Ed-tech providers to districts in New York state, as well as the districts themselves, must comply with recently updated data privacy and security regulations arising from a state education law that was originally enacted in 2014.
The updated regulations, approved by the state’s Board of Regents last month, include several changes that went into effect Jan. 29. Among them:
- Ed-tech companies are required to include in their contracts with education agencies a data security and privacy plan that the districts find acceptable;
- Schools must now include new information in their annual data privacy and security awareness training for anyone who handles personally identifiable information;
- All education agencies must follow the National Institute of Standards and Technology Cybersecurity Framework as their standard for data security and privacy;
- The further definition of “contracts” now includes click-wrap agreements, under which “a user must agree to terms and conditions prior to using the product or service;”
- Schools and districts have until July 1, 2020 to adopt and publish new privacy and security policies reflecting the regulations.
As districts revise their existing policies, “it remains to be seen how that’s going to impact ed-tech companies,” said Sara Kloek, the Software & Information Industry Association’s director of education policy. She advised that ed-tech companies “make sure they are working alongside their customers” so that they understand what changes to expect beginning this summer.
When data breaches occur, third-party contractors must notify educational agencies no more than seven calendar days after the discovery of the breach or unauthorized release, the regulations indicate.
Companies that fail to comply with the requirements in the law could be subject to civil penalties of up to $250,000 if they are found to be in violation, said Kloek, who recently blogged about the changes.
Since 2013, 44 states and the District of Columbia have enacted new laws related to student data privacy, according to Taryn Hochleitner, a senior associate at the Data Quality Campaign, and all states have at least introduced such legislation.
When California passed its Student Online Personal Information Protection Act, or SOPIPA, in 2014, many states took provisions from that legislation and used similar language in theirs, Hochleitner said. New York’s law, however, was passed before California’s.
“It’s a broader bill,” she said, one that included more transparency around defining what data was being collected and, for the first time, created the role of chief privacy officer for the state.
The new regulations in New York also added more information about what “commercial or marketing purpose” means under the law. It’s defined as “the sale of student data; or its use or disclosure for purposes of receiving remuneration, whether directly or indirectly; the use of student data for advertising purposes, or to develop, improve or market products or services to students.”