“HIPAA doesn’t apply to public schools.”

That line has misled EdTech teams, confused school leaders, and put student data at risk for over two decades. It’s true that FERPA usually governs student records in K–12. But here’s what most people miss: HIPAA still matters, especially when schools use third-party platforms to handle health-related data. From school-based telehealth to IEP services to student mental health screening tools, the line between educational records and medical records is blurrier than ever. And when the wrong line gets crossed? It’s not just a compliance issue. It’s a breach.

Here’s what I tell EdTech companies and school leaders:
- Understand which privacy law governs each data set (there are many permutations of who owns and governs the data)
- Avoid assuming FERPA coverage is a catch-all (again, think of all the permutations in this hyper-connected, third-party platform driven world)
- Build governance into your products and partnerships
- Train teams on real-world data-sharing risks, not just legal theory

Because when student privacy is mishandled, it’s not just trust that erodes. It’s the entire foundation of the EdTech ecosystem.

#EdTech #FERPA #HIPAA #AIGovernance #StudentPrivacy
Student Privacy Laws
Summary
Student privacy laws are rules and regulations designed to protect the personal information and data of students, especially when schools, educational technology companies, and other organizations collect, use, or share that information. These laws—such as FERPA, COPPA, and state-specific regulations—govern how student data must be handled to ensure safety and prevent misuse or unauthorized access.
- Clarify data boundaries: Always determine which privacy law applies to each type of student information, especially when handling health or sensitive data across educational platforms.
- Update policies regularly: Review and revise your organization's privacy practices and policies to stay compliant with new rules in your state or country.
- Train your team: Make sure staff and volunteers understand the real-world risks and responsibilities of handling student data, not just the legal theory behind privacy laws.
-
October comes next week, and so do new privacy requirements in three states. Here's a recap and what to check ⤵️

1️⃣ Colorado Privacy Act amendments related to minors' personal data will:
🔸 impose obligations where a controller knows or willfully disregards that a user is a minor;
🔸 require opt-in consent to sell or use a minor's personal data for targeted advertising, or to use system design features to increase engagement;
🔸 limit how precise geolocation data of minors can be processed; and
🔸 mandate data protection assessments in additional contexts.
Rulemaking is underway to provide further clarity on these new requirements, including to specify when a data controller "willfully disregards" that a user is a minor and what system design features increase engagement. See the draft regulations here: https://lnkd.in/gcBtzyTi

2️⃣ Montana privacy law amendments that:
🔸 lower the law's threshold for applicability;
🔸 remove the general non-profit exemption;
🔸 add privacy policy content requirements;
🔸 require sale and targeted advertising opt-out links outside the privacy policy; and
🔸 remove the right to cure violations.

3️⃣ Maryland's Online Data Privacy Act takes effect. It has a low bar for applicability, and unique or less common requirements like:
🔸 prohibiting processing of sensitive personal data unless it is strictly necessary to provide or maintain a consumer-requested product or service;
🔸 forbidding collection of personal data unless it is reasonably necessary and proportionate to provide or maintain a consumer-requested product or service;
🔸 banning sales of personal data of minors, and processing of their personal data for #TargetedAdvertising;
🔸 broad data deletion right unless retention is required by law (though other provisions may give some flexibility);
🔸 privacy policy requirements including to disclose the type of, business model of, or processing conducted by each third party to which personal data is disclosed; and
🔸 consumer health data requirements.

If you haven't already, identify which of these laws apply to your organization, and see if your current privacy practices address what's required. Consider especially:
✔️ How your organization identifies accounts, profiles, and personal data of minors, and treats them in line with Colorado's, Maryland's, and other states' increasingly complex requirements
💡 Validate that there are processes to address parental reports, app store provided age information, and other reports and signals that a data subject is a minor;
✔️ Data collection and use limits to address Maryland's strict data minimization requirements, particularly for sensitive personal data
💡 Updates may be appropriate in #privacy impact assessment processes, organizational policies, and organizational privacy training;
✔️ Confirming your organization's privacy policy has the third party details required under the Maryland law.
-
Despite what your teenagers tell you, they are children under privacy law. Last week, UK regulators launched investigations into TikTok, Reddit and Imgur over their use of data from 13-17 year olds.

Here are five best practices for handling children's data:
1️⃣ Don't let children share their precise geolocation to everyone
2️⃣ Turn privacy options on by default
3️⃣ Encourage children not to share personal information publicly
4️⃣ Review recommendation algorithms for addictive or harmful content
5️⃣ Inventory your SDKs to avoid accidentally sharing sensitive children's data

Please note that the UK has also adopted the Age Appropriate Design Code and this law is in effect and in force. While California's version has been stayed by the courts, modified versions are being drafted in California and elsewhere. In addition, CCPA and other state privacy laws consider children's data to be sensitive data. Depending on your state, this may require risk assessments and opt-ins before processing for targeted advertising.

#ChildrensPrivacy #ParentalControls #PrivacyLaw #AgeVerification #UK #COPPA #advertising #marketing https://lnkd.in/gESf6PPN
-
ICYMI: Despite an updated COPPA rule, states aren't waiting for Congress to act on protecting kids online. Here are a few of the proposed laws making their way through state legislatures and one that was signed into law last week:

🌴 In South Carolina, a proposed State Senate bill (S268) mandates that online services enhance minors' safety by restricting data collection, preventing potential harm, offering tools for managing screen time and data, facilitating parental controls, and enabling harm reporting. Additionally, these services must publicly disclose their safety practices concerning minors' data and safety.

🌞 In North Carolina, the proposed Children's Online Safety Act would enact safeguards to protect children online, establish the online safety division at the Department of Justice and the cyberbullying unit at the state Bureau of Investigation, create the online child safety commission, and appropriate funds for those purposes.

🏙️ The New York Children's Online Safety Bill (SB S4609) would require operators of covered platforms to conduct age verification to determine whether a user is a covered minor, utilize default privacy settings for covered minors, and require parental approval of activity related to a covered minor's covered platform account.

👉🏼 Arkansas Governor Huckabee Sanders signed the three children’s privacy-related bills passed by the legislature last week into law: HB 611, HB 612, and HB 1717. Under HB 1717, operators who know they are collecting personal information from teens must provide notice of what information the operator collects, the purpose for processing personal data, and disclosure practices.
-
As technology increasingly integrates into education, protecting student data privacy is extremely important. Did you know that since 2013, 42 states have passed 121 laws addressing this issue? With the ever-changing legislative landscape, it's essential to stay informed. That's why Project Unicorn's updated Privacy Jump Start Guide is a must-read resource. This guide provides a comprehensive overview of student data privacy, highlighting the importance of best practices and offering resources from organizations like Council of Chief State School Officers, Data Quality Campaign, Common Sense Media, Consortium for School Networking (CoSN), Center for Democracy & Technology, Future of Privacy Forum, Federal Trade Commission, U.S. Department of Education, National Center for Education Statistics (NCES), Student Privacy Compass, Access 4 Learning Community, SIIA, ConnectSafely, Massive Data Institute, Texas Congress of Parents & Teachers (Texas PTA). Whether you're an educator, administrator, or IT professional, this guide equips you with the knowledge to navigate student data privacy during your interoperability journey: https://ow.ly/blts50P86W3 #DataPrivacy