One bright spot in recent events has been to see our kids stay focused as students and to see teachers continue their great work while bunkered down from their homes. Nevertheless, it may be worthwhile to pause to think about the technology that makes this all possible. One lawsuit recently filed in California sheds light on the privacy issues created when students, schools and teachers become increasingly reliant on “e-learning” and the technology that supports it.

On April 2, 2020, a class-action lawsuit was filed in the District Court for the Northern District of California entitled H.K. and J.C., through their legal guardian Clinton Farwell v. Google, LLC, 20-CV-2257 NC (N.D. Cal. 2020) which brings issues related to data gathered from students during e-learning front and center. Allegations that “Google has infiltrated the primary and secondary school system in this country by providing access to its ‘Chromebook’ laptops, which come pre-installed with its ‘G-Suite for Education’ platform…to over half of the nation’s schoolchildren, including those in Illinois, most of whom are under the age of 13” form the basis of this Class Action Complaint. (See Complaint at ¶ 6). In general, the minor plaintiffs in H.K. claim “[t]hese Google-manufactured and provided laptops come equipped with Google’s ‘G Suite for Education’ platform, which requires the children using it to speak into a microphone on the laptop that records their voices and look into a camera on the laptop that scans their faces.”(See Complaint at ¶ 46).

In providing the factual background for their claims, the minor plaintiffs in H.K. assert “Google provides its ‘Chromebook’ laptops to grade schools, elementary schools and high schools nationwide, who in turn make these computing devices available for use by children who attend their schools.” (See Complaint at ¶ 33). The Complaint alleges that Google collects the following student information through this program:

• The student’s physical location;
• The websites visited by each student;
• Every search term used by the student in Google’s search engines;
• Every video watched by the student on the device;
• The student’s personal contact lists;
• Voice recordings;
• Saved passwords; and
• “Other behavior information.”

The Complaint in H.K. has allegations that Google collects students’ “voiceprints” and face images. (See Complaint at ¶ 38). Next, the Complaint asserts “Google uses the voiceprints and face templates it collects to, inter alia, identify and track the children who its Chromebook laptops and the “G Suite for Education” platform that comes installed on them.”  (See Complaint at ¶ 38). Further, the minor plaintiffs allege “[t]he unique voiceprints and face templates that Google has collected from children in Illinois and across the country are not only used by Google to identify children by name, they are also used by Google to recognize…gender, age and location.” (See Complaint at ¶ 40).

As for the specific allegations by the minor plaintiffs in H.K., the Complaint alleges that H.K and J.C. were Illinois residents, under the age of 13 years old, when they used Google’s G Suite for Education platform in their elementary school located in Bushnell, Illinois. (See Complaint at ¶ 10). Further, the Complaint alleges that neither minor “was asked for verifiable or written parental consent authorizing Google extraction, collection, storage and use of their personal and uniquely identifying ‘biometric identifiers’ or ‘biometric information’…”

Based on these allegations, the plaintiffs in H.K. claim Google violated the Illinois Biometric Information Protection Act (“BIPA”) and the federal Children’s Online Privacy Protection Act (“COPPA”) in the following manner:

• The Complaint in K. states that Illinois enacted BIPA in 2008 to protect Illinois’ citizens’ biometric data which prohibits the collection or use of this information without providing notice to the individual and places a number of requirements on data collectors. (See Complaint at ¶ 17). The plaintiffs claim Google violated BIPA with its “practices of collecting, storing and using biometric identifiers and information from school children in Illinois without the requisite informed written consent…” (See Complaint at ¶ 19). Simply, plaintiffs in H.K. claim Google collected this information without obtaining parental consent. (See Complaint at ¶ 41). Based on these allegations the minor plaintiffs claim Google violated BIPA in their first cause of action.

Here, we may see Google argue that it is not subject to BIPA as a manufacturer of Chromebooks. BIPA lawsuits against the manufacturers of biometric equipment have not seen much success. As seen in the recent case Bray v. Lathem Time Co. 19-cv-3157 (C.D. Ill. March 27, 2020), in addition to suing his former employer, Bray sued Lathem, the company that designed and sold biometric-based timekeeping systems to employers to track time worked by hourly employees. “Lathem claims BIPA was not designed to apply to third-party technology vendors like itself. Although BIPA may give Bray a cause of action against his employer, Hixson—which he is pursuing in a separate action in state court—it does not give him a claim against Lathem.” Consequently, the District Court’s reasoning in Bray makes it more difficult to sue manufacturers of the equipment that collects biometric data.

• The Complaint in K. states that the federal government enacted COPPA in 1999 after “recognizing the vulnerability of children in the Internet age.” (See Complaint at ¶ 20).  “Under COPPA, developers of child-focused applications like Google’s ‘G Suite for Education’ service cannot lawfully obtain the personally identifiable information of children under 13 years of age without first obtaining verifiable consent from their parents.”

