Policy

COPPA Best Practices: Advice for Schools on Staying on the Right Side of the Law

By Tina Nazerian     May 9, 2018

COPPA Best Practices: Advice for Schools on Staying on the Right Side of the Law

It’s not just edtech companies and app developers who have to think about complying with COPPA, the Children’s Online Privacy Protection Act, which was designed to protect the privacy of kids under 13 years of age. School districts and schools bear part of the responsibility as well—and navigating the federal law can be tricky.

Justin Bathon, a lawyer and associate professor in the Department of Educational Leadership Studies at the University of Kentucky, says that because of this complexity, school district attorneys have an inclination to not use technology. That puts schools and school administrators in a difficult position, because they want to prepare kids for the 21st century with the necessary digital skills.

For schools that use technology, here is some advice from Bathon and two school district professionals on best practices for keeping student data safe.

Transparency

Amy Liang, the director of instructional technology at Cupertino Union School District in Calif., tells EdSurge that school districts should be thorough about their process for selecting and using apps. She adds that if schools have the opportunity to speak with app developers during contract negotiations, they should do their best to ensure apps are COPPA compliant.

“We go back and forth with the developers to make sure we are in agreement with the language on the contract, which often takes a few iterations,” Liang explains. For guidance on these and other matters, her district works with the California Student Privacy Alliance and their student data privacy agreement, a template document districts can use as a contract with providers. “The agreement is very robust and provides a good launching point for conversation.”

In addition to seeking transparency with vendors, Liang advocates that schools demonstrate transparency themselves. She says some edtech tools require verifiable parental consent, and that although school districts sometimes have the opportunity to give that consent on behalf of the parents, they should continue to do their due diligence as often as possible.

“I think it’s really important to make sure that you continue to get consent, or at the very least be very transparent and communicate with your community around what apps you’re using,” Liang says, so that parents and other stakeholders have an opportunity, to review privacy policies as well.

At Cupertino, each school in the district must send home a consent letter that lists the apps in use, and a link to their privacy policies and terms of service. The parents and guardians sign the letter electronically.

While Liang’s district does circumvent the parental consent process for tools where a student data privacy agreement between the provider and the district is already in place, parents are still given a choice to opt out, she says.

Bathon adds another way schools can be transparent: by keeping a “tight front-end management” system that lets technology staff see which apps are being put on devices, and remove any that aren’t approved.

Seek Outside Help

Rob Landers, the director of technology at the School District of Washington in Missouri, thinks school districts should get guidance from vendors “outside of the regular education environment” that have the “resources, time and expertise” to look at the privacy policies and terms of service of apps. He points to his own district, which uses Education Framework, a tool that reports on how various edtech products use student data, to help them review and manage the app approval process.

Landers also recommends that schools “seek advice and guidance from other schools who are farther along in the process,” adding that he doesn’t think average- and small-sized school districts are “likely to have the manpower or resources needed to fully vet” all the apps, extensions and web 2.0 tools teachers want to use in their classrooms.

When seeking advice from other districts, Landers suggests asking what the district is doing about data privacy and approving apps that teachers are using.

“And then just listen and take notes,” explains Landers, noting that when he first started in his role, he asked that question to all the technology directors in his area and at state and regional conferences.

“We took all of that information from their responses, combined it with our own research and even partnered with another area district, Mehlville R-9, to develop the plan that we now have in place,” he writes. “Since then, I’ve taken calls from other districts in Missouri, and in other states, looking for a place to start with their process and I’m always happy to share what we’re doing.”

As far as attorneys go, Landers tells EdSurge that in most cases it’s too expensive to have attorneys review privacy policies and terms of service for every app teachers ask to use. He clarifies that if a school were to have an attorney review these policies, then it would “want one that specializes in data privacy legislation, and not necessarily focused on school law.”

“Data privacy laws are changing so rapidly, both due to new legislation and precedents set on existing legislation, that it takes an attorney who is focused solely on these matters to really understand the implications of clicking that ‘I have read and understand’ button on these apps and websites,” he adds.

Bathon argues for a “consortium-type approach” to get legal expertise and points to what he’s seen in Kentucky as an example.

“We rely on our state department of education’s technology staff to help give guidance to local school districts,” Bathon says.

A ‘Top-Down’ Approach

In addition to transparency and getting outside help, schools and districts should also think about how they structure the app approval process. Landers says when his district first began its 1:1 device program five years ago, teachers were in charge of which edtech apps and tools were used in their classrooms.

“Initially it was kind of a free for all, the wild, wild west,” he says. “If it’s free, hey use it.”

In 2017, however, the district adopted a new approach where teachers submit apps for approval and district administrators and technology staff decide whether to whitelist, or approve, their use based on a careful review of the terms of service.

Landers says some teachers are upset about that change, but notes that it took “a lot of time off their hands” and “a lot of stuff off their plate,” given that they were no longer responsible for vetting new tools.

“We believe that student data safety is a district level initiative, it’s not a classroom level initiative,” he explains.

Bathon says from a legal standpoint, he “must advocate” for a top-down approach, and from what he’s seen personally, he says school districts are moving more in that direction. However, he cautions that this approach means teachers will have to think even further ahead to the tools they need for their lessons. In that sense, it limits their ability to modify their curriculums in “real time”—if a student shows them a new app, the teacher can’t immediately use it in a class project.

“You might have a three month approval cycle before you could use that app with the classroom,” Bathon says. “It really hampers innovation, but I think that it might be a necessary restriction given the complex world of data privacy and the number of sites out there that are seeking to gain more information about these kids.”

