State Student Privacy Laws: A Game-Changer for Service Providers

Student data privacy legislation has been on a tear recently. At the state level, according to the Data Quality Campaign, this year 47 states have introduced 186 bills addressing student data privacy, and 15 states passed 28 new student data privacy laws. Much of this state legislation is modeled on California’s landmark Student Online Personal Information Protection Act (SOPIPA), which goes into effect on January 1, 2016. At the federal level, both the Senate and the House have responded to President Barack Obama’s call for enhancing student data safeguards under the Family Educational Rights and Privacy Act (FERPA) with new legislative proposals. If there’s one privacy goal that commands widespread political support, it’s the protection of student data.

But protection from what?

The chief target of this legislative flurry appears to be the online educational services industry. In particular, the new state legislation aims at blocking Internet service providers to schools from using the student data they collect for commercial purposes, such as targeted advertising or creating student profiles (except for school purposes). California’s SOPIPA, for instance, is directed at “operators,” which is defined to include any online service or application, or any mobile application, used primarily by K-12 schools and designed or marketed for that purpose.  

This targeting of the edtech services industry by state legislatures represents a sea change from the compliance structure of FERPA, which was enacted in 1974—seemingly light-years before the advent of online services, behavioral advertising and Big Data analytics. To understand that sea change, an overview of how FERPA currently applies to service providers will be helpful.

FERPA and service providers

FERPA puts the primary compliance burden on schools themselves. FERPA’s message to schools is: protect student data from disclosure unless you have the consent of the parent or eligible student, with limited exceptions, or risk losing your federal funding. 

One of those exceptions is disclosure to school officials (including teachers) who have “legitimate educational interests,” in which case prior consent of the parent or student isn’t required. A contractor providing outsourced services to a school is treated as a school official if it is (1) performing services for which the school would otherwise use employees, (2) is under the direct control of the school with respect to the use and maintenance of student data, and (3) agrees to abide by FERPA regulations governing use and redisclosure of student data. Most ed-tech service providers fall neatly within this school official exception.

Once the service provider is in possession of student data, use of that data is permitted only for the purposes for which the disclosure was made—namely, to provide educational services to the school. Redisclosure of the student data is allowed only with the prior consent of the parent or eligible student. However, if the student data is properly de-identified, it is not FERPA protected and consequently is not subject to FERPA’s use and re-disclosure limitations.

De-identification of student information is addressed in § 99.31(b) of the FERPA regulations, which states that a school (or a school official) may release education records or information without obtaining the consents otherwise required under FERPA “after the removal of all personally identifiable information provided that the educational agency or institution or other party has made a reasonable determination that a student’s identity is not personally identifiable, whether through single or multiple releases and taking into account other reasonably available information.”

When the FERPA regulations were updated in 2008, there was an intense debate over how to define de-identified data. In particular, some commenters expressed concern that de-identified data could be re-identified and requested that the Department of Education set objective standards for de-identification. In the end, the regulations adopted a “reasonableness” standard to allow flexibility in approaches to de-identification.

Once a service provider de-identifies student data, there are no FERPA restrictions on its use. In its 2014 publication “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices,” the Privacy Technical Assistance Center, a Department of Education resource, noted that a service provider can use de-identified information, for instance, “to develop new personalized learning products and services.” This right to exploit de-identified student data has been a boon to service providers seeking to reap additional value from data collected from school clients.

The new state laws and service providers 

Prospects for federal student privacy legislation that amends or supplements FERPA are uncertain, but as noted, new state laws are rapidly coming into force. So how will things be different under SOPIPA and its state legislative kin?

• Direct liability for violations Under FERPA, schools are primarily responsible for compliance, with service providers only liable for breaching the FERPA flow-down provisions in their school contracts. Under the new state laws, service providers will be directly liable if they fail to meet their legal compliance obligations.
• Uncertain enforcement prospects. As spending clause legislation, FERPA’s primary enforcement mechanism is the withholding of funds from a violating institution or education program.  In practice, the Department of Education works with educational programs accused of FERPA violations to achieve voluntary compliance rather than actually withholding funds. Under the new state laws, it remains to be seen how vigorous enforcement will be. But states such as California have made privacy enforcement a priority, and some state legislation lays out specific fines for violations as well as allowing private rights of action.
• No carte blanche to use de-identified data. Under FERPA, what constitutes de-identified student data has always been murky; but once achieved, the FERPA restrictions no longer apply. Under the new state laws, that’s not necessarily the case. SOPIPA, for instance, only explicitly allows use of de-identified data (1) to improve the service provider’s educational products and (2) to demonstrate the effectiveness of the service provider’s products or services. In addition, aggregated de-identified student data may be used for the development and improvement of educational sites, services or applications. While this scope of use might be sufficient for many service providers, it may well preclude, for example, marketing the data analysis performed on de-identified data as a stand-alone product.
• Multiple and potentially conflicting laws to contend with. If an ed-tech company is offering its services nationwide, if not globally, it can’t afford to ignore any particular state’s student privacy requirements, since those requirements will apply to all data collected from students in that state. The only solution may be to put in place a privacy compliance program that’s compatible with the most stringent state law requirements and hope that no irreconcilable conflicts between state obligations arise.    
• New security requirements. FERPA imposes restrictions on student data disclosures, but doesn’t dictate any specific security controls.  Given the recent epidemic of data breaches, it’s no surprise that many of the new state student privacy laws put a heavy emphasis on security as well as privacy.  For instance, Delaware’s recently enacted student data privacy law requires compliance with the state’s Department of Technology and Information’s Cloud and Offsite Hosting Policy and mandates inclusion of terms and conditions specified in a related cloud hosting template. 

One potentially saving grace of the new state laws, from the service provider’s perspective, is that the scope is usually limited to K-12 schools, unlike FERPA, which extends to all federally funded educational institutions.

Preparing for the future

Ed-tech service providers must prepare for a future in which multiple state student data privacy laws may govern their service offerings, depending upon the services’ geographic scope. A few steps that every ed-tech company should take

• Familiarize yourself with the new state privacy laws and determine whether they apply to your services.
• Take a fresh look at your privacy policy and terms of service and decide what revisions are necessary to comply with applicable state requirements.
• Confirm that your security protocols meet state standards.
• Consider revising your marketing materials to emphasize (i) your awareness of privacy/security legal requirements and (ii) your commitment to compliance Ensure that your consultants and subcontractors with access to student data are contractually committed to legal compliance (and will indemnify you for any breaches).

With the student data privacy goal posts constantly shifting, achieving compliance will be a challenge. Ed-tech companies that manage this feat will have a serious competitive advantage when marketing their services to schools and teachers.