With education technology companies facing increasing pressure to protect students’ data privacy, a pair of organizations set out recently to help them—by staging a “boot camp” meant to cut through vendors’ confusion and make sense of shifting legal obligations.
The event, held last week in the nation’s capital, is expected to be the first of several such tutorials for ed-tech companies, according to the Future of Privacy Forum, which, along with the investment company Rethink Education, organized the two-day tutorial.
The boot camp drew about 40 companies, many of them startups or small- to medium-size businesses that aren’t likely to have their own lawyers on staff to advise them on how to navigate the legal terrain of student-data privacy.
The organizers closed most of the event to the press, and they would not release the names of the companies attending. They said they wanted to allow company officials to be free to ask questions of the speakers, and each other, without having their statements aired publicly.
Education technology companies are required to comply with a variety of laws and policies that address student-data-privacy issues—including two federal laws, the Family Educational Rights and Privacy Act, or FERPA, and the Children’s Online Privacy Protection Act, or COPPA. The Future of Privacy Forum, a think tank in Washington that advocates responsible data use, offers this advice to companies serving the K-12 market:
• Be careful about changing your privacy policies. Companies may need permission if the uses of data differ from what the policies originally stated. Under COPPA, for instance, material changes to policies may require specific notice and an obligation not to handle privacy differently from what was previously promised.
• If your service allows parents or teachers to sign up, make sure your policies are complete and clear. Enable parents to delete any data for children under age 13; don’t request a child’s precise location without parents’ consent. Be careful using free social-sharing widgets or free plug-ins, which may sell data to advertising networks and data companies or share data with third parties in violation of FERPA and COPPA.
• Be prepared to report and fix a potential data breach of your system. And use reasonable, standard industry practices for securing data up front.
• Be aware that different laws have different definitions of “personally identifiable information,” and restrictions on using it. If a company receives education records from schools, there can be different legal obligations based on whether the data are personally identifiable or are aggregated.
• Be aware of rights provided to students under FERPA. For instance, schools must provide parents (and students, under some circumstances) with the ability to inspect and review students’ education records within 45 days.
Jules Polonetsky, the executive director of the Future of Privacy Forum, a Washington-based organization that aims to help build more responsible data practices, said one of his group’s primary goals was to help K-12 vendors understand their legal and other obligations at the federal, state, and district levels—and how to address those demands during the conception of products, rather than after a problem occurs.
Legal Concerns Rising
K-12 organizations, such as the Consortium for School Networking, which represents school technology officers, and the Software & Information Industry Association, have also sought to provide clarity on various laws for their audiences.
In addition to the major federal laws that address student-data privacy—the Family Educational Rights and Privacy Act, or FERPA, and the Children’s Online Privacy Protection Act, or COPPA—more than 20 states have passed their own laws related to safeguarding student data over the past two years. Individual districts are also tailoring their own requirements for vendors.
“Privacy and contracting across thousands of school districts is getting very complex,” said Mr. Polonetsky, who served previously as New York City’s consumer-affairs commissioner and as AOL’s chief privacy officer.
To vendors, each district seems to have “a different checklist,” he added. “Good companies want to get it right, but it’s really hard to come up with different versions of your product, or negotiate different versions of contracts.”
The boot camp was held at the downtown Washington offices of 1776, a business incubator and seed fund that backs companies in education and other areas. It was co-sponsored by Rethink Education, a White Plains, N.Y.-based venture capital firm that invests in educational technology.
The setting was designed to be informal: On the opening day of the event, Mr. Polonetsky and other organizers sported “FERPA sherpa” T-shirts, an allusion to their efforts to guide companies through challenging terrain.
Attendees heard from speakers such as Terrell McSweeny, a member of the Federal Trade Commission; representatives of individual school districts; lawyers who study data-privacy law; and privacy- and industry-advocacy groups.
In comments to attendees at the beginning of the boot camp, Ms. McSweeny said she was aware of the potentially “incredible benefits” that innovative tools for using data can bring to schools, even as the FTC—which seeks to protect consumers on privacy and other issues—is determined to make sure K-12 companies follow the law.
Companies’ worries about the legal landscape were evident in an opening question-and-answer session, when a business official told Ms. McSweeny that concerns about data privacy can potentially scuttle fledgling education vendors’ ability to raise capital.
“How do you figure out how to regulate with the lightest possible touch?” the company official asked.
Ms. McSweeny responded that the FTC’s duty is to enforce the law—it can fine providers it deems to have committed violations—but that its staff also strives to answer individual companies’ detailed questions about how to interpret COPPA, and how it applies to their business practices.
She also urged companies to embrace “privacy by design.” They should make efforts to notify parents about how information is used, and to be transparent about privacy practices, as part of their product development, she said, rather than cobble together a policy for a district after the fact.
When companies take that step, “at the very least, one advantage is your technology matches what your privacy policy says,” Ms. McSweeny said in an interview after the session. “It’s been those disconnects that can result in liability” problems for businesses, she said, when they fail to do so.
When companies are proactive in addressing privacy, “it actually generates, in and of itself, new innovation,” Ms. McSweeny added, and “changes to the product that are very marketable and interesting.”
As it is, figuring out what is required by FERPA, COPPA, myriad state laws, and individual district policies has involved considerable “detective work,” particularly for up-and-coming ed-tech companies, said one boot-camp attendee, Karina Linch. She is the senior vice president of product management for BrainPOP, a New York City-based company that creates digital learning games and other academic content.
That’s the case even for BrainPOP, which has its own legal counsel and does business with schools in all 50 states, Ms. Linch said.
When it comes to districts’ privacy policies, she said, “we get a lot of very, very different requests, that sometimes conflict with each other.”
Widespread Confusion
The company has sought to bake privacy policy into the development of products so that schools and districts can either subscribe to the company’s services without sharing any student data or enable usage to keep track of individual student learning, Ms. Linch said. Creating those options requires much more work for BrainPOP on the development end, she said, but the company believes it appeals to parents and districts.
Mr. Polonetsky hears particular frustration among vendors about cases in which FERPA and COPPA may overlap, and how companies sometimes have trouble deciphering which law governs their various practices. COPPA is designed to give parents control over what information is collected from their children. FERPA is meant to protect the privacy of students’ education records, and generally applies to schools that receive funds from the U.S. Department of Education.
But confusion is widespread. Decisions about whether FERPA or COPPA applies can hinge on whether schools are creating online student accounts and have contracts with vendors, or if teachers provide permission and enable students to create accounts, Mr. Polonetsky noted.
Federal lawmakers, meanwhile, have been drafting legislation meant to update and broaden student-data-privacy policies, in a way that could pre-empt the various laws being enacted by individual states.
The confusion, of course, doesn’t just flow one way. Mr. Polonetsky said the flurry of local privacy policies reflects K-12 officials’ desire to make their protections as broad as possible, to account for the fast-evolving and often-bewildering set of apps, tools, and cloud-based systems being marketed to them.
Districts are “going through their checklist, and they’re saying to companies, ‘Why can’t I tell if you meet [our data-privacy requirements] or not? Here are the things I need to know,’ ” Mr. Polonetsky said. “There’s been complexity on both sides that’s made it hard for good-meaning schools and good-meaning companies to have a meeting of the minds.”