Yesterday, several big tech companies that offer educational and school services signed the “Student Privacy Pledge,” introduced by the Future of Privacy Forum (“FPF”) and The Software & Information Industry Association (“SIIA”) to safeguard student privacy as it relates to the collection, maintenance, and use of students’ personal information. Among the fourteen education tech companies representing the initial group to join SIIA and FPF in introducing the Pledge are Microsoft, Amplify, and Houghton Mifflin Harcourt. Notably, tech giants Google and Apple were absent from the list of signatories. As part of the Pledge, effective January 1, 2015, participating companies agree to the following commitments:
-
Not to collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student
-
Not sell student personal information
-
Not to use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of ads to students
-
Not to build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student
-
Not to make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not to make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements
-
Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student
-
Collect, use, share, and retain student personal information only for purposes for which companies are authorized by the educational institution, teacher, or the parent/student
-
Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information is collected and the purposes for which the information maintained is used or shared with third parties
-
Support access to and correction of students’ personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements, or directly, when the information is collected from the student with student/parent consent
-
Maintain a comprehensive security program reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information
-
Require that vendors with whom students’ personal information is shared in order to deliver the educational service are obligated to implement these same commitments
-
Allow a successor entity to maintain the students’ personal information, in the case of a merger or acquisition, provided the successor is subject to these same commitments for previously collected student personal information
According to the group, “The commitments are intended to detail ongoing industry practices that meet and go beyond all federal requirements and to encourage service providers to more clearly articulate these practices to further ensure confidence in how they handle student data.” Further, the Pledge applies to “all student personal information whether or not it is part of an ‘educational record’ as defined by federal law, and whether collected and controlled by the school but warehoused offsite by a service provider or collected directly through student use of a mobile app or website assigned by their teacher.”
Illustrating the present focus, both local and federal, on this particular area of privacy regulation, the Pledge comes just a week after California Governor Jerry Brown signed into law two bills restricting the ability of education tech companies, online sites, and mobile apps to collect and use personal information pertaining to K-12 students. Currently, a handful of other states have enacted similar student data privacy bills specifically concerning the practices of cloud-computing companies. On the federal side, this past May, Senators Ed Markey (D-MA) and Orrin Hatch (R-UT) introduced an amendment to the 40-year-old Family Educational Rights and Privacy Act (“FERPA”) called the “Protecting Student Privacy Act of 2014,” which would update FERPA to keep pace with education tech innovations, and the resulting abundance of student data, by strengthening protections for student data handled by private companies.