Compliance

The Continuous Evolution of Student Privacy Laws

Learn how the work of third-party vendors who farm student data affected student privacy protection laws, and why EdTech should always be privacy-first.

September 6, 2018

In the United States, laws like the Family Educational Rights and Privacy Act seek to protect students' privacy against third-party entities that look to farm their data and profit from it. Even though these regulations exist and continue to evolve, software vendors need to take on their role as protectors.


FERPA, the core national legislation

The Family Educational Rights and Privacy Act (FERPA) provides a national policy for protecting the privacy of students’ educational records. Enacted in 1974, FERPA applies to all schools – including K-12, colleges, and universities – if they receive funding from the U.S. Department of Education.


FERPA grants parents access to their children’s school records, the right to have that data changed, and some control over the sharing of their children’s data. Once a student turns 18, FERPA transfers these privacy rights to the student.

However, FERPA's reach is neither vast nor up to date. Plus, controversies like InBloom's case back in 2012 and Google's non-disclosed data mining continue to appear. Thus, states and concerned organizations turned their efforts to local laws that further regulate and patch FERPA's flaws.

inBloom, the last straw for parents

While FERPA is America’s blanket student privacy law, almost every state has also enacted laws of its own. Most of these laws have appeared since 2012, in response to the Gates Foundation-sponsored initiative InBloom. This was a large student database designed to share student data in nine states with data-mining operations and third-party vendors without parental notification or consent.

By April 2014, all nine of the states that had agreed to partner with InBloom had publicly opted out of the program, and InBloom officially closed its doors. Realizing that the current law did little to protect their children’s data privacy, the advocacy group Parent Coalition for Student Privacy was formed in July of that year. It continues to fight to defend the rights of parents to protect their children’s data.

Figure: Privacy laws by state. After inBloom's scandal, most states started to continuously update their local privacy laws (Source: ferpasherpa.org)

Since 2014, this fight has intensified as the EdTech industry has crept deeper and deeper into the country’s educational systems. The public watchdog organization FERPA/Sherpa maintains an online map and accompanying grid of state-by-state student privacy laws. A visit can help zero in on the key issues surrounding student data privacy.

California and Connecticut's student privacy laws

Let’s take a look at Connecticut and California to better understand how student data protection laws work.

Connecticut recently enacted Public Act 18-125: An Act Concerning Revisions to the Student Privacy Act, which updates a 2016 student privacy law. This edition provided student data protection policies for websites, online services, and mobile apps as well as educational consultants dealing with school districts.

As of July 1, 2018, boards of education must have written contracts with their contractors that include very explicit rules governing the sharing of student data. Among other provisions, the law also stipulates that boards of education maintain public websites that describe all of their student data privacy contracts.

Another state with a strict student privacy law is California. Passed in 2014 and in effect since January 2016, California's Student Online Personal Information Protection Act (SOPIPA) recognizes the increasing role of technology in education and seeks to protect students from being exploited by “operators”.

These range from educational websites, online services and online applications to mobile applications; thus the California law protects K-12 student information from any business that collects, stores or uses student data.

Prey's experience embracing this legislation

Businesses that do side deals with student data are probably going to see these regulations as a barrier, but they are to be taken as an opportunity to improve their services.

Transparency and flexibility are two key concepts software vendors must embrace to ensure the peace of mind of both schools and parents regarding their students’ privacy.

As the law requires, vendors have to offer business models that specify the end game for all data collected. It's an understandable step that, in the era of the demise of privacy, is much needed to rebuild trust and ensure people exercise their rights over their personal data properly.

At Prey, we have strong ties with schools, whose device fleets we help secure, and we have learned several lessons along the way. Here are a few tips on how to provide peace of mind to both parents and IT managers at schools with your software.

• Opt-out Features: Our software allows school districts and parents to manage their students' data privacy. Depending upon state and local rules, IT staff can disable features like the Location History and pictures on Missing Device Evidence Reports to prioritize the endpoint user's privacy. What's more, if required, personal access can be provided for parents to administer the platform.

• Embracing Personal Rights: We stay abreast of regulatory changes and adapt and update our privacy policy to ensure that the privacy of all our customers is protected. In May 2018, the European Union enacted its General Data Protection Regulation (GDPR), which gives individuals power over their own data. As an international company with a large European customer base, Prey adopted GDPR and is fully compliant. Even if optional for US establishments, it's a comprehensive way of solving most concerns since it covers personal rights over data, transparency in data handling, storage, and delivery.

• Transparency in Code: As an open-source company, Prey publishes its code for public review. The repository displays our software's client code, and parents, schools, and third parties alike can rest assured that the solution does not contain any hidden capabilities that might infringe on student privacy.

Takeaway

Working with and for schools, aside from being an endeavor, is a matter of responsibility and respect. Nurture this partnership with trust and work together to build a safe tool for their educational environment.

Due to the nature and sensitivity of our product, we have always had a great focus on solving privacy concerns immediately. However, as inBloom's case proved, any third-party vendor can be the subject of privacy violations if not properly regulated. It's a matter that any software that interacts with a user's information in any way has to keep in mind and prioritize.
