School’s in Session for the Ed Tech Industry: California AG Gives Lessons on Student Data Safeguards
On Wednesday, California’s Attorney General released a report with recommendations for the education technology (“Ed Tech”) industry, a multi-billion dollar industry that is transforming learning as we know it. The Ed Tech industry has the potential to greatly enhance the student learning experience through data management systems and tools that support educators and provide personalized curricula and adaptive learning for students. However, these systems and tools (such as cloud services), create added risks and challenges when it comes to safeguarding student personal information and respecting the privacy rights of students.
Working in conjunction with several stakeholders, including Ed Tech providers, the Attorney General’s Privacy Enforcement and Protection Unit issued the following six recommendations, which are specific to website operators and online service providers that primarily target or market services for K-12 school purposes:
- Data Collection and Retention: Only collect the types and categories of information necessary to accomplish the objectives of the Ed Tech service as outlined by the educational institution with whom you contract. Be transparent with students and describe data collection and data use practices, as well as data retention policies.
- Data Use: Do not use any information acquired from your site or service for profiling students and/or targeted advertising.
- Data Disclosure: Notify students of third party disclosures of covered information; specifically, the types of entities that receive covered information and the purpose for the disclosure. Apply the appropriate safeguards to protect covered information when sharing information with third parties.
- Individual Control: Implement policies and procedures to permit student access and correction of covered information.
- Data Security: Implement and maintain reasonable safeguards and practices to protect student information, including employee privacy and security training. Have an actionable plan in place for data breach incidents.