The past few years have seen exponential growth in the use of technology in the classroom, with applications ranging from the increased availability and use of e-books to the displacement of physical classrooms through Massive Open Online Courses (also known as MOOCs). One of the fastest growing segments of the education technology market relates to online educational services and applications, which are designed to track individual student progress and use the data gathered to deliver an individualized learning experience to each user. However, while online educational services and applications hold significant potential, the gathering of massive amounts of data has also sparked fears about what data will be collected, from whom, how it will be used, and whether, if at all, it will be deleted. This fear is especially prevalent when it comes to online educational services and applications targeted at children.
Several pieces of legislation already exist at the federal level to address the privacy and data security concerns surrounding the collection and use of data from children; these include the Family Educational Rights and Privacy Act, the Children’s Online Privacy Protection Act, the Protection of Pupil Rights Amendment to the General Education Provisions Act, and the Individuals With Disabilities Education Act. These federal statutes are supplemented in many states by additional legislation designed to provide additional protections. Notwithstanding these extant statutory protections, many people believe that application designers and school officials still have too much leeway when it comes to collecting data from children. In response to these concerns, the Department of Education (“DOE”) recently released a series of guidance documents aimed at helping school officials decide what applications provide the optimum level of data security and privacy for their schools and students.
The main component of the new guidance is a document the DOE is calling a Model Terms of Service (click for pdf.). Despite its name, the Model Terms of Service is not actually a template for school officials to use when negotiating terms with a service or application provider prior to purchase; rather, it is a document containing a list of common provisions that might be included in an education personalization application’s Terms of Service relating to student privacy and security. Examples include provisions on how data is collected, used, shared, transferred and destroyed, whether the application retains the right to market to students or parents based on the data, and information regarding the application’s security protocols. For each sample provision, the Model Terms of Service states whether the provision is a best practice or whether the provision, in the DOE’s view, should not be included in an agreement between the developer and the school. Each sample provision also includes a brief explanation of why the sample provision is either a best practice or problematic in light of a schools’ privacy obligations.
To complement the guidance, the DOE released a user-friendly, 10-minute video to introduce school administrators, teachers and staff to the most applicable federal statutes governing a school’s privacy and data security obligations relating to students, and to explain how the Model Terms of Service can help them evaluate the use of online educational services and applications. The DOE also took the step of encouraging school administrators to check whether the creators of a given application have signed the Student Privacy Pledge when considering whether to use a particular online educational service or application in the classroom. The Pledge, issued as a joint product by the Future of Privacy Forum and The Software & Information Industry Association, contains a list of 12 commitments relating to the collection and dissemination of student information to which signatories must agree.
While these guidance documents are aimed at school officials and teachers, they also provide developers of online educational services and applications with insight into what sort of limits and rules the DOE intends to advocate for when it comes to data security and the collection and dissemination of student data. It stands to reason that developers who align themselves with the DOE’s list of best practices may find themselves at a commercial advantage in the near term, and may have a leg-up on their competitors if these best practices are ever codified into law at the federal or state levels.