Privacy Quick Tips for Vendors

Complying with FERPA, COPPA, and other student privacy laws can be complex. But when privacy policies are poorly written or not adequately protective of consumer rights, criticism is sure to follow eventually. A listing of laws and compliance guides is available throughout this site. For small app developers or those looking for some quick key points, we provide the items below for a quick check-up. This list is NOT comprehensive, but flags some important issues. Learn more on EdSurge.

In general, be careful about changes to your privacy policy. You may need permission if the uses of data are different from what your policy previously stated. Under COPPA, material changes to the policy may require specific notice and an obligation not to use data differently than promised under the prior policy.

If you provide a service targeted toward schools and have contractual agreements with schools, FERPA generally requires:

    • Disclose clearly and concisely to the school what types of student data are collected and for what purposes you may use or share this information.
    • Schools must maintain direct control over data they share with you, and you may not use student data for any reason other than the legitimate education purposes for which it was shared with you.
    • Data you collect and store may need to be readily accessible. Under FERPA, parents and eligible students (generally students aged 18 and over, or any student in post-secondary school) must be able to access the student’s education records upon request to the school. Make sure that you can support such access.
    • Do not share student data with third parties, unless authorized by a school or law. Do not keep data beyond the period authorized by the school.

If you provide a service for which parents and teachers can sign up, the following tips are especially important:

    • Provide a clear and complete privacy policy.
    • Parents must be able to directly access and delete any data about children under the age of 13, so be sure you provide this capability.
    • Do not request a child’s precise location unless you get verified parental consent. The FTC has explicitly declared that the precise location of a child requires parental consent. If it is necessary to collect precise location, explain why and for what purpose you are collecting that information.
    • Take responsibility for any cookies or third-party code on your website or mobile application. Be careful about using free social sharing widgets like Add This or Share This, as they sell data to ad networks and data companies. Other free plugins, such as analytics or ad network code, may share data with third parties in violation of your obligations under COPPA (and FERPA).
    • While teachers can provide consent to satisfy COPPA, you must still satisfy other COPPA obligations to parents.

Other general tips to consider:

    • Do not allow ad networks to target “Interest-Based Ads” on your services.
    • Use reasonable industry practices to secure any student data you collect and store. Be prepared to report and address a potential data breach of your system.
    • Be aware that different laws use different definitions of “personally identifiable information.” This definition can be very broad. If you receive education records from schools, there may be different legal obligations and restrictions based on whether the data is personally identifiable or aggregated.