Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the...
Transcript of Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the...
![Page 1: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/1.jpg)
Student Privacy Boot Camp for EdTech Companies
COPPA and FERPA
March3,2016
EmilyS.Tabatabai
NOTHINGINTHISPRESENTATIONISINTENDEDTOCONSTITUTEALEGALOPINION
![Page 2: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/2.jpg)
2
COPPA Children’s Online Privacy Protection Act
![Page 3: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/3.jpg)
3
Children’s Online Privacy Protection Act
• WhatisCOPPA?
• Children’sOnlinePrivacyProtecLonAct-Federallawenactedin1998
• LawdirectedtheFederalTradeCommission(FTC)tocreateandenforcerulesrelaLngtotheonlineprivacyofchildren’sinformaLon.TheFTC’sChildren’sOnlinePrivacyProtecLonRulewaseffecLvein2000andamendedin2012.
• EnforcementandpenalLes
• ViolaLonscancarrypenalLesupto$16,000perviolaLon.
• PenalLesalsoincludedatadestrucLon,20yearreporLngrequirements
• FTCenforcesaggressively(25publicconsentdecreessince1999)
• PenalLesrangefrom$35,000-$3,000,000
• StateA]orneysGeneralmayalsoenforcetheRule
![Page 4: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/4.jpg)
4
Who is Covered?
TheRuleappliestooperatorsofcommercialwebsitesandonlineservices(includingmobileapps)thatcollect,useordisclosepersonalinformaLonfromchildrenunder13inthefollowinginstances:
1. Thewebsiteoronlineservicesisdirectedtochildrenunder13,or
2. ThegeneralaudiencewebsiteorservicehasactualknowledgethatitiscollecLnginformaLonfromchildrenunder13.
“Directed To” “General Audience Site”
Subject matter Visual content Use of animated characters Child-oriented activities Music or audio content Age of models Child celebrities Language Advertising directed to kids Intended audience
Collect birth date Notified by child or parent also , Knowledge that operator is collecting info from kids on a site that is directed to kids (i.e. plug-ins, ad networks)
![Page 5: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/5.jpg)
5
What is Personal Data?
“PersonalInformaLon”ofchildrenunder13isdefinedverybroadlytoinclude:
• Firstandlastname
• homeaddressincludingstreetnameandnameofcity
• onlinecontactinformaLon(emailaddress,username,screenname)
• telephonenumber
• socialsecuritynumber
• persistentidenLfier(ex.cookie)thatcanbeusedtorecognizetheuseroverLme
• photograph,videooraudiofilethatcontainsthechild’simageorvoice
• geolocaLoninformaLonsufficienttoidenLfystreetnameandnameofcity
• informaLoncollectedbythirdpartywhosecontentorpluginiscollecLnginformaLonontheOperator’ssite
• anyotherinformaLonaboutthechildorthechild’sparentsthattheoperatorcombineswiththeidenLfiersdescribedabove
![Page 6: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/6.jpg)
6
What is Required?
• Postaclearandcomprehensiveonlineprivacypolicy
• Providedirectno3cetoparentsandobtainverifiableparentalconsentbeforecollecLngPIonlinefromchildren
• GiveparentsthechoiceofconsenLngtotheoperator’scollecLonanduseofachild’sPI,butprohibiLngtheoperatorfromdisclosingthatPItothirdparLes(unlessdisclosureisintegraltothesiteorservice,inwhichcase,thismustbemadecleartoparents)
• Provideparentsaccesstotheirchild'sPItoreviewand/orhavetheinformaLondeleted
• Giveparentstheopportunitytodenyorrescindconsenttousechild’sPI
• Maintaintheconfiden3ality,security,andintegrityofinforma3ontheycollectfromchildren,and
• RetainPIcollectedonlinefromachildforonlyaslongasisnecessarytofulfillthepurposeforwhichitwascollectedanddeletetheinformaLonusingreasonablemeasurestoprotectagainstitsunauthorizedaccessoruse.
