The Top Five Legal Issues for Edtech Startups and Schools

Data Privacy

The Top Five Legal Issues for Edtech Startups and Schools

By Matthew Johnson     Apr 16, 2016

The Top Five Legal Issues for Edtech Startups and Schools

As an attorney who focuses on legal issues relevant to the education sector, I’m often asked about some of the key legal issues in the space—especially for emerging companies who have to be strategic about allocating their time and resources.

There’s no one issue that tops the others, but in the meantime, here are my top five. And schools or district administrators—while this list is mainly directed at companies (and investors evaluating companies) you are oftentimes involved in or affected by them, as well.

1. Data Privacy

This one is probably obvious if you have been following EdSurge over the past couple years. But knowing that an issue is receiving a lot of attention—and then actually addressing it—are two different efforts that don’t always happen in tandem. Unfortunately, in my experience, too many emerging edtech companies are not addressing the issues—or they think they are, but aren’t taking strong enough action. Whenever I ask an audience whether their companies have privacy policies, almost everyone raises their hands. But when I next ask whether that privacy policy was borrowed (meaning cut-and-pasted) from another source, most hands stay up.

Simply “having” a privacy policy is not very helpful if that policy does not reflect your actual practices, or if that policy does not meet the legal requirements that are relevant to your business.

This is especially important today, when the legal requirements related to how you collect, use, or disclose student information are rapidly changing. Since the beginning of 2014, nearly two-thirds of states have passed new student privacy laws. And many of them, such as California’s Student Online Personal Information Protection Act (“SOPIPA”), will have a significant impact on the privacy practices of edtech companies (and create significant risks for failing to comply).

Ensuring that both your privacy policies and privacy practices comply with these new laws (in addition to the usual suspects of FERPA, COPPA, and HIPPA) needs to be an ongoing effort. You should assess where you stand and adapt to changing circumstances at least annually. At a time when data privacy has become a gating item for many schools (i.e. customers), companies that use their compliance as a marketing tool will have an advantage.

2. Data Security

It is common to lump data privacy and data security together—but they are not the same. Data privacy and data security are distinct issues with different risks and solutions. Think of data privacy as addressing issues related to your company’s intentional use data (such as what you collect, how you use it, and who you share it with). Think of data security as what your company does to prevent unintentional access to personal data (and how it responds to a possible breach).

Does your company have a comprehensive written data security plan that addresses technical, physical, and administrative issues? Do you monitor how that plan aligns with practice? Do you have a breach response plan? If not, you need to make these a priority. It will take some effort, because these plans are not “one-size-fits-all.” A good starting point is to become familiar with the industry resources provided by the National Institute of Standards and Technology—but make sure you consult with a professional. This is an area where being proactive will save you in the long term.

Having inadequate data security can be a legal problem, a contractual problem, and also a customer relations problem. Many edtech companies have access to sensitive data, sometimes regarding children, so it is no surprise that the cost to remediate a breach in this space is expensive. According to a 2015 Ponemon Institute study, the average cost to remediate a breach in the education industry is $300 per affected record (second only to healthcare worldwide).

You may think that formal plans are unnecessary for a small company, but they are critical. Your ability to respond strategically to data security issues will (1) reduce the likelihood of a breach and (2) help your company respond appropriately and confidently in a potential breach.

3. Accessibility for Users with Disabilities

Under the Americans with Disabilities Act of 1990 (“ADA”), schools, both public and private, are required to take appropriate steps to ensure that technology offered in the classroom is accessible to students with physical and mental disabilities. The law isn’t prescriptive. Districts may use inaccessible technology so long as they also provide alternatives that are comparable. But, if your company prides itself on addressing a unique issue (or doing it better than anyone else) how can a school provide a comparable alternative? It would be, at best, a challenge. And you don’t want to make doing business with you challenging for your customers!

Edtech companies may also face increased direct scrutiny for ADA compliance. Take MOOC provider edX: in May 2015, edX voluntarily settled with the U.S. Department of Justice (“DOJ”), who had claimed that the provisions of the ADA applied directly to edX as a “place of education.” Most notably, DOJ claimed that edX’s website, as well the MOOCs offered on the company’s platform were not fully accessible to deaf or hearing impaired students and also not fully accessible to blind or low vision students.

The legal specifics behind DOJ’s claims against edX are complicated and may not apply to all types of companies. But, companies that provide online learning content (whether for-profit or nonprofit, for a fee or for free) or that even enable the distribution of such content should be aware of DOJ’s interpretation of the law and be proactive. Closely analyze your compliance with the Web Content Accessibility Guidelines 2.0 (WCAG), and solicit and respond to user feedback.

As with so many things, considering these issues at an early stage is almost always less expensive long term versus having to make changes later.

4. Intellectual Property

I’m not an Intellectual Property (IP) attorney, but I can tell you this, companies: if you haven’t already, you should talk to a good IP attorney as soon as you can. IP is a broad term that covers, among other things, trademarks, copyrights, and patents. Under U.S. law, you can gain protections for IP in certain circumstances that protect your inventions, works, and logos. These can be beneficial when they protect your IP, but can also be used against you by others.

Consider potential IP weaknesses. For example, could a former employer cause you problems by claiming that an app belongs to them, even though you started to design it in your free time while working for the employer? Think strategically about what to patent—and whether you need to patent anything or not. In this day and age, not all patents are created equal, and some are more valuable than others; invest some time upfront to figure out which are which.

5. The Fundamental Issues

Remember that you still need to address the fundamental legal issues facing all emerging companies:

  • Is your corporate structure as advantageous as possible? For example, did you fully analyze the benefits or drawbacks of being a corporation or limited liability company?
  • Were you strategic about your state of incorporation?
  • Do you have a written founders’ agreement and did you issue stock to your founders? Do you have an optimal vesting schedule?
  • Does the company own all of the relevant IP, or are you licensing it from a founder?
  • Do you have a template client agreement that will be acceptable to clients while providing your company with adequate protection (for example, limiting liability or providing for convenient dispute resolution)?

Take the fundamentals seriously, as investors certainly do. Hopefully, you can answer “yes” to all (or most) of these questions. And if not, it isn’t too late to get started. Find a good attorney who can help you get squared away on these issues - the earlier you tackle them, the less painful they will be to resolve.

This list is only a start, as we didn’t even touch on difficult issues that some companies face like the school district procurement processes. But, hopefully, this reference gives you some ideas for prioritizing your resources.

Matthew Johnson (@CooleyLLP) is an attorney in Cooley's Education and Education Technology practice groups and is based in Cooley’s Washington, DC office. His practice primarily focuses on assisting education technology companies and education institutions regarding a variety of regulatory issues including state and federal student privacy and data security laws relevant at the K-12 and postsecondary levels.

Learn more about EdSurge operations, ethics and policies here. Learn more about EdSurge supporters here.

More from EdSurge

Get our email newsletterSign me up
Keep up to date with our email newsletterSign me up