With the shelter-in-place orders imposed by the local and state governments, businesses are scrambling to transition to a virtual workforce and to enable employees to work remotely from home. Educational institutions are no exception. School administrators and teachers have been working hard to create and implement plans to educate students at home, including maintaining a classroom curriculum through online platforms and incorporating daily or weekly interactions with the teacher and classmates through video chat or remote conferencing services.
Amidst the rapid changes caused by COVID-19, and attempts to deal with such a fluid environment, it may be easy to overlook applicable privacy laws. While some regulations have been suspended or modified to alleviate the pressures from the pandemic, federal and state privacy laws have not been relaxed. As one may recall, the California Consumer Privacy Act (CCPA) became effective this year on January 1, an almost distant memory now given the current world events. We continue to wait for finalization of the CCPA regulations and enforcement beginning on July 1, 2020, or six months after the publication of the final regulations, whichever is sooner.
The CCPA governs the collection, disclosure, and sale of personal information, and compliance with the statute centers on proper notice and security. The CCPA requires disclosure before data collection. On the federal side, the Children’s Online Privacy Protection Act (COPPA) requires verified parental consent before collecting information from children under the age of 13 online. If you are selling information collected from children under the very broad definition under the CCPA, the CCPA imposes a new obligation to obtain opt-in consent from the child before his or her information is sold. With more dependency on technology services now than ever, schools and their technology vendors should align their compliance plans for their student population, even if the privacy laws may not apply directly to the schools themselves.
Because the CCPA does not apply to nonprofits, and an organization falls within the regulation only if it has a revenue of $25 million or more annually, holds the data of 50,000 or more “Residents,” or makes half its revenue or more from the sales of personal data, many schools will avoid the CCPA. However, there will be larger private schools that may trigger the regulations, especially since the CCPA does not offer clear guidance on how to determine whether a business is indeed for “profit” or not.
Likewise, COPPA generally does not apply directly to state government agencies, schools, or nonprofits but rather aims to govern operators of commercial websites, online services, and mobile apps that are directed at children under 13 and “collect, use, or disclose personal information” from those children, and operators of websites and online services that are for a general audience but have “actual knowledge” that they are collecting, using, or disclosing personal information from children under 13. However, as the technology wave has moved into the classroom, and is more heavily relied upon, schools cannot ignore these regulations. This is more so because the Federal Trade Commission (FTC), which enforces COPPA, has said that schools can, in many situations, stand in for parents and give consent on behalf of parents to allow the vendors to collect information from students.
According to the FTC, schools can grant consent on behalf of parents only when the operator of the website, online service, or app in question is providing a service that is “solely for the benefit of students and the school system” and is specific to “the educational context.” If the app or service is not only for education—for example, if any information collected from children under 13 is to be used or shared for commercial purposes unrelated to education—the operator and/or the school clearly has to get verifiable consent directly from parents. However, this determination is often not easy to make. In addition, if schools are not allowed to review information collected on students or request that student info be deleted, parental consent will be needed, as well.
In view of the above considerations, regardless of whether these privacy laws apply to an educational institution or not, all should take an interest in the regulations and ensure their technology vendors are in compliance, especially when rolling out remote learning. This is especially so where virtual classroom instruction is taking place with interactive student participation through videoconferencing and sessions are recorded for those who could not participate and posted online. This scenario could trigger COPPA issues because the video information about the child could be considered to be “collected” via the video.
Best practices include, but are not limited to:
- understanding what data will be collected by the vendor and how the data will be used to help determine whether the app or service is solely for educational purposes or whether parental consent will need to be obtained;
- if parental consent is needed, consulting with legal counsel as to how best to secure the consent—whether a one-time consent listing all applicable apps and/or services suffices or whether separate consents need to be secured for each specific app or service;
- conducting due diligence on the technology vendors to make sure the vendors’ privacy policies provide the necessary disclosures; and
- ensuring contracts with the vendors obligate the vendors to comply with all applicable privacy laws and to implement security measures to protect their app or service and collected data against cyber threats with technical controls, risk assessments, and a remediation plan.
While extenuating circumstances may forgive some loose compliance with privacy laws, following best practices to comply with the laws is still the best prophylactic.