![Page 7: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/7.jpg)
7
What Can I Collect Without Parental Consent?
• Mustobtainparentalconsentbeforecollec3ngpersonalinforma3onfromthechild,unlessthecollec3onfitsintooneofthelimitedexcep3onstopriorparentalconsent
• Excep3onstopriorparentalconsent
• Forpurposeofobtainingconsent-WhensolepurposeofcollecLonistoprovidenoLcetoparentandobtainparentalconsent.Maycollectname,emailaddressandemailaddressofparent.Ifconsentisnotobtained,mustdeletetheinformaLon.
• OneLmecontact-WhenoperatorcollectsonlinecontactinformaLonandnootherinformaLon,forthesolepurposeofrespondingoneLmetothechild;PIisnotusedforanyotherpurposeortore-contactthechild;PIisdeletedaierone-Lmecontact
• InternalOperaLons-WhenoperatorcollectsapersistentidenLfierandnootherinformaLonanditisusedsolelytoprovidesupportforinternaloperaLonsofthewebsite
![Page 8: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/8.jpg)
8
How Can I Get Parental Consent?
Email Plus If operator uses information only for internal purposes and will not share the information with third parties, you may use “Email Plus”
1. Send email notice to parent that provides information on the collection and use of child’s information (Rule sets forth what must be included in notice)
2. Receive parental consent (usually via reply email)
3. Follow up with confirmation email, fax, or telephone call to parent. Include parental notice information again, along with instructions on how to opt-out.
Verifiable Parental Consent If operator uses information to share with third parties or to share publicly (or facilitate a means by which the child can share publicly), you must obtain verifiable parental consent. Methods:
§ consent form to be signed by parent and returned by mail, fax, or electronic scan
§ credit or online payment transaction ($$)
§ taking phone calls through toll-free telephone number or engaging in video conference
§ checking form of government-issued ID
§ knowledge-based identification
§ consent mechanism provided by Safe Harbor provider
Operator must obtain parental consent through a means “reasonably calculated,” in light of available technology, to ensure that the person providing consent is the child’s parent.
![Page 9: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/9.jpg)
9
How Can I Avoid The Hassle and Expense?
Mostcompaniesgotogreatlengthstoavoidcollec3nginforma3onfromchildrenthatwouldtriggerCOPPAparentalconsentrequirements.
• DonotcollectpersonalinformaLon
• CollectonlypersistentidenLfiersthatwillbeusedsolelytosupportinternaloperaLons
• ImplementanAgeScreentoscreenoutkidsunder13.Ifyouhaveageneralaudiencesite(i.e.,thesiteisnotdirectedtokidsunder13),youcanblockkidsunder13fromprovidingpersonalinformaLonbyimplemenLnganAgeScreen
Neutral Age Screen
Age screen mechanism must be age-neutral and not encourage falsification
Mechanism should request user to enter age accurately (i.e., require user to freely enter day, month, and year)
Do not warn the kid that users under 13 will not be permitted to participate
Use non-specific language when user is blocked (“Sorry, you are not permitted to register at this time)
Use cookie to prevent back-buttoning to try again
![Page 10: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/10.jpg)
10
COPPA and Schools
Ifanoperatorisofferinganonlineprogramsolelyforthebenefitofstudentsandtheschool,theschoolcanactastheparent’sagentandcanconsenttothecollec3onofkids’informa3onontheparent’sbehalf
• SchoolcanconsenttothecollecLonofchildren’sinformaLonsolelyforeducaLonalpurposes,andnoothercommercialpurpose
— i.e.,operatorcannotusechildren’sdataforotherpurpose,likemarkeLng,adverLsing,sharingwithotherparLesunrelatedtotheeducaLonalcontext.IfOperatorwantstousestudentdataforothercommercialpurpose,mustgetparentalconsent
• OperatormustprovideschoolwithCOPPAnoLces,andprovide(onrequest)adescripLonofPIcollected,anopportunitytoreview/deletethechild’sPI,andopt-outoffurthercollecLon
• Preferconsenttocomefromtheschoolordistrict,ratherthanteacher.SchoolshouldhavecontractwithOperator
• Mustdeletechildren’sPIonceinformaLonisnolongerneededforeducaLonalpurpose
• BestpracLce:SchoolshouldprovideparentswithnoLceofoperatorswhocollectandusechildren’sinformaLon(AcceptableUsePoliciesforInternetUse)
• ExamplesofOperatorswhomaypresumeconsentfromSchools:homeworkhelplines,educaLonmodules,researchtools,web-basedtesLngservices
![Page 11: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/11.jpg)
11
COPPA Safe Harbor Programs
• Rule created “Safe Harbor” program whereby an Operator is deemed to be in compliance with COPPA if it adheres to a set of self-regulatory guidelines approved by the FTC. To be approved by the FTC, the guidelines must be at least as restrictive as COPPA.
