Remote Learning – Privacy and Data Security Challenges
As schools adapt to the reality of trying to teach remotely during the COVID-19 crisis, education technology companies are seeking to fill the needs of students and support remote learning despite stay-at-home orders imposed across the country. To the extent that any such education technologies involve the collection and use of students’ personal information, appropriate protections and safeguards must be implemented that are in compliance with the legal requirements relating to the privacy and security of student data.
On the federal level, the Children’s Online Privacy Protection Act (COPPA) imposes legal requirements when handling the personal information of children under the age of 13 years. Importantly, COPPA is not a barrier to schools rolling out remote learning and does not impose any direct obligations on schools, but rather sets forth obligations on the operators of commercial websites and online services.
To comply with COPPA, education technology companies must ensure that appropriate notice about data collection and use practices is being incorporated into privacy policies and, in some instances, obtain parental consent before collecting personal information from children. Under COPPA, schools can consent on behalf of parents to the collection and use of student personal information by education technology companies, but only if the education technology company is prohibited from using any such students’ personal information for any commercial purpose other than a school-authorized educational purpose.
Education technology companies should carefully assess the functionality of any remote learning solutions under this COPPA standard. Some functionality being rolled out by education technology companies could arguably fall outside the scope of a direct educational purpose. For example, disciplinary functions that can be used to monitor student activities while at home could inadvertently capture other personal information that may run afoul of COPPA. Also, if an educational technology company plans to use students’ personal information in connection with generating targeted advertising or building user profiles for commercial purposes not related to the provision of the online service, then the education technology company cannot rely on consent being provided by the schools, but must develop mechanisms to seek direct consent from parents.
Additionally, education technology companies must be prepared to respond to detailed due diligence requests by schools before such education technology should be implemented. For example, COPPA requires that any childrens’ personal information must be protected by reasonable data security practices to prevent unauthorized access by hackers and other malicious actors hoping to take advantage of this crisis. Thus, education technology companies must be ready to answer questions about how student data will be secured.
Furthermore, education technology companies should also be prepared to respond to parental questions by providing robust customer support services, which can be challenging as many call centers and other customer engagement facilities are similarly facing staffing challenges due to stay-at-home orders. Any COPPA-required notice of data collection and use practices that is provided to schools should also be made available to parents.
Another federal statute that education technology companies should be aware of is the federal Family Educational Rights and Privacy Act (FERPA). The Department of Education has advised that schools look for “[p]roducts that apply best practices like encryption, strong identity authentication, and a statement and terms of service that explain how the vendor’s use of PII from student education records complies with FERPA.”
Under FERPA, education technology companies can receive student records as a service provider to the schools if the education technology company: (1) performs an institutional service or function for which the school would otherwise use its own employees; (2) has been determined to meet the criteria set forth in in the school’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the student records; (3) is under the direct control of the school regarding the use and maintenance of the student records; and (4) uses the student records only for authorized purposes and does not re-disclose the student records to other parties unless the education technology company has specific authorization from the school or a FERPA exception applies to the disclosure.
For example, the FERPA directory information exception would permit student records to be disclosed during classroom instruction to students who are enrolled in and attending a class, including via a virtual meeting. Thus, an education technology company could offer schools a platform for children to join a virtual classroom from home even though other household members may be able to observe such meetings and see the names of the other students attending the class. For students that cannot join a class during a live session, the same FERPA exception could apply to the students watching a recording of the class at some later time. However, individual sessions between a teacher and student, during which other student records such as grades may be discussed, should be conducted in a private location within the home.
Under FERPA, parents and eligible students have the right to access education records and seek amendment of education records as well as the right to provide consent to any disclosure of personal information from student education records unless a FERPA exception applies. Education technology companies that are already facing staffing and resource challenges must be prepared to honor these rights as well as respond to any complaints within the statutorily required 45 day timeline.
Other Legal Requirements
In addition to COPPA and FERPA, education technology companies need to be aware of other personal information protection laws, including those that are not specific to remote learning. For example, Section 5 of the Federal Trade Commission (FTC) Act prohibits all companies, not just education technology companies, from engaging in unfair or deceptive acts or practices.
Individual states may also have laws and regulations that either directly address the use of education technology or may apply broadly to any collection, use, and disclosures of personal information. For example, many states have implemented their own COPPA-like laws, which in some cases provide for additional protections to minors. In another example, the New York Department of Education adopted new regulations earlier this year to protect any personally identifiable information relating to students, teachers, and principals, in response to the growing problem of cyberattacks on school districts. Education technology companies should be mindful of these state laws and regulations as well as any city or local orders or directives.
Some recent examples of education technologies that have raised legal issues in the past few months include:
- New Mexico Attorney General Hector Balderas filed a lawsuit against Google alleging that the company uses its educational products to collect the data of children under 13 without parental permission. Google has also been sued in California by parents for allegedly selling and distributing Chromebooks that collect and store students’ facial and voice data, location data, and search histories without parental permission.
- New York Attorney General Letitia James (D) is investigating Zoom about its privacy practices relating to its video conferencing application. New York City schoolteachers are now prohibited from using Zoom and Google Classroom’s videoconferencing programs because of safety concerns, according to the New York Education Department.
- The California Department of Education recently announced the creation of a “Closing the Digital Divide Task Force.” The task force will assess the needs of all California students, including working with partners to secure devices and Wi-Fi hotspots to close the technology gap among students in response to a strong recommendation from State Superintendent Tony Thurmond for all schools to focus on remote learning models due to the COVID-19 health crisis. However, any solutions recommended or developed by the task force would, at a minimum, be required to comply with the California Student Online Personal Information Protection Act and the new California Consumer Privacy Act.
- Students at Florida State University have signed an online petition challenging the use of remote learning software designed to detect academic misconduct. The university faculty has been using education technology that records web activity, detects the use of mobile devices to identify potential cheating, and accesses computer webcams and microphones to monitor student activity during exams. More than 5,000 students claim that the technology is a “blatant violation of our privacy as students.”
- The World Privacy Forum Founder recently released a multi-year study on student privacy related to FERPA’s school directory information exemption. The report found that primary, secondary, and postsecondary schools used the exemption to bypass consent requirements and share students' data.
Education technology companies are rapidly launching new and/or expanding remote learning software, and in some cases providing hardware in the form of laptops and other devices, but despite accelerated timelines for rolling out these new education technologies, legal compliance must remain a top priority. Other technology companies that are launching new education technologies must be aware that they are entering a highly regulated sector. While remote learning is critical to minimize the impact of the COVID-19 crisis on students and educational institutions, any such remote learning must be conducted in a manner that respects students’ personal information and complies with the many privacy and data security laws and regulations that impact how education technology should be developed and implemented.
Copyright © 2020 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.