Privacy issues related to “e-learning” are developing at a rapid pace.  For example, on April 9, 2020, the Federal Trade Commission took a position that undercuts the plaintiffs’ assertions in H.K. that Google violated COPPA. In her blog post on the FTC’s website, Lisa Weintraub Schifferle wrote it was the FTC’s position that schools can consent to the collection of information for educational purposes:

If your child’s school is providing remote learning: Under COPPA, schools can consent on behalf of parents to the collection of student personal information by educational technology services. If your school has consented, then the service may only use that information for educational – not commercial – purposes. If you have questions about a service’s privacy and security practices, first review its online privacy notice. If you still have questions, consider asking your school. Remember, please, to be patient with your child’s school, as many schools are working hard to implement distance learning and may not be able to respond quickly. If you’d like to learn more, check out the U.S. Department of Education’s Student Privacy Policy Office’s new guidance on the Family Educational Rights and Privacy Act (FERPA) – “FERPA and Virtual Learning.”

Schools and educational technology companies can expect these privacy issues to become more prevalent once “brick and mortar” schools reopen. Further, in addition to seismic changes in this technology, schools will also need to monitor changes in the law. For example, the Illinois legislature’s recent amendments to the Illinois Student Online Personal Protection Act (“SOPPA”) by setting forth an extensive list of requirements that schools must implement by July 1, 2021.

For more information, contact Tressler attorney Todd Rowe at trowe@tresslerllp.com.

The post The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA appeared first on Privacy Risk Report.

Recently, the Chicago Tribune reported on a data breach involving student data stored by Pearson Clinical Assessment that may have involved a number of students at Illinois schools. On September 5, 2019, the parent of a student at Indian Prairie School District 204 in Naperville, Illinois filed a class-action lawsuit against Pearson Clinical Assessment – the education publisher that suffered a massive data breach in November 2018 exposing the personal information of thousands of teachers and students across the country.

As schools increasingly use online services and other technologies to help students learn, the ability to provide adequate protection of sensitive student data becomes increasingly problematic. Data protection is further complicated as more third party vendors provide services to schools that require the collection and storage of personal information belonging to students and staff.  Therefore, schools are increasingly becoming proactive by implementing security safeguards and privacy policies to protect sensitive student and staff data to reduce their chances of being involved in breaches similar to the one seen with Pearson.

The Illinois legislature has recently adopted a statutory framework to make sure schools take all steps necessary to protect student and staff information. Specifically, the Illinois legislature’s recent amendments to the Illinois Student Online Personal Protection Act (SOPPA) by setting forth an extensive list of requirements that schools must implement by July 1, 2021. These requirements are designed to ensure schools take steps to protect data. The major amendments affecting schools are summarized below:

• Under the new SOPPA amendments, schools and third-party operators are only allowed to use and collect student information for school-related purposes.
• Schools are prohibited from selling student information.
• Schools must enter into a written agreement with third-party operators before transferring any protected student information. The written agreement between schools and third-party operators must include the following information:
• A description of the student information that will be transferred to the third-party operator.
• A statement of the product or service being provided to the school by the operator.
• A statement that, pursuant to the federal Family Educational Rights and Privacy Act of 1974, the operator is acting as a school official with a legitimate educational interest, is performing an institutional service or function for which the school would otherwise use employees, under the direct control of the school, with respect to the use and maintenance of covered information, and is using the covered information only for an authorized purpose and may not re-disclose it to third parties or affiliates, unless otherwise permitted under this Act, without permission from the school or pursuant to court order.
• A description of how, if a breach is attributed to the operator, any costs and expenses incurred by the school in investigating and remediating the breach will be allocated between the operator and the school.
• A statement that the operator must delete or transfer to the school all covered information if the information is no longer needed for the purposes of the written agreement and to specify the time period in which the information must be deleted or transferred once the operator is made aware that the information is no longer needed for the purposes of the written agreement.
• If the school maintains a website, a statement that the school must publish the written agreement on the school’s website. If the school does not maintain a website, a statement that the school must make the written agreement available for inspection by the general public at its administrative office.
• The operator must notify the school of any data breach within 30 calendar days of its occurrence.
• Except for a nonpublic school, provide to the school a list of any third parties or affiliates to whom the operator is currently disclosing protected information or has disclosed protected information. This list must, at a minimum, be updated and provided to the school by the beginning of each State fiscal year and at the beginning of each calendar year.

The adoption of SOPPA dramatically impacts Illinois public schools to the extent many requirements move from being voluntary to compulsory. Over the next year, schools will need to analyze where their safeguards stand and what additional protections should be put in place before this law takes effect. The largest change for schools may be to forge a close relationship with their vendors and confirm vendors are providing the necessary safeguards. On a more practical level, schools may need to get away from using “boilerplate” contract forms with vendors and take a closer look at what the vendor is doing to protect information the schools have been entrusted to protect.

For more information about this article, contact Tressler attorney Christine Walczak at cwalczak@tresslerllp.com.

The post The Adoption Of SOPPA May Provide A Tough Lesson For Schools That Fail To Comply appeared first on Privacy Risk Report.