Policy

COPPA Best Practices: Advice for Schools on Staying on the Right Side of the Law

By Tina Nazerian     May 9, 2018

COPPA Best Practices: Advice for Schools on Staying on the Right Side of the Law

It’s not just edtech companies and app developers who have to think about complying with COPPA, the Children’s Online Privacy Protection Act, which was designed to protect the privacy of kids under 13 years of age. School districts and schools bear part of the responsibility as well—and navigating the federal law can be tricky.

Justin Bathon, a lawyer and associate professor in the Department of Educational Leadership Studies at the University of Kentucky, says that because of this complexity, school district attorneys have an inclination to not use technology. That puts schools and school administrators in a difficult position, because they want to prepare kids for the 21st century with the necessary digital skills.

For schools that use technology, here is some advice from Bathon and two school district professionals on best practices for keeping student data safe.

Transparency

Amy Liang, the director of instructional technology at Cupertino Union School District in Calif., tells EdSurge that school districts should be thorough about their process for selecting and using apps. She adds that if schools have the opportunity to speak with app developers during contract negotiations, they should do their best to ensure apps are COPPA compliant.

“We go back and forth with the developers to make sure we are in agreement with the language on the contract, which often takes a few iterations,” Liang explains. For guidance on these and other matters, her district works with the California Student Privacy Alliance and their student data privacy agreement, a template document districts can use as a contract with providers. “The agreement is very robust and provides a good launching point for conversation.”

In addition to seeking transparency with vendors, Liang advocates that schools demonstrate transparency themselves. She says some edtech tools require verifiable parental consent, and that although school districts sometimes have the opportunity to give that consent on behalf of the parents, they should continue to do their due diligence as often as possible.

“I think it’s really important to make sure that you continue to get consent, or at the very least be very transparent and communicate with your community around what apps you’re using,” Liang says, so that parents and other stakeholders have an opportunity, to review privacy policies as well.

At Cupertino, each school in the district must send home a consent letter that lists the apps in use, and a link to their privacy policies and terms of service. The parents and guardians sign the letter electronically.

While Liang’s district does circumvent the parental consent process for tools where a student data privacy agreement between the provider and the district is already in place, parents are still given a choice to opt out, she says.

Bathon adds another way schools can be transparent: by keeping a “tight front-end management” system that lets technology staff see which apps are being put on devices, and remove any that aren’t approved.

Seek Outside Help

Rob Landers, the director of technology at the School District of Washington in Missouri, thinks school districts should get guidance from vendors “outside of the regular education environment” that have the “resources, time and expertise” to look at the privacy policies and terms of service of apps. He points to his own district, which uses Education Framework, a tool that reports on how various edtech products use student data, to help them review and manage the app approval process.

Landers also recommends that schools “seek advice and guidance from other schools who are farther along in the process,” adding that he doesn’t think average- and small-sized school districts are “likely to have the manpower or resources needed to fully vet” all the apps, extensions and web 2.0 tools teachers want to use in their classrooms.

When seeking advice from other districts, Landers suggests asking what the district is doing about data privacy and approving apps that teachers are using.

“And then just listen and take notes,” explains Landers, noting that when he first started in his role, he asked that question to all the technology directors in his area and at state and regional conferences.

“We took all of that information from their responses, combined it with our own research and even partnered with another area district, Mehlville R-9, to develop the plan that we now have in place,” he writes. “Since then, I’ve taken calls from other districts in Missouri, and in other states, looking for a place to start with their process and I’m always happy to share what we’re doing.”

As far as attorneys go, Landers tells EdSurge that in most cases it’s too expensive to have attorneys review privacy policies and terms of service for every app teachers ask to use. He clarifies that if a school were to have an attorney review these policies, then it would “want one that specializes in data privacy legislation, and not necessarily focused on school law.”

“Data privacy laws are changing so rapidly, both due to new legislation and precedents set on existing legislation, that it takes an attorney who is focused solely on these matters to really understand the implications of clicking that ‘I have read and understand’ button on these apps and websites,” he adds.

Bathon argues for a “consortium-type approach” to get legal expertise and points to what he’s seen in Kentucky as an example.

“We rely on our state department of education’s technology staff to help give guidance to local school districts,” Bathon says.

A ‘Top-Down’ Approach

In addition to transparency and getting outside help, schools and districts should also think about how they structure the app approval process. Landers says when his district first began its 1:1 device program five years ago, teachers were in charge of which edtech apps and tools were used in their classrooms.

“Initially it was kind of a free for all, the wild, wild west,” he says. “If it’s free, hey use it.”

In 2017, however, the district adopted a new approach where teachers submit apps for approval and district administrators and technology staff decide whether to whitelist, or approve, their use based on a careful review of the terms of service.

Landers says some teachers are upset about that change, but notes that it took “a lot of time off their hands” and “a lot of stuff off their plate,” given that they were no longer responsible for vetting new tools.

“We believe that student data safety is a district level initiative, it’s not a classroom level initiative,” he explains.

Bathon says from a legal standpoint, he “must advocate” for a top-down approach, and from what he’s seen personally, he says school districts are moving more in that direction. However, he cautions that this approach means teachers will have to think even further ahead to the tools they need for their lessons. In that sense, it limits their ability to modify their curriculums in “real time”—if a student shows them a new app, the teacher can’t immediately use it in a class project.

“You might have a three month approval cycle before you could use that app with the classroom,” Bathon says. “It really hampers innovation, but I think that it might be a necessary restriction given the complex world of data privacy and the number of sites out there that are seeking to gain more information about these kids.”

Next In Policy

STAY UP TO DATE ON EDTECH
News, research, and opportunities - sent weekly.
STAY UP TO DATE ON EDTECH
News, research, and opportunities - sent weekly.