Illinois schools must comply with the Student Online Personal Protection Act by July 1, 2021. While many schools may not have been aware of this deadline or have been pushing compliance down the road, the coronavirus pandemic has put SOPPA compliance in a new light. Illinois schools are quickly realizing that their contractual relationships with educational technology companies and the use of student data are issues that must be addressed immediately. Therefore, this coming summer provides schools a unique opportunity to both get in compliance with SOPPA early and prepare for an uncertain fall semester.

• The Second Half Of The 2019-2020 School Year Caught Many School Districts By Surprise

On April 20, 2020, the Chicago Tribune published an article titled “Illinois districts were urged to prepare e-learning plans for students in case of emergency. Most didn’t do it.”  This article reports that many Illinois school districts were, understandably, caught off guard by the coronavirus quarantine in the second half of the 2019-2020 school district. While preparing for remote learning was a pressing issue prior to the quarantine, many schools, for a variety of reasons were unprepared when remote learning became a necessity:

Long before the coronavirus pandemic shut down Illinois schools, state education officials encouraged school districts to prepare to teach remotely. But most of the state’s 852 school districts didn’t have e-learning plans in place when schools closed in mid-March, a ProPublica Illinois-Chicago Tribune analysis has found.

In describing the weeks since remote learning has become a way of life, many school districts have struggled with various online applications, learning tools and getting students adjusted to their new classrooms:

Many of those districts have found themselves scrambling to figure out how best to teach students when they can’t be face to face. They have had to search for the best online platforms — Google Meet or Zoom or Flipgrid or Seesaw? — and try to determine how many students lacked internet service while districts that had already established the logistics have been able to pivot more easily into actual instruction.

Over the last couple of weeks, many school districts, their teachers and their students have needed to learn how to use remote learning tools after remote learning had started. Of course, while e-learning tools have made remote learning possible while people have been ordered to stay at home, these ed-tech applications also provide Google and a number of other tech companies with unlimited access to sensitive student data.

While schools have made significant progress shifting to remote learning, schools will need to take a closer look at how student data was protected during the coronavirus pandemic and what steps need to be taken this summer to shore up security. The legislative intent behind SOPPA fits the current situation perfectly:

Schools today are increasingly using a wide range of beneficial online services and other technologies to help students learn, but concerns have been raised about whether sufficient safeguards exist to protect the privacy and security of data about students when it is collected by educational technology companies. This Act is intended to ensure that student data will be protected when it is collected by educational technology companies and that data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies. 

Indeed, SOPPA may provide the best guidelines for schools to take a closer look at protecting student data and relationships with ed-tech companies during and after the quarantine.

• Schools Should Begin Planning For E-Learning In The Fall of 2020

The central point of the Chicago Tribune’s April 20th article is that many schools and students were unprepared when they shifted to remote learning. There is further evidence that schools may be in the same position next fall if they don’t immediately take steps to prepare for a remote learning environment. Many colleges are already looking at how the coronavirus pandemic may impact the 2020-2021 school year. For example, “…the University of Arizona said it remains hopeful the fall semester would include a return to campus:”

“We are cautiously optimistic that the fall semester will be able to launch with the normal face-to-face campus experience, but of course we will prioritize the health and well-being of our community in making that decision…”

And, colleges and universities are not the only schools struggling to figure out what this fall may look like for students. For example, the Washington State Superintendent of Schools, Chris Reykdal, has acknowledged that “[s]hort of a vaccine, which people continue to tell us is 12-18 months away, we have to figure out if it’s safe to come back even in the fall.” Similarly, the spokesperson for schools in Fort Wayne, Indiana commented: “[t]his could just keep going on, and we may not start in the fall.”

Given this uncertainty, schools may face a limited opportunity this summer to prepare for remote learning and be ready to address the uncertainties this fall. And, in deciding how to prepare for an uncertain fall semester, Illinois schools should start with SOPPA.

