What should edtech companies know about consumer privacy laws?

As states continue to pass new consumer privacy laws, edtech companies may be wondering what their compliance obligations will be under these various frameworks. Taken together, these laws create a “patchwork” of different standards. This patchwork could become even more complicated in the upcoming legislative season. this chartcompares current state privacy laws and provides links to each consumer privacy law that is part of this patchwork. The patchwork can be difficult to understand because these laws are often not passed with educational technology or schools’ unique circumstances in mind. It’s important to understand what questions to keep in mind when evaluating an edtech vendor’s compliance. Edtech companies need to understand the nature of their relationships with schools and consumers, their revenue standards, the scope of their data processing and collection, their non-profit status, and coppa Compliance in determining what your responsibilities will be. However, to simplify the “patchwork”, FPF has identified several threshold questions to help edtech companies assess compliance.

Do you process education records under a contract with the school/district?

According to the Family Educational Rights and Privacy Act (FERPA), “educational records” are records that directly relate to a student and that include any organization, institution, or organization acting by or on behalf of an educational institution or institution. A record maintained by a party representing a party. ” 34 CFR § 99.2. Currently, all states except California specifically exempt information subject to FERPA. This means that, except in California, education records processed by service providers under contract with schools are not subject to these laws. “Edtech companies need to comply with these laws when processing data,” said Chanda Marlowe, an associate at Loeb & Loeb. do not have Covered by FERPA. However, edtech companies are not required to comply when it comes to FERPA-regulated data they process on behalf of schools. ” Data not covered by FERPA may include records related to teachers and other school personnel. An important point to emphasize is that FERPA is enforced by the Department of Education and applies to schools. This means that edtech vendors cannot claim to be “FERPA compliant.”

In California, the CCPA and CPRA contain specific language that impacts edtech companies operating in schools. The CPRA exempts companies acting on behalf of local education agencies (LEAs) from complying with requests to remove student grades, educational test scores, and educational test results. This framework raises two fundamental challenges. First, include the following three categories: CPRA student data (grades, test scores, test results) means that all other student data held by companies on behalf of LEAs is subject to deletion requests, which may be unnecessary It could be interpreted as a request to delete student data. addressed by the listed categories. Additionally, the provision describes student data as data “held by a business on behalf of a local educational institution,” meaning that businesses that provide services to schools are considered “businesses” subject to the law. is implied.

Importantly, the CCPA’s coverage standards apply to commercial businesses with gross revenues of more than $25 million. Buy, sell, or share the personal information of at least 50,000 consumers for commercial purposes. or derives 50% of its annual revenue from the sale of consumers’ personal information. Therefore, edtech vendors in all areas of education, from K-12 to universities, may be subject to the requirements of the CCPA if they process student personal information on behalf of schools and meet the requirements listed above. . Additionally, the CCPA does not provide an exemption from FERPA, creating tension between the two laws for schools and education technology vendors that store students’ personal information.

TLDR answer: As of this blog’s publication, if you are only processing student education records under FERPA’s Official School Exception, you are exempt from compliance with all laws except California law (unless these thresholds are met). ).

Are you an educational technology provider that contracts with schools that are not covered by FERPA?

Private schools, parochial schools, and home schools not covered by FERPA accounted for approximately 15% of students as of May 2023, with 5.4% homeschooling, 9.6% attending private schools, and 85% attending private schools. % are enrolled in public schools. According to Home pulse survey Conducted by the Census Bureau. As home learning increases, washington post Please note that “”Fastest growing form of education in AmericaWith an estimated 1.9 million to 2.7 million home-schooled students in the U.S., edtech companies are working directly with home-schooled students to increase personal understanding, complement traditional education, and provide support for schools like microschools. We have strived to provide a tailored educational environment that focuses on reflecting trends. In general, companies that serve students in schools not covered by FERPA should consider each comprehensive consumer privacy bill, similar to how they consider individual obligations under state student privacy laws. The criteria should be evaluated to see if they apply.

TLDR answer: Consider your customer base and understand that FERPA does not apply to private school or homeschool student data.

Are you an edtech provider offering the same or similar services directly to consumers?

For companies that process education information under FERPA and market and sell products to students and parents outside of school, the analysis becomes more complex. This means that if you are a provider of the same or similar services directly to consumers, parents or students, you will be eligible for these services if your business meets the revenue and data processing standards set out in the respective legislation. This is because the law may apply. However, the extent of coverage remains unclear, as making this determination requires specific analysis that takes into account the requirements within each jurisdiction. This leaves open the possibility of excluding companies that act as service providers through the “school employee” status under FERPA, while allowing the same companies to collect data from the same students outside of the school context. Processing is subject to law.

TLDR answer: it depends.

FPF will continue to track comprehensive consumer privacy legislation in upcoming Congresses. Find us at FPF.org.