In 2014, 36 states introduced 110 student data privacy bills and 21 states passed new student data privacy laws. The final numbers for 2015 are now in, and the pace is largely unchanged. In fact, according to numerous reports, legislatures in 46 states (all but Nebraska, Pennsylvania, Vermont, and Wisconsin) considered student data privacy bills this year (182 bills in total).
Nearly half of the legislatures considered bills based, at least in part, on the California Student Online Personal Information Protection Act (SOPIPA) which essentially established a national student data privacy standard for ed tech companies operating in the K-12 space when it was passed last fall. SOPIPA becomes effective in January 2016.
Fifteen states passed student data privacy bills and quite a few (including Georgia, Maryland, Oregon, and Washington) passed comprehensive bills based on the California law. Notably, however, it appears that legislatures are listening to the concerns of the ed tech industry that were raised in the wake of SOPIPA. The laws that were passed in 2015 tended to address some of the major concerns companies have had about the workability of SOPIPA. For example, SOPIPA was unclear or ambiguous about many critical issues such as what services are covered, obtaining parent consent, and how the law will be enforced. While some advocacy groups have been critical of what they see as a watering down of SOPIPA, many of the laws passed this year provide more certainty and clarity for the companies subject to them (for example, limiting the covered entities to those with contracts with a school or district, as the Maryland law does). This debate will continue as more states consider these bills. Provisions that create certainty for an ed tech company can also be seen as creating a loophole in the view of a parent or advocacy group (as well as schools).
Another interesting development was in Nevada where a new student data privacy law requires school districts to develop policies regarding the use of ed tech products by individual teachers. Such policies could restrict or limit the ability of teachers to use products that do not meet certain data privacy standards as well as the use of “freemium” products (those that are free for basic services, but charge for premium services) under certain conditions. District initiatives to establish internal policies regarding the use of third party technologies in the classroom are becoming increasingly common.
The pace of these changes—and the intricacies of the differences between various state requirements—requires both schools and ed tech companies to reconsider student data privacy as a priority.
Practice tips
For ed tech companies
- Ensure that your product and practices conform to the student data privacy laws of the states where you operate and continue to monitor the changing landscape. This is critical when companies are first starting out. Few things are as damaging as finding out down the road that schools in California (or any state) are prohibited from using your product or service.
- Keep your privacy policy and terms of service updated to match your current practice. These documents form the agreement between you and your client (including on issues such as liability and dispute resolution). Don’t limit your ability to enforce those policies.
- Consider your contractual and marketing practices in light of the importance schools (and parents) are placing on student data privacy.
For schools (K-12 and postsecondary)
- Establish an internal student data privacy policy and procedure that is aligned with the relevant state laws.
- Develop a procedure for assessing (and keeping track of) the technologies and products that are being used in your classrooms and have a process for ensuring compliance with your internal policy.
- Review your contractual arrangements with third parties for compliance with federal and state student privacy laws.