Using iPads Before Riding Bikes – Privacy Tech Essentials for EdTech Companies

Considering children learn to use iPads before they ride a bike—ninety-two percent of U.S. children have an online presence before they turn two years old—parents and lawmakers have started paying closer attention to the impact of digital technologies on children.

Do not get ambushed by a lack of student and child data protections or you could see significant fines, like Google and YouTube’s $170 million COPPA violation.

What is EdTech?

As we continue to march through the 21st century, education technologies (EdTech) are taking over schooling and education globally. EdTech is software, hardware, and technological processes built to promote learning; EdTech companies such as Byju’s provide technology for functions including homework help lines, individualized education modules, research tools, and online testing services.

Children’s Privacy

Accelerated by the COVID-19 pandemic, remote learning is becoming the new norm of our educational landscape. In reaction to an uptick in children’s online use, concerns about the appropriate collection and use of students’ and children’s data are surfacing.

Recently, there has been an “explosion of interest” in children’s privacy. In January 2022, two U.S. senators wrote to the Children’s Online Privacy Protection Act (COPPA) Safe Harbor programs to probe whether they were actually fulfilling their legal obligations to give greater protections for children. Globally, India has proposed changes to processing children’s personal data, the United Kingdom passed the Age Appropriate Design Code in September 2021 to establish a new approach to regulating children under current EU privacy laws, and disgruntled Singapore students started a petition protesting the mandatory installation of a Ministry of Education device management application. As the temperature rises around children’s privacy, it is imperative for EdTech companies to prioritize children and student data safety.

Risks of EdTech Platforms

· Not showing age-appropriate advertisements

· Using a targeted ad model on children

· Child dependence on platforms using age-appropriate filtering

5 Steps EdTech Companies Can Utilize to Protect Children and Student Data

(1) Know Your Data—Discover, Identify, Inventory, and Map

EdTech companies need to be aware of what kinds of data they have stored and where it is being kept. This can be done by performing a data protection impact assessment. The information from the assessment will put the company’s finger on the pulse of its data so it can access the data as needed. By knowing what data is on hand, a company can specifically inventory children’s data to make sure it is treated sensitively.

(2) Know Your Applicable Regulatory Obligations

Do not use student or child data for commercial purposes. Delete non-essential student data to reduce the amount of student PII on hand. Minimizing and deleting student data will protect an EdTech company from noncompliance with privacy laws. More about compliance and privacy laws can be found below.

(3) Minimize the Data Collection

Once the data is discovered, identified, inventoried, and mapped, it can be minimized by choosing what nonessential data can be deleted. Practicing data minimization can help companies reduce the risk of data loss and liability in case of a breach and save on operating expenses such as data storage. You can learn more about data minimization here.

(4) Responsibilities and Duties

EdTech companies are responsible for providing a school with full notice of its collection, use, and disclosure practices of students’ data, as if it were providing the information to a parent. Additionally, EdTech companies should be diligent and respectful of the contractual limitations set by the school, state education agencies, and local education agencies. Information about privacy technical assistance from the Department of Education can be found here.

(5) Implement Privacy by Design

Design systems proactively with children’s privacy in mind. This means enabling privacy by default and end-to-end security and keeping systems user-centric. More information about privacy by design can be found here.

Applicable Global Privacy Laws for EdTech Companies

COPPA

· COPPA regulates data collection practices of commercial websites or applications directed at children 13 years old and younger in the United States and protects PII data that can be used to track the child.

· Typically, third-party website operators who knowingly collect information from children must receive parental consent; however, if a school has contracted with an EdTech company to collect PII from students for the use and benefit of the school, and for no other commercial purpose, the school can give consent to EdTech companies to use the students’ PII in an educational context.

· EdTech companies can also use the Children’s Advertising Review Unit as a resource to protect children online. For more information, you can visit the Federal Trade Commission’s website here.

Federal Educational Rights and Privacy Act (FERPA)

· FERPA protects students’ privacy by regulating policies relating to educational records, giving parents and students the right to access educational records, request changes or updates to educational records, and restrict disclosure of educational records.

· Educational institutions may disclose education records or PII to EdTech companies without consent from students or parents provided the company falls under the “school official” exception.

· You can find more information about COPPA and FERPA here.

Protection of Pupil Rights (PPRA)

· The PPRA governs administration of surveys, analysis, and evaluations that cover political affiliations, mental problems, sexual behavior, illegal and frowned upon behavior, and more.

· EdTech companies need to pay attention to the PPRA when distributing marketing surveys to make sure they are not inquiring about a protected subject. For more information on the PPRA, click here.

Individuals with Disabilities Act (IDEA)

· IDEA offers protections similar to FERPA’s but covers students with disabilities. IDEA requires EdTech companies to protect the confidentiality of PII during the collection, maintenance, use, storage, disclosure, and destruction of data.

· A complete comparison between FERPA and IDEA can be found here.

Student Online Personal Information Protection Act (SOPIPA)

· SOPIPA is a California law but has been used as a model by many other states.

· SOPIPA explicitly applies to EdTech companies by forbidding use of student data for sale, targeted ads, or commercial profiles when the company knows their site, service, or application was designed, marketed, and primarily used for K-12 school purposes.

· An EdTech company using best privacy practices should comply with SOPIPA, even if it is not law in the company’s state.

· To learn more about complying with SOPIPA, click here.

India’s Data Protection Bill (DPB)

· Requires EdTech companies to register with the DPA and to process the PII of children in a manner that protects the rights, and is in the best interest, of the child (Clause 16).

· You can find a guide to the DPB here.

Singapore’s Personal Protection Data Act (PDPA)

· Though no regulations in Singapore are specifically geared toward EdTech, EdTech companies still need to generally comply with the PDPA.

· A guide to the PDPA can be found here. Similarly,

General Data Protection Regulation (GDPR)

· EdTech companies need to comply with the EU’s GDPR and laws regarding children, which could completely ban targeted ads to children.

· You can learn more about the GDPR’s child privacy regulations here.

By using the steps above and understanding privacy laws, EdTech companies will adequately protect both themselves against noncompliance and the students who use their platforms.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/ and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.