While EdTech providers’ privacy requirements may vary, complying with student privacy laws is always complex. It’s a time of unprecedented opportunity for ed tech providers. It’s also a time of unprecedented change.

During 2020, over 40 million US students enrolled in K-12 moved to some form of distance learning with more than 30 million of those relying on online resources for learning. As a result of this sea change, in March 2021, the federal government added $7 billion dollars to the E-Rate program for schools to purchase one-to-one devices and internet connectivity. With all this new opportunity, there has never been a more important time for ed tech providers to protect children’s personal information and build trust with parents and educators.

What are the risks for ed tech providers? As policy makers nationwide adapt to the groundswell of reliance on learning technology, the regulatory landscape is changing, too. Across all fifty states, there are over 100 state privacy laws that apply to K-12 students and more are under consideration every legislative session.

PRIVO supports ed tech providers not only to meet regulatory requirements but to stay a step ahead while meeting their organizational or business needs. At the federal level, although there are just a few laws such as FERPA and PPRA, the consequences of not complying can be severe financial penalties, as well as brand damage. In 2019, Google paid the highest fine related to child privacy in American history at $170 million dollars.

For an example of how privacy concerns can damage a brand, look no further than the case of InBloom, a consortium that had a positive, child-centered mission. So, what went wrong? InBloom streamlined the availability of student data to those in the school system, from campus leaders to ed tech providers. However, it was quickly undermined by a perceived lack of transparency about how student data was handled: “When vocal opposition raised concerns about student data use potentially harming children’s future prospects or being sold to third parties for targeted advertising... participating states succumbed to pressure from advocacy groups and parents and, one by one, dropped out of the consortium.” Although there were no compliance issues per se, InBloom was closed the year after it launched. Its demise highlights the need to offer transparent and privacy-enhanced experiences for schools, educators and, above all, students.

Over the past few years ed tech providers have started to come under increased scrutiny. Google found itself in the firing line. New Mexico's attorney general brought an action against the tech giant, claiming its school tools tracked students' activities on their personal devices outside the classroom. It also faced a lawsuit last year from two students alleging it collected biometric data of thousands of students using its tools. Education platform Edmodo suffered a major data breach which exposed millions of students and teacher’s information online, highlighting the need to prioritize security measures and several Senators wrote to ed tech companies asking them to provide more information on their data collection and use practices.

With children’s privacy protections firmly in focus and the Children’s Online Privacy Protection Act (COPPA) Rule Review due, there has never been a better time for ed tech providers to ensure they have their house in order. 


About the authors

Patrick Davenport is the Kids Privacy Assured Program Manager for Student Digital Privacy at PRIVO, and Claire Quinn is the Chief Privacy Officer at PRIVO.