws generally apply to third-party operators of Internet websites, online services and applications, and mobile applications that are designed, marketed, and used for K-12 purposes (“operators”). This definition excludes general audience Internet sites, online services, and online and mobile apps, as well as departments of education, school districts, and the schools themselves.
All of the states except for Maryland and Washington require that operators have “actual knowledge” that their services were designed and marketed, and subsequently used, for K-12 purposes in order to be covered by their respective bill.
What information is covered?
All of these new laws aim to guard a wide array of material that can be used to identify a student which the operator has access to through the operations of its service. Covered information varies from state to state, but typically includes any information that identifies or could identify the student, including student’s name, address, Social Security number, telephone number, geolocation, and biometric dataNumerous other data points related to a student’s education or status – such as a student’s school records, grades, test results, socioeconomic information, and the like – also are covered.
Washington simply defines its covered information as that which is “collected through [an operator] that personally identifies an individual student or other information collected and maintained about . . . or that is linked to information that identifies an individual student.”
Georgia, and Maine, alternatively, cleave covered information into two categories: “student data” and “student personally identifiable information” (“SPII”), and impose additional restrictions on operators’ ability to disclose and use particularly sensitive identifying information. “Student data” is a broadly-defined category of data akin to covered information, which is “collected and maintained at the individual student level.”
SPII, on the other hand, is defined as “student data that, alone or in combination, is linked to a specific student and would allow a reasonable person . . . to identify the student.” Both states provide more stringent rules on how and when SPII can be used or disclosed; for instance, Georgia prohibits the disclosure of SPII without parental consent (or the consent of the student if he or she is 13 or older) except in limited situations, such as in furtherance of the K-12 purpose of the service or application, to ensure legal or regulatory compliance, or guard against liability, among other exemptions.
Given these definitions, it appears that whether particular student data will also be regarded as SPII depends upon the circumstances. Consequently, EdTech companies will need to ensure that their uses and disclosures of SPII are in line with these new limitations. This is especially important because SOPIPA does not make a distinction between student data and SPII; as a result, operators that are otherwise in line with SOPIPA will still need to ensure that their practices align with these new restrictions if they operate in Georgia or Maine.
Permissible Uses and Disclosures of Student Data
Operators are permitted under the laws to use students’ information gathered by virtue of their service for certain enumerated purposes. For instance, all states except New Hampshire allow operators to use student information to improve or maintain the operator’s services and for customized learning purposes. In the same states, operators may disclose student data: where permitted or required by law; for activities in furtherance of the K-12 purpose of the service or application; to ensure legal or regulatory compliance, or guard against liability; and for “legitimate research” required or authorized by state or federal law, among others.
Further, all of the states except for Washington grant operators greater freedom to use or disclose aggregated and “de-identified” student information. While neither Arkansas, Maryland, nor Oregon define these terms, the other state statues express them as follows. “Aggregate student data” is data that is not personally identifiable and is collected or reported at the group, cohort, or institution level. “De-identified data,” on the other hand, is generally defined as a student data set that cannot be reasonably used to identify, contact, or infer information about a student or his or her device. Operators can use aggregate or de-identified data under certain circumstances, such as to develop and improve the operator’s service or to demonstrate the effectiveness of its products or services, including through marketing.
Restrictions on Use, Sale, or Disclosure of Student Data
These new laws impose many of the same restrictions and obligations on operators’ use and disclosure of student data as found in SOPIPA, though with slight variations.
All of these laws prohibit operators from engaging in targeted advertising, based off either the service that they provide or the students’ covered information to which they have access. Fortunately, most of these laws carve exceptions into their definition of “targeted advertising” that permit some advertising to students that use an operator’s services. All states except New Hampshire declare that targeted advertising does not include advertisements to students online based on their current visit to a specific location. Further, all states except New Hampshire, Maine, and Washington allow ads to a student in response to a single search query where the student’s online activities are not collected or retained. Washington instead exempts adaptive or personalized learning and customized education from “targeted advertising.”
The laws further prohibit operators from using student information to create student profiles when not related to an educational purpose. Arkansas, Georgia, Maine and Maryland state that collecting or retaining information that remains under the student, parent, school or school district’s control does not constitute creating a profile. However, all of these statute’s terms impose tight restrictions on how EdTech operators can amass information on the students their products serve.
Operators also may not sell student information, or disclose such data except in the situations outlined above.
Student Data Protection and Retention
Operators are required to affirmatively protect student data under the passed legislation, both by implementing and maintaining reasonable security procedures and practices as well as deleting student information under their control “within a reasonable time” if requested by the school or the district. Delaware, Georgia, and Maine require deletion of student data within 45 days of a school or district’s request.
Transparency and Access to Data
Washington’s new law will require that operators provide “clear and easy to understand” information about what student data they collect, how it is shared and used, and provide “prominent notice” before making material changes to their privacy policies.
Additionally, unlike in SOPIPA, parents will have a right to access to their children’s covered information and correct any errors under Washington’s statute.
When do these laws go into effect?
EdTech service providers operating across many states are provided little relief, with three of these laws already effective, two more effective in the next six months, and all of the laws effective within a year.
- Effective as of July 2015: Arkansas, Georgia, and Maryland
- Effective October 14, 2015: Maine
- Effective January 1, 2016: New Hampshire
- Effective July 1, 2016: Oregon and Washington
- Effective August 1, 2016: Delaware
EdTech service providers operating in these states need to take a close look at their data collection, use, and disclosure practices and ensure compliance with these new mandates. In particular, EdTech service providers should pay special attention to the leeway that these statutes give in terms of delivering targeted advertising to students. Consequently, K-12 EdTech service providers that want to use targeted advertising to improve their services and products should look at their current advertising practices and modify them according to these new laws and in conjunction with other applicable advertising industry rules. And providers serving students and schools in Georgia and Maine should mind the different obligations those states have created regarding student data and SPII. Finally, EdTech service providers also may need to update their privacy policies for websites, apps, and services subject to these laws.