Privacy and Ed-tech in 2016

There was a lot of legislative movement for the educational technology (ed-tech) industry in 2015, with states placing additional privacy regulations on the industry, and the effects of those new acts should be felt this year. The states that passed this type of legislation in 2015 were following California’s lead. California’s governor signed the Student Online Personal Information Protection Act (SOPIPA) (2014 Cal SB 1177) back in 2014. Even though these states enacted legislation after SOPIPA, at least one of these acts came into effect before SOPIPA became operative (which was January 1, 2016). Maryland’s Student Data Privacy Act of 2015 (2015 MD H.B. 298) was approved by the governor on May 12, 2015 and took effect July 1, 2015. On August 7, the influential and often business-friendly state of Delaware saw its governor approve the Student Data Privacy Protection Act (2015 Del. SS 1 for SB 79). Some of the Delaware act’s provisions became effective upon its enactment into law, but the provisions that have the most impact are effective “August 1 the first full year following the Act's enactment into law”. Georgia’s Student Data Privacy, Accessibility, and Transparency Act (2015 GA S.B. 89) was signed by the state’s governor on May 6, 2015 and will become effective July 1, 2016. Additional states, such as Arkansas and Virginia, passed similar legislation. According to an article by the National Association of State Boards of Education released last June, 111 state bills “were aimed at establishing better safeguards for the collection, use, and disclosure of student data.” These acts’ influence on ed-tech’s privacy practices, especially those of technology vendors doing business with K-12 schools (i.e. operators), may be significant. They impose new government restrictions on the collection and use of student information and on marketing to students, as well as new security requirements.
The impact on the privacy practices of businesses as a whole is muted because the acts generally define “operator” narrowly. For example, the California, Delaware and Georgia acts’ definition of “operator” applies to those that have “actual knowledge” that their website/app/service is used for K-12 school purposes and was designed and marketed for K-12 school purposes. But note that Delaware and Georgia’s definition is broader than California’s, because those acts add that anyone who collects, maintains, or uses student data (i.e. personally identifiable information) in a digital or electronic format for K-12 school purposes is also an operator. Maryland’s Student Data Privacy Act of 2015 closely tracks California’s, except that Maryland’s does not have the actual knowledge requirement in the definition of “operator”; it does, however, require that the website/app/service be “issued at the direction of a public school, a teacher, or any other employee of a public school, local school system, or the Department.” For those ed-tech companies that are deemed “operators,” the effects are wide-reaching. Like California’s SOPIPA, the new Maryland, Delaware, and Georgia acts restrict operators from “knowingly” engaging in targeted advertising activities, creating a profile of users (except for school purposes), or selling or disclosing student information (except under certain circumstances).

The acts also have security breach provisions. SOPIPA requires that operators implement and maintain reasonable security procedures and practices. Delaware, Georgia, and Maryland adopted language similar to or the same as California’s SOPIPA, although Delaware did set a floor on what reasonable security procedures and practices entail. According to the act, the operator shall “at a minimum, comply with the Department of Technology and Information's Cloud and Offsite Hosting Policy and include the terms and conditions set forth in the Department of Technology and Information's Cloud and Offsite Hosting Template for Non-Public Data.” These acts also require that student information be deleted at the request of the school or district.

Some of the statutes set up regulatory bodies and schemes to deal with the newly passed regulations, which puts an additional burden on the ed-tech industry. The Georgia act requires that the State School Superintendent designate a “Chief Privacy Officer” who will “assume primary responsibility for data privacy and security policy.” Among the Chief Privacy Officer’s responsibilities are to conduct privacy impact assessments and to establish a “model process and policy for any parent to file complaints of privacy violations or inability to access his or her child's education records against the responsible local board of education pursuant to Code Section 20-2-667.” Delaware’s act establishes a Student Data Privacy Task Force “to study and make findings and recommendations regarding the development and implementation of a comprehensive framework to govern the privacy, protection, accessibility, and use of student data within and as part of the State's public education system.”

So what does having these various and varied state laws on the books mean for ed-tech businesses? Because of the national (and even global) market for ed-tech, many operators will probably find it most efficient to comply with the strictest aspects of any of these state acts rather than offer state-specific services/products. Thus, one provision in a state act can effectively drive changes in the entire industry. Having these privacy acts on the books in several states also increases the ed-tech industry’s liability exposure. Businesses must understand and comply with statutes that are worded and interpreted differently from state to state. In addition, instead of being held liable in just one jurisdiction, those who violate provisions that are the same in several states could find themselves defendants in many states at the same time. Finally, as discussed above, some of these acts create regulatory bodies. The ed-tech industry now has the extra burden of monitoring and complying with these bodies’ processes, findings and recommendations.

Those that violate the acts could face stiff penalties. For example, in 2012 the California Attorney General brought suit against Delta Airlines and said in her complaint that the Attorney General has powers under the Unfair Competition Law (Cal Bus & Prof Code § 17206) to levy penalties of $2,500 per violation (which, according to the California Attorney General, means per download) under California’s Online Privacy Protection Act of 2003 as amended (CALOPPA) (2003 Cal AB 68). Note that CALOPPA does not have a specific provision for enforcement. Similarly, SOPIPA also lacks a specific enforcement provision. Thus, it is not too far of a leap to think that the California Attorney General could use the same reasoning to argue that violations under SOPIPA would incur a $2,500 penalty per download or per student. Delaware’s act gives enforcement authority to the Consumer Protection Unit of the Department of Justice (which is under the Attorney General) under the state’s Consumer Fraud statutes, which carry a civil penalty of up to $10,000 for each wilful violation (§ 2522 Proceedings brought by the Attorney General). Because this part of the act is not yet effective, it is uncertain whether the Delaware Attorney General (or the Delaware courts) will interpret each violation as each person affected by the violation.

The legislative action for the ed-tech industry is not limited to the states. There were also federal bills introduced in 2015 aimed at regulating student data. These federal bills included S.1341 Student Privacy Protection Act, S.1322 Protecting Student Privacy Act of 2015, H.R.2092 Student Digital Privacy & Parental Rights Act of 2015, and H.R.3157 Student Privacy Protection Act. None of these federal bills has been enacted into law, but they serve as evidence that there is momentum at the federal level to pass new ed-tech regulations. If a new federal law regarding student data is passed, it will add an additional layer of compliance for the ed-tech industry and would most likely make running the privacy and security aspects of their businesses even more complicated.