A Conversation with Mark Williams

The California Student Data Privacy Agreement (CSDPA) model contract is a practical, cost- and time-saving template agreement for school districts and technology vendors that balances the parties’ interests and adequately protects student data privacy. Developed as part of the Student Data Privacy Consortium (SDPC), the California model contractual addendum is the product of a collaborative project among Fagen Friedman & Fulfrost (F3 Law), a full-service public education law firm in California; the California Educational Technology Professionals Association (CETPA); and the California Student Data Privacy Consortium (SDPC).

On July 10, FPF interviewed Mark Williams, partner and co-chair of F3’s eMatters and Higher Education practice groups, about the creation and implementation of the CSDPA and plans for a new national model contract that all SDPC members could use.

FPF: What was the background for creating the California Student Data Privacy Agreement and what is its purpose?

Mark: The California Educational Technology Professionals Association and F3 Law, acting as CETPA’s general counsel, were contacted by Larry Fruth and Steve Smith, co-founders of The Student Data Privacy Consortium. The SDPC has a state registry of technology contractors who have agreed to sign California’s specific data privacy agreements. We wanted to join the SDPC, to establish a California registry and create our own model data privacy agreement. Following Steve Smith and the SDPC’s lead, we’ve worked for about seven months to draft this model agreement and have been very happy to be involved with this organization.

Our goal was to create a solution to the mutual problems affecting both school districts and vendors. Let’s start with the school districts. A big part of the districts’ budget is IT and digital products. However, school districts are thinly resourced and do not have adequate funding to negotiate provisions in technology contracts, especially regarding privacy. So, they found themselves agreeing to vendor contracts that were remarkably slanted to the vendors’ interests.

The vendors had a different challenge. Although they typically want to comply with data privacy rules, they did not have a mechanism with which to do so. In practice, they were negotiating individually with school districts, and this was very frustrating for them.

The California Student Data Privacy Agreement was envisioned as a solution to this mutual problem. We wanted to draft a balanced contract that considers the interests of the school districts, including student data privacy interests, and those of the vendors. In terms of CSDPA’s more important provisions, we tried to create a durable document to serve as a practical, easy-to-understand guide for districts and vendors to govern their data relationship over time.

FPF: Beyond providing a practical solution for the parties, does the CSDPA have additional objectives?

Mark: Absolutely. First, the CSDPA is meant to be used as a transparency and accountability document for education stakeholders. Parents and public organizations have concerns about these contracts, including how they are entered into and what is involved. We took those concerns to heart. In this respect, two important things we wanted to accomplish through the CSDPA are to clearly state in writing 1) the type of data that a particular contract would require and 2) the purpose of the agreement. For a parent to make an informed decision about participating in a particular program, they need to know about the expected benefits and the data that the vendor will receive. This description of purpose and data exchange was very important in order to obtain parents’ buy-in for new contracts.

We were also interested in establishing standards for data security, including ensuring that technology companies adopt appropriate security measures to prevent unauthorized access to student data. These were some of the more challenging provisions in the agreement. It is a very complicated, technically driven field, and it is challenging to set standards that are both understandable to school administrators and encompass the variety of technology relationships that these contracts can establish.

Finally, we wanted to drive down transaction costs for both vendors and school districts. Even if using a data privacy amendment together with the CSDPA, technology companies must repeatedly enter into the same agreement and sign it with different school districts. To solve this, our innovation was “Exhibit E.” This simplified solution allows a school district to adopt the same data privacy terms used by another district by simply signing the exhibit, sending it to the vendor, and concluding the negotiations for the data privacy provisions, in this one easy step. In other words, the technology company must negotiate only once for the data privacy amendment, and other school districts can “piggyback” off that original agreement.

FPF: So, the CSDPA serves as an adaptable template for different technology companies and types of services?

Mark: Yes, exactly; the CSDPA is a template. It is important to address some misconceptions that companies or districts may have about it. While the CSDPA attempts to capture most issues for most relationships, we do not claim that it can encompass every different contract variation. To accommodate this reality, there is an amendment process, administered by CETPA in California, under which we approve variations to contract terms. For this purpose, we have created a specific term amendment form. In practice, we honor nearly all term amendment requests because the variance being sought is reasonable and based on a business approach that is acceptable to us and to the school districts.

FPF: To what extent has the CSDPA been adopted so far?

Mark: Its adoption has certainly exceeded our expectations. In California, 1,100 of the state’s 1,200 school districts are using the CSDPA. Furthermore, several school districts have established a board policy barring them from entering into any technology contract other than the CSDPA. There have been roughly 700 companies that have already signed off on it as well.

Moreover, the CSDPA has provided indirect benefits. By setting a de facto standard, this agreement is exerting a gravitational pull on all privacy agreements. Even some of the largest technology companies in the education space that have their own agreements and don’t necessarily want to sign the CSDPA itself have been cooperative. They are willing to have us review their privacy agreements and, in many instances, modify them to match the provisions and the spirit of the CSDPA.

FPF: Can the CSDPA be used beyond California? And what about drafting a national model contract?

Mark: It absolutely has reach beyond California. In fact, more than 15 states, including Texas, Washington, and Massachusetts, have already adopted it. So, we have effectively begun to set a national approach. To take this national momentum one step further, we have convened attorneys, industry specialists, and security experts to draft a new, national model contract.

Recently, digital privacy law has seen a confluence towards commonly accepted approaches. Because of this, we have not faced many obstacles in finding common ground. The only major challenge we have encountered has been security standards. No standard practice has been formally established for the K-12 space, and there are real differences between states’ approaches to data security practices. Therefore, we are faced with a double-headed dragon of simultaneously establishing common language and common standards.

Another question we are currently wrestling with is whether this national model will be more of a reference guide for best practices or, rather, will be more directly connected to specific requirements. Different-sized companies may require different levels of standards. For example, setting uniform, strict standards could negatively impact smaller and emerging companies, by setting heavy burdens that act as barriers to entry.

FPF: So, we may see a multi-tiered system emerge in the national model in order to address this issue?

Mark: That’s exactly right. To a certain extent we have been applying an ad hoc version of a tiered approach in the CSDPA, but we might choose to formally structure it this way in the national version.

FPF: Is it possible for people not directly involved with the national model contract to provide input on its development?

Mark: Absolutely. This document is open source in the broadest sense of the term, and we are actively collecting comments. My experience, including on the CSDPA, has been that the more input we receive, the better. I strongly encourage people to reach out and provide their suggestions. They can reach out to the CDPC or the eMatters team at F3law.com. We plan to publish an initial draft for public comments within 30 days.

This interview was conducted by Ahuva Goldstand on July 10, 2019. It has been edited and condensed for clarity.