In general, SOPPA governs the relationship between schools, students/parents and “Operators.”  SOPPA defines “Operators” as “the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application with actual knowledge that the site, service, or application is used primarily for K through 12 school purposes and was designed and marketed for K through 12 school purposes.” In short, moving toward SOPPA compliance will force schools to take a look at their contracts with ed-tech companies and closely analyze how student data is transferred to third parties. This focus on educational technology companies makes SOPPA requirements the perfect place for schools to start this summer to prepare for next fall.  Further, schools will get a jump start for the July 1, 2021, mandatory deadline to comply with SOPPA.

Learn more at www.tresslerllp.com/soppa, or contact Tressler attorney Todd Rowe at trowe@tresslerllp.com.

The post This Summer Provides A Unique Opportunity For Student Data Privacy appeared first on Privacy Risk Report.

One bright spot in recent events has been to see our kids stay focused as students and to see teachers continue their great work while bunkered down from their homes. Nevertheless, it may be worthwhile to pause to think about the technology that makes this all possible. One lawsuit recently filed in California sheds light on the privacy issues created when students, schools and teachers become increasingly reliant on “e-learning” and the technology that supports it.

On April 2, 2020, a class-action lawsuit was filed in the District Court for the Northern District of California entitled H.K. and J.C., through their legal guardian Clinton Farwell v. Google, LLC, 20-CV-2257 NC (N.D. Cal. 2020) which brings issues related to data gathered from students during e-learning front and center. Allegations that “Google has infiltrated the primary and secondary school system in this country by providing access to its ‘Chromebook’ laptops, which come pre-installed with its ‘G-Suite for Education’ platform…to over half of the nation’s schoolchildren, including those in Illinois, most of whom are under the age of 13” form the basis of this Class Action Complaint. (See Complaint at ¶ 6). In general, the minor plaintiffs in H.K. claim “[t]hese Google-manufactured and provided laptops come equipped with Google’s ‘G Suite for Education’ platform, which requires the children using it to speak into a microphone on the laptop that records their voices and look into a camera on the laptop that scans their faces.”(See Complaint at ¶ 46).

In providing the factual background for their claims, the minor plaintiffs in H.K. assert “Google provides its ‘Chromebook’ laptops to grade schools, elementary schools and high schools nationwide, who in turn make these computing devices available for use by children who attend their schools.” (See Complaint at ¶ 33). The Complaint alleges that Google collects the following student information through this program:

• The student’s physical location;
• The websites visited by each student;
• Every search term used by the student in Google’s search engines;
• Every video watched by the student on the device;
• The student’s personal contact lists;
• Voice recordings;
• Saved passwords; and
• “Other behavior information.”

The Complaint in H.K. has allegations that Google collects students’ “voiceprints” and face images. (See Complaint at ¶ 38). Next, the Complaint asserts “Google uses the voiceprints and face templates it collects to, inter alia, identify and track the children who its Chromebook laptops and the “G Suite for Education” platform that comes installed on them.”  (See Complaint at ¶ 38). Further, the minor plaintiffs allege “[t]he unique voiceprints and face templates that Google has collected from children in Illinois and across the country are not only used by Google to identify children by name, they are also used by Google to recognize…gender, age and location.” (See Complaint at ¶ 40).

As for the specific allegations by the minor plaintiffs in H.K., the Complaint alleges that H.K and J.C. were Illinois residents, under the age of 13 years old, when they used Google’s G Suite for Education platform in their elementary school located in Bushnell, Illinois. (See Complaint at ¶ 10). Further, the Complaint alleges that neither minor “was asked for verifiable or written parental consent authorizing Google extraction, collection, storage and use of their personal and uniquely identifying ‘biometric identifiers’ or ‘biometric information’…”

Based on these allegations, the plaintiffs in H.K. claim Google violated the Illinois Biometric Information Protection Act (“BIPA”) and the federal Children’s Online Privacy Protection Act (“COPPA”) in the following manner:

• The Complaint in K. states that Illinois enacted BIPA in 2008 to protect Illinois’ citizens’ biometric data which prohibits the collection or use of this information without providing notice to the individual and places a number of requirements on data collectors. (See Complaint at ¶ 17). The plaintiffs claim Google violated BIPA with its “practices of collecting, storing and using biometric identifiers and information from school children in Illinois without the requisite informed written consent…” (See Complaint at ¶ 19). Simply, plaintiffs in H.K. claim Google collected this information without obtaining parental consent. (See Complaint at ¶ 41). Based on these allegations the minor plaintiffs claim Google violated BIPA in their first cause of action.

