New NC Law Enhances Student Privacy Rights and Restricts Providers of Online Educational Resources
Education technology (or "EdTech") organizations will want to pay close attention to a new North Carolina statute that was signed into law a couple of days ago. On Thursday, June 9, 2016, a new law titled "An Act to Protect Student Online Privacy" was enacted to further protect the privacy of K-12 students in North Carolina. It becomes effective October 1st, so education technology companies have very little time to prepare before the upcoming school year begins. They should review their data collection, storage, use and sharing policies and procedures in light of the new law, and adjust their practices if necessary. In some cases, this may require changing or disabling the features and functions of websites or applications.
Who Is Affected?
The law is primarily aimed at the fast-growing Ed Tech sector. Organizations may be affected
whether or not they have a contract with a school, school board, or the State of North Carolina. The statute applies to the operators of websites, online services, online applications, or mobile applications who know that the site, service, or application is used primarily for K-12 school purposes. School boards are also affected, because they should ensure that their contracts with providers of online services require those providers to comply with the new law.
Like the existing student privacy statute, the law applies to
public schools only. Private schools, and their service providers, will remain unaffected. (If private schools wish to protect the privacy of their students, they must do so by including contractual protections with their service providers. I would strongly suggest that they do so.)
New Prohibitions
Online operators are prohibited from selling or renting a student's information without parental consent. They are also generally prohibited from disclosing a student's covered information (defined below) except for six specific purposes. The permissible disclosures include disclosures to a subcontractor who is contractually prohibited from further disclosure of the information and who agrees to implement reasonable security procedures.
Online operators may not engage in so-called "targeted advertising" (better known as "behavioral advertising") based on information received for "school purposes." "Targeted advertising" means presenting an advertisement to a student where the advertisement is selected based on information obtained (or inferred over time) from that student's online behavior, usage of applications, or covered information. Furthermore, they are prohibited from "amassing a profile" of a student except for school purposes.
New Requirements
In addition to proscribing new limitations, the statute imposes two new obligations on online operators. All operators must "implement and maintain reasonable security procedures" and "protect covered information from unauthorized access, destruction, use, modification, or disclosure." Operators are also required to delete a student's information at the request of the school board, or when the operator stops providing service to the school board, unless the student's parent consents to the record retention.
Broader Scope of Covered Information
Although the student privacy statute already contained a definition of the term "personally identifiable information," the new statutes creates a
significantly more broad definition of the same term that is applicable
only for purpose of
online privacy protections. It includes twenty nine (29) categories of information.
Interaction with Existing Law
You may recall that I wrote in mid-2014 about a then-new student privacy law in North Carolina. You can read that summary
here. Titled "An Act to Ensure the Privacy and Security of Student Educational Records," the law prohibited schools from collecting certain categories of information, restricted the disclosure of personally identifiable student data, required school boards to give parents an annual summary of parental rights and opt-out opportunities, and directed the State Board of Education to make rules regarding privacy standards, audits, breach notification and data retention and destruction policies. The 2016 law described in this article amends and enhances the 2014 statute.
It should be noted that the federal
Children's Online Privacy Protection Act (better known as COPPA) already protects children's online privacy in the educational context as well as in all other contexts. Any organization affected by North Carolina's new statute should already be in compliance with COPPA, but if it is not, there is no better time than now to become compliant.
Don't Get Sent to the Principal's Office!
Education technology companies and school boards have very little time to revise their policies and practices in order to comply with the new statute. They should consult with their privacy counsel quickly so that they will not be "sent to the principal's office" when the summer break ends!
You can find more posts like this by Ward and Smith, P.A. attorney and Certified Information Privacy Professional (CIPP/US) Matt Cordell at the North Carolina Privacy and Information Security Law Blog: www.PrivacyLawNC.com. Matt Cordell practices in the areas of privacy law, information security law, data use law and related consumer protection laws, and has offices in Raleigh, New Bern, Greenville, Wilmington and Asheville. This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.
