European policymakers have come to an agreement on a far-reaching new data privacy law, one of a series of recent protections discussed in global markets that could have implications for U.S. ed-tech companies.
The Digital Services Act, which the European Commission came to terms on last month, in conjunction with another policy called the Digital Markets Act, is meant to protect online users’ rights, filter illegal and harmful content, create new transparency for platform practices, and ban targeted advertising to children.
It also bans targeted advertising toward certain categories of personal data, such as ethnicity, political views, and sexual orientation.
The regulations will be applied according to a tier system based on tech companies’ size. The larger the platform, the more obligations the company will have to meet in terms of accountability and transparency.
Although the new regulations apply to countries that belong to the European Union, ed-tech companies in the U.S. need to pay attention to them, said Linnette Attai, president of PlayWell LLC, a privacy compliance consulting company.
Many elements of the European legislation are likely to make their way into U.S. privacy policies, said Attai. There are more than 130 different existing laws in individual states affecting student data privacy. Many of those laws have taken hold since 2012, amid growing fears about the impact of districts sharing data with ed-tech companies.
On data privacy issues, there is “an undercurrent of things happening in the EU before they happen in the U.S.,” she said, and ed-tech organizations need to be attuned to those dynamics.
“If you’re aware of what’s going on, not in your backyard, you can prepare for it when it gets there,” Attai said. “If you’re not, you’re caught flat-footed, and it takes a longer time to figure out your strategy for implementation and your business.”
Another reason ed-tech companies need to pay attention to the EU policy is that the market today is global. Businesses based in the U.S. and other countries are selling products to schools and parents across borders, and when their digital tools intersect with the European regulation, they will be under pressure to comply.
“It’s critically important for technology providers to look outside of their own ecosystems,” she added.
Specifically, ed-tech companies envisioning how they will comply with the new European law should determine now if children are visiting their platforms and if they have ways to segment out that data, Attai said.
If U.S. ed-tech companies are aware of these changes and are already in compliance with existing federal and state student data privacy laws, adjusting to new legislation like the Digital Services Act should be relatively painless, Attai said.
Laws like the Children’s Online Privacy Protection Act and the Family Educational Rights and Privacy Act already prohibit operators from engaging in behavioral targeting for children under 13, and require that, without prior written parent consent, student personal information only be used for the institution’s educational purpose.
While the EU has reached political agreement concerning the Digital Services Act, it is now subject to formal approval from the European Parliament and member states. Once approved, online platforms will have 15 months to comply with the legislation, which is expected to become enforceable at the beginning of 2024.
A Global Movement on Privacy
Gabriela Zanfir-Fortuna, vice president of global policy at the Future of Privacy Forum, a Washington-based data privacy advocacy group, said she has noticed a much greater focus internationally on protecting data privacy, particularly since the EU’s passage of the General Data Protection Regulation, commonly known as GDPR, in 2018. That sweeping law set limits on companies’ collection and processing of data.
Similarly, India approved the Information Technology Rules in 2021, a policy that shares some of the same goals for content moderation and the removal of illegal online content as the EU guidelines. India’s rules also propose a digital media code of ethics, including having a labeling scheme to mark content safe for children.
India has a flourishing industry of ed-tech providers that have drawn a huge amount of outside investment. And the market has also attracted interest from foreign-based education companies, including those from the U.S., who hope to establish a foothold in its sprawling, decentralized market.
Eyes are also on Australia, as policymakers are considering new digital content rules through a measure called the Online Safety Bill. This law seeks to put new restrictions on image-based abuse, cyber abuse, and harmful content.
“It’s critically important for technology providers to look outside of their own ecosystems.”Linnette Attai, President, PlayWell LLC
According to the United Nations Conference on Trade and Development, 71 percent of countries have some form of regulation in place to secure the protection of data and privacy, and more proposals are likely to emerge in other nations over the next few years, Zanfir-Fortuna said.
“We have seen a flurry of legislation being proposed,” said Zanfir-Fortuna. Those measures create a “baseline type of regulation that applies across industries and that is very broad in application,” and they have a “very broad definition of what personal data is and a very broad definition of what processing personal data means.”
With so many different sets of regulations being approved in different countries and individual states, it’s easy for ed-tech companies to get caught up in a fragmented legal ecosystem, having to adjust their business models to adhere to differing policies.
Zanfir-Fortuna said she has seen companies seek to comply with the strictest or most detailed rules in different countries in order to keep up with all the changes.
Ed-tech providers should be “tracking these changes and understanding exactly what impact the changes will have on their business models,” although a convergence of future regulations across the board would be ideal, she said.
When the GDPR policy took effect in Europe, enforcement largely fell on regulators in individual countries, which critics say weakened the law’s power. The Digital Services Act will be enforced by the European Commission, which, as a unified body, will have more authority to regulate large online tech companies.
Such large corporations, or “gatekeepers,” defined by the legislation as providers of core platform services, will have more stringent obligations to adhere to, in comparison with smaller players in the market.
“It will be important to see exactly how the obligations to not target online ads to children will look like and who exactly will have that obligation,” Zanfir-Fortuna said. “This will definitely be something that [ed-tech companies] should pay attention to, and they should understand what this particular legal obligation means for them.”
Image by Getty.