Here, we may see Google argue that it is not subject to BIPA as a manufacturer of Chromebooks. BIPA lawsuits against the manufacturers of biometric equipment have not seen much success. As seen in the recent case Bray v. Lathem Time Co. 19-cv-3157 (C.D. Ill. March 27, 2020), in addition to suing his former employer, Bray sued Lathem, the company that designed and sold biometric-based timekeeping systems to employers to track time worked by hourly employees. “Lathem claims BIPA was not designed to apply to third-party technology vendors like itself. Although BIPA may give Bray a cause of action against his employer, Hixson—which he is pursuing in a separate action in state court—it does not give him a claim against Lathem.” Consequently, the District Court’s reasoning in Bray makes it more difficult to sue manufacturers of the equipment that collects biometric data.

• The Complaint in K. states that the federal government enacted COPPA in 1999 after “recognizing the vulnerability of children in the Internet age.” (See Complaint at ¶ 20).  “Under COPPA, developers of child-focused applications like Google’s ‘G Suite for Education’ service cannot lawfully obtain the personally identifiable information of children under 13 years of age without first obtaining verifiable consent from their parents.”

Privacy issues related to “e-learning” are developing at a rapid pace.  For example, on April 9, 2020, the Federal Trade Commission took a position that undercuts the plaintiffs’ assertions in H.K. that Google violated COPPA. In her blog post on the FTC’s website, Lisa Weintraub Schifferle wrote it was the FTC’s position that schools can consent to the collection of information for educational purposes:

If your child’s school is providing remote learning: Under COPPA, schools can consent on behalf of parents to the collection of student personal information by educational technology services. If your school has consented, then the service may only use that information for educational – not commercial – purposes. If you have questions about a service’s privacy and security practices, first review its online privacy notice. If you still have questions, consider asking your school. Remember, please, to be patient with your child’s school, as many schools are working hard to implement distance learning and may not be able to respond quickly. If you’d like to learn more, check out the U.S. Department of Education’s Student Privacy Policy Office’s new guidance on the Family Educational Rights and Privacy Act (FERPA) – “FERPA and Virtual Learning.”

Schools and educational technology companies can expect these privacy issues to become more prevalent once “brick and mortar” schools reopen. Further, in addition to seismic changes in this technology, schools will also need to monitor changes in the law. For example, the Illinois legislature’s recent amendments to the Illinois Student Online Personal Protection Act (“SOPPA”) by setting forth an extensive list of requirements that schools must implement by July 1, 2021.

For more information, contact Tressler attorney Todd Rowe at trowe@tresslerllp.com.

The post The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA appeared first on Privacy Risk Report.

Join us for this exciting new webinar…

The Final Countdown: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline

Presented by Datamation and Tressler LLP

Thursday, March 12, 2020

10:00 AM – 11:00 AM CT

Click Here to Register!

Webinar Description

While data breaches are starting to become an accepted part of life, the public is not willing to accept breaches involving minors’ personal information. In particular, recent breaches at educational publisher Pearson and other vendors have put a priority on keeping student personal information secure. Illinois has taken the lead in privacy law by adopting the Student Online Personal Protection Act (“SOPPA”) to protect student personal information.  SOPPA is a unique privacy law in that compliance is mandatory and it places a number of objective requirements on public and private schools. This law requires Illinois schools to monitor the security measures taken by third parties entrusted with student data. This engaging presentation will address the requirements under SOPPA, including the July 1, 2021 compliance deadline.

About the Presenter: Todd Rowe, Attorney at Tressler LLP

Todd Rowe is an award-winning privacy and cyberliability attorney located in Chicago, IL. He is ready to help you meet the SOPPA deadline. Tressler LLP attorneys are known for providing responsive, friendly and cost-effective legal services. Our team can offer custom, flat-rate or project-based pricing to ensure that we meet your budget and exceed your expectations. Learn more at www.tresslerllp.com/soppa, or contact Todd at trowe@tresslerllp.com for a free consultation.

The post New Webinar on March 12: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline appeared first on Privacy Risk Report.