There are a number of state student privacy laws of which schools and technology companies whose programs and services are being used for educational purposes during the Coronavirus pandemic should be aware.
For example, a number of states have student online personal information protection acts (SOPIPAs) which prohibit website, online/cloud service, and application vendors from sharing student data and using that data for targeted advertising on students for a non-educational purpose. See, e.g., Arizona (SB 1314), Arkansas (HB 1961), California (SB 1177), Colorado (HB 1294), Connecticut (HB 5469), Delaware (see DE SB79 and SB 208), District of Columbia (B21-0578), Georgia (SB 89), Hawaii (SB 2607), Illinois (SB 1796), Iowa (HF 2354), Kansas (HB 2008), Maine (LD454/SP 183), Maryland (HB 298), Michigan (SB 510), Nebraska (LB 512), Nevada (SB 463), New Hampshire (HB 520), North Carolina (HB 632), Oregon (SB 187), Tennessee (HB 1931/SB 1900), Texas (HB 2087), Utah (HB 358), Virginia (HB 1612), and Washington (SB 5419/HB 1495). Companies whose websites, online/cloud services, or applications are now – in view of the pandemic and remote learning situation – being used by K-12 students should make themselves aware of and compliant with these laws.
A number of states also have statutes regulating contracts between education institutions and third parties, including lists of required provisions. See, e.g., California (AB 1584), Connecticut (Conn HB 5469 (Connecticut’s SOPIPA statute)), Colorado (HB 1423), Louisiana (HB 1076) and Utah (SB 207). It is important that parties that rushed into remote learning situations, and relationships with third parties to make remote learning possible, review their contracts to ensure compliance with these statutes.
We discuss both of the aforementioned types of statutes below.
SOPIPA statutes, such as California SB 1177, apply to website, online/cloud service, and application vendors with actual knowledge that their site/service/application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. The statutes (1) prohibit the website, online/cloud service, and application operators (hereinafter “Operators”) from sharing covered information; (2) require the Operators to protect covered information (i.e., secure storage and transmission); and (3) require the Operators to delete covered information upon the school district’s request. “Covered information” is defined broadly in SOPIPA statutes, such as California SB 1177, to include any information or materials (1) provided by the student or the student’s guardian, in the course of the student’s or guardian’s use of the site or application; (2) created or provided by an employee or agent of the educational institution; or (3) gathered by the site or application that is descriptive of a student or otherwise identifies a student. Therefore, the scope of “covered information” under the SOPIPA statutes is much broader than the scope of protected information under FERPA.
It is unclear if an Operator that was in existence before the coronavirus pandemic but not used for K-12 school purposes, such as WhatsApp, but is being used for K-12 school purposes now (in view of the pandemic), would need to comply with SOPIPA statutes. An argument could be made that such operators are not used “primarily” for K-12 school purposes, and the website/service/application was not “designed and marketed” for K-12 school purposes. But the meaning of terms like “primarily,” “designed,” and “marketed” is vague. And further, to the extent such applications are being used “primarily” for education purposes now, and are being technologically tweaked and marketed for educational purposes now, the argument that SOPIPA does not apply gets weaker. Thus, it is in companies’ best interest – if they know their website/service/application is being used by K-12 students in view of remote learning situations and the pandemic – to comply with SOPIPA statutes.
Statutes Regarding Contracts with Education Agencies/School Districts/Schools
Another set of state statutes that Operators whose products are suddenly being used for educational/remote learning purposes should be aware of are statutes governing contracts with education agencies, school districts, schools, etc. California AB 1584 is an example of such a statute, which governs contracts that “local education agencies” or LEAs (defined as including “school districts, county offices of education, and charter schools”) enter into with third parties, including digital storage services and digital education software.
Under California AB 1584, an LEA that enters into a contract with a third party for purposes of providing digital storage/management of records (e.g., cloud-based services) or digital education software must ensure the contract contains, inter alia:
- a statement that pupil records continue to be the property of and under the control of the LEA;
- a prohibition against the third party using personally identifiable information in individual pupil records for commercial or advertising purposes;
- a prohibition against the third party using any information in the pupil record for any purpose other than for the requirements of the contract;
- a description of the procedures by which a parent/guardian/the pupil may review the pupil’s records and correct erroneous information;
- a description of the third party’s actions to ensure the security of pupil records;
- a description of the procedures for notification in the event of unauthorized disclosure;
- a certification that the pupil’s records shall not be retained or available to the third party upon completion of the terms of the contract;
- a description of how the LEA and third party will jointly ensure compliance with FERPA and COPPA; and
- a provision providing that a contract that fails to comply with the aforementioned requirements shall be voidable and all pupil records in the third party’s possession shall be returned to the LEA.
Under California AB 1584, “personally identifiable information” is defined as “information that may be used on its own or with other information to identify an individual pupil” and “pupil records” is defined as both (i) any information directly related to a pupil that is maintained by the LEA, and (ii) any information acquired directly from the pupil through the use of instructional software or applications assigned to the pupil by a teacher or other LEA employee.
Other states, including at least Connecticut (Conn HB 5469), Colorado (HB 1423), Louisiana (HB 1076) and Utah (SB 207), have similar laws regulating contracts with third-party vendors and operators of websites and applications who utilize student information, records, and student-generated content.
In view of these statutes, schools/school districts, and companies that provide (i) storage services, (ii) records management services, and/or (iii) software that is/are now being used for educational purposes should review their contracts to ensure that they contain the required provisions. Additionally, companies that provide (i) storage services, (ii) records management services, and/or (iii) software that is/are now being used for educational purposes should review their practices to ensure compliance.