What should edtech companies know about consumer privacy laws?
As states continue to pass new consumer privacy laws, edtech companies may be left wondering what their compliance obligations are under these varying frameworks. Taken together, these laws create a “patchwork” of different standards. In the upcoming legislative season, this patchwork may continue to grow more complicated. This chart, which compares current state privacy laws, provides links to each of the consumer privacy laws that are part of this patchwork. Because these laws often are not passed with edtech and the unique school setting in mind, making sense of the patchwork may be challenging. It is critical to understand what questions to keep in mind when assessing edtech vendor compliance. Edtech companies may want to consider the nature of their relationship with schools and consumers, revenue thresholds, the extent of data processing and collection, nonprofit status, and COPPA compliance when determining what their responsibility will be. However, to simplify the “patchwork”, FPF has identified some threshold questions for edtech companies to help assess their compliance.
Are you processing education records under contract with schools/districts?
According to the Family Educational Rights and Privacy Act (FERPA), “Education records” are records that are directly related to a student and that are maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution.” 34 CFR § 99.2. Currently, every state except for California specifically exempts information covered under FERPA. This means that, with the exception of California,education records processed by service providers under contract with schools would not be subject to these laws. As Loeb & Loeb Associate Chanda Marlowe notes, “edtech companies would need to comply with these laws if they are processing any data not covered by FERPA. However, edtech companies would not have to comply when it comes to data regulated by FERPA that they are processing on behalf of a school.” Data not covered by FERPA may include records that relate to teachers and other school staff. An important piece to highlight is that FERPA is enforced by the Department of Education and applies to schools, meaning edtech vendors may not make any claims of being “FERPA compliant”.
In California, the CCPA and CPRA contain specific language that impacts edtech companies working in schools. The CPRA exempts businesses working on behalf of a local educational agency (LEA) from complying with a deletion request for a student’s grades, educational test scores, and educational test results.This framework introduces two fundamental challenges: First, the inclusion of three categories of student data—grades, test scores, and test results—in the CPRA implies all other student data held by a business on behalf of an LEA is subject to a deletion request, which could be interpreted as requiring the deletion of student data that is not addressed by the listed categories. Additionally, the provision’s description of student data as data “that the business holds on behalf of a local educational agency,” implies companies that provide services to schools are considered “businesses” subject to the law.
Importantly, the CCPA’s coverage threshold applies to for-profit businesses that have gross revenue exceeding $25 million; buy, sell, or share the personal information of at least 50,000 consumers for commercial purposes; or derive 50% of its annual revenue from selling consumers’ personal information. Thus, edtech vendors in all areas of education—from K-12 to colleges and universities—may be subject to the requirements of the CCPA if they process students’ personal information on behalf of schools and meet the above requirements. Additionally, the CCPA provides no exemption for FERPA, creating tension between the two laws for schools and edtech vendors storing students’ personal information.
TLDR Answer: If you are only processing student educational records under FERPA’s school official exception, as of the time of publishing this blog, you are exempt from complying with all but the California law (granted those thresholds are met).
Are you an edtech provider that contracts with schools that are not covered by FERPA?
Private, parochial, and home schools, which are not covered by FERPA, constitute roughly 15% of students as of May 2023, with 5.4% of students homeschooled, 9.6% students attending private schools, and 85% of students enrolled in public schools, according to a household pulse survey conducted by the Census Bureau. As homeschooling has increased, with The Washington Post noting it has become “America’s fastest-growing form of education” and an estimated 1.9 to 2.7 million homeschooled students in the U.S., edtech companies have sought to cater directly to homeschooled students and provide bespoke educational environments centered around enhancing individual understanding, supplementing traditional education, and mirroring trends like microschools. Generally speaking, companies providing services to students at schools not covered by FERPA will have to evaluate the criteria of each of the comprehensive consumer privacy bills to see if they apply, similar to how they must consider their individual obligations under state student privacy laws.
TLDR Answer: Consider your customer base and understand that FERPA does not apply to private schools or home schooled student data.
Are you an edtech provider that offers the same or similar service directly to consumers?
If you are a business that processes educational information under FERPA and also markets and sells your products to students and parents outside of school, the analysis becomes more complicated. This is because if you are a provider that offers the same or similar services directly to consumers, parents, or students, you may be covered by these laws if your business meets the revenue and data processing thresholds prescribed by each law. However, it remains unclear to what extent you are covered because making this determination requires specific analysis that considers the requirements within each jurisdiction. This leaves open the possibility that companies operating as service providers through their “school official” capacity under FERPA are excluded, while the same company is subject to the law when processing data from those same students outside of the school context.
TLDR Answer: It depends.
FPF will continue to track comprehensive consumer privacy laws in the upcoming legislative session. Find us at FPF.org.