• Most are merely self-regulatory compliance programs, which are overseen and audited by the organization. PRIVO, Imperium (ChildGuard Online), and Aristotle (Integrity System) have parental consent tools as well.
• TRUSTe consent decree (November 2014) found that TRUSTe did not adequately maintain its oversight function and misled consumers as to the strength of its program.
Approved Safe Harbor Programs (as of 12/2015)
• CARU
• ESRB
• Privo
• TRUSTe
• Aristotle International, Inc. (“Integrity”)
• kidSafe
• Imperium (“ChildGuard Online”)
• iKeepSafe
![Page 12: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/12.jpg)
12
Resources
• ReadtheRuleh]p://www.ecfr.gov/cgi-bin/text-idx?SID=4939e77c77a1a1a08c1cbf905fc4b409&node=16:1.0.1.3.36&rgn=div5
• ReadtheFAQs(lastrevisedMarch20,2015)h]p://www.business.ic.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-QuesLons#GeneralQuesLons
• FTC6-StepCompliancePlanforYourBusinessh]p://www.business.ic.gov/documents/bus84-childrens-online-privacy-protecLon-rule-six-step-compliance-plan-your-business
• BrowsetheFTCwebsitesecLononchildren'sprivacy
![Page 13: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/13.jpg)
13
FERPA Family Educational Rights and Privacy Act
![Page 14: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/14.jpg)
14
Family Educational Rights and Privacy Act
WhatisFERPA?
• FederallawthatappliestoeducaLonalinsLtuLonsthatacceptpublicfunds
• Prohibitsaschoolfromdisclosingpersonallyiden3fiableinforma3onfromastudent’seduca3onalrecordtoathirdpartywithoutconsentfromtheparent.ThereareseveralexcepLons,however.
• ProvidesparentstherighttoinspectandcorrecttheinformaLoncontainedinthestudentrecord
• Rightstransfertothestudentwhenthestudentturns18orentersHigherEdatanyage.
Enforcement
• FERPAisenforcedbytheDepartmentofEducaLon.Schoolisresponsiblefor(andliablefor)complianceofitsvendorsandserviceproviders.
• Issueacomplaint,ceaseanddesistorder,withholdfurtherfundingfromDept.
• SeeksvoluntarycompliancebeforeimposingsancLons
![Page 15: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/15.jpg)
15
What Type of Data Does FERPA Protect?
“Educa3onalRecords”–RecordsthataredirectlyrelatedtoastudentandaremaintainedbyaneducaLonalagencyorinsLtuLonorbyapartyacLngfortheeducaLonalagencyorinsLtuLon
“PersonalInforma3on”–directiden3fiers(suchasastudent’sorfamilymember’sname)andindirectiden3fiers(suchasdateofbirth,mother’smaidenname)
• ExcepLons:
• De-idenLfiedData–De-idenLfieddataisdatawhichhasbeenstrippedofalldirectidenLfiersaswellasindirectidenLfiersthatmayincombinaLonidenLfyaparLcularindividual,maybesharedwiththirdparLeswithoutconsent
• Metadata–MetadataiscontextualortransacLonaldata(ex.dataabouthowlongastudenttookforaparLcularacLvity,whentheacLvitywascompleted,etc.)thathasbeenstrippedofalldirectandindirectidenLfiersisnotcoveredbyFERPA
• (ThesedatapointscouldsLllbePersonalInformaLonifareasonablepersoninthecommunitycouldidenLfytheindividualstudentwiththisdataincombinaLonwithreadilyavailablepublicinformaLon).
![Page 16: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/16.jpg)
16
When is consent not required for disclosure?
AneducaLonalagencyorinsLtuLonmaydisclosepersonallyidenLfiableinformaLonfromtheeducaLonalrecordwithoutconsentinlimitedcircumstances,including:
• ToaSchoolOfficialwithalegiLmateeducaLonalinterest
• TofederalorstateeducaLonalauthorityinconnecLonwithauditandevaluaLonoffederallysupportededucaLonprogram
• ToarepresentaLveoftheA]orneyGeneralforlawenforcementpurposes
• InconnecLonwithastudent’sapplicaLonforfinancialaid
• Persondesignatedinafederalgrandjurysubpoenaorothersubpoena
• AccrediLngorganizaLonscarryingoutaccrediLngfuncLons
• OrganizaLonsconducLngstudiesforpurposesofdeveloping,validaLng,administeringpredicLvetests,administeringstudentaidprograms,improvinginstrucLon
• DirectoryinformaLonnotsubjecttothesedisclosurelimitaLons,aslongasstudentcanopt-out
![Page 17: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/17.jpg)
17
Directory Information
• “DirectoryInformaLon”–informaLoncontainedintheeducaLonalrecordthatwouldnotgenerallybeharmfulifdisclosed,includingstudentnameandaddress.
• Usually,directoryinformaLonincludesname,telephonenumber,dateandplaceofbirth,honorsandawards,clubsandsports,datesofa]endance
• Schoolshouldestablishwhichelementsareconsidered“directoryinformaLon”andnoLfyparentsthatthisinformaLonmaybesharedpublicly.Parentsusuallyhavetherighttoopt-outofthesharingofdirectoryinformaLon
àBecauseparentshavetheabilitytoopt-outofDirectoryInformaLondisclosures,thismakesitdifficultforEdTechproviderstorelyonDirectoryInformaLontosupplynecessarystudentdata
![Page 18: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/18.jpg)
18
To Be a “School Official”
Schoolsusuallysharedatawithavendor/providerunderthe“SchoolOfficial”excep3ontoFERPA.Underthisexcep3on,SchoolsmaysharePIIfromtheeduca3onalrecordwithoutparentconsentaslongastheprovider:
• PerformsaserviceorfuncLonforwhichtheschoolwouldotherwiseuseitsownemployees(i.e.,actsasaoutsourcedserviceprovider)
• IsunderthedirectcontroloftheschoolwithregardtothecollecLonanduseofdata
• Usesdataonlyforauthorizedpurposesanddoesnotre-disclosePIIfromeducaLonalrecordtootherparLesunlesswithconsentofSchoolorpermi]edbyFERPA
• TIP:TheserestricLons(i.e.,DirectControl;authorizeduse;andprohibiLonagainstre-disclosure)shouldbeestablishedinthecontractbetweentheschoolandtheprovider.SomeLmes,thesecanbeestablishedintheonlineTermsofService(TOS)
• Seeslideon“Tip:ElementstoIncludeinaContract”atendofpresentaLon
![Page 19: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/19.jpg)
19
Obligations of EdTech vendors
• Remember,whenPersonalInformaLonisