Bookmark and Share

Legal Updates

Student Personal Information And Privacy: An Adult Conversation

In few contexts are we more tempted to exclaim, “Kids Today!” than when it comes to their views on privacy. Much has been written about the changing mores of young people with respect to what they are willing to share about themselves in cyberspace.

Though students’ ideas of acceptable boundaries may be shifting with each new enticing smart phone app, the adults in the room need to be mindful and vigilant about the potential misuse of student personal information. In particular, independent schools should ensure that their data-collection processes, website privacy policies, and vendor agreements are compliant with all laws concerning student personal information.

Data Collection And Privacy Policies

Whether through the admissions office portal, from its general access website or elsewhere online, if a school collects “personal information” from children under age 13, the school must comply with the Children’s Online Privacy Protection Act (“COPPA”), in effect since 2000 and overseen by the Federal Trade Commission. “Personal information” for children includes, but is not limited to, a child’s full name, address, telephone number, Social Security number and screen or user name, and any photo or video file containing a child’s image or voice. This definition is broader than the typical definition of “personal information” in state statutes covering data security for adults, taking into account the need to safeguard the connection between a student’s name and his or her image.

The primary upshot of COPPA is that schools should not be requesting or encouraging the submission of personal information from children under the age of 13 absent parental consent. If a school is aware that it – or another entity, through the school’s website – is collecting such information directly from young students, then a privacy policy, prominently displayed and easy to access, must be posted on the school’s website. The privacy policy must list all services or vendors collecting the personal information, explain how the personal information is used, and describe parents’ rights to control the parameters of how their children’s personal information is handled. Though limited exceptions apply, schools must generally verify parental consent prior to obtaining any personal information from younger children.

Independent schools are also encouraged to have more general website privacy policies covering the collection and use of personal information of older children and users. In addition to identifying “personal information” and describing how such information is used (for example, by the advancement office, to maintain a database of donors), privacy policies should indicate that personal information may be disclosed to school employees on a need-to-know basis and under other appropriate circumstances, including when required by law or court order, or when necessary to protect a school’s legal rights. In sum, schools should signal their intent to be protective of personal information, but also indicate that under appropriate circumstances, such information may need to be shared.

A privacy policy should also describe, if applicable, how the school’s website employs cookies (text files that permit a user to have a more fluid experience using the school’s website), the limits of the school’s privacy policy (should a visitor access another website or service through the school’s website), and contact information for a staff member who may assist with any privacy-related questions.

Vendor Agreements

Faculty may debate the merits of cyber tools in their classrooms, but independent school administrators should be united in ensuring that vendor agreements covering such tools and services place the onus on vendors to safeguard student data.

At the outset, we recommend that such agreements define as narrowly as possible the types of student data covered by the particular educational technology tool. Vendor agreements should stipulate that the vendor does not own the student data and will limit its use of the data to purposes related to its services. In particular, vendors should agree not to sell student data.

We further recommend that a vendor contract specify that the vendor will comply with all applicable state data security laws, which typically mandate that the state attorney general and consumer protection agency be notified if a data breach occurs, along with parents whose children’s personal information might have been compromised. In order to avoid a breach in the first place, vendors should also agree to encrypt student data if it is managed on any portable devices, and have protocols in place to address the storage and security of such data.

In 2014, a consortium of software providers to K-12 schools announced a pledge to protect student privacy. As of this writing, approximately 260 vendors have signed the pledge, which includes the tenets outlined above and commits the vendors to offering additional protections, including not retaining student data beyond the term of a contract for services and providing students and parents with the ability to access the student data maintained by vendors. Independent schools might consider checking whether their vendors have signed on to this pledge, at, in advance of executing any contracts for educational technology services. If a vendor has signed the pledge, this is a strong signal that the vendor takes seriously the safeguarding of student personal information.

* * *

On their websites, through policy announcements to their communities at large (including applicants and alumni), and behind the scenes (through appropriately drafted contracts with technology service providers), independent schools can take meaningful steps to protect student privacy, even in an age where students themselves seem less concerned with doing so.

Please contact any member of the Firm’s Education Practice Group if you need assistance in understanding and managing student personal information or related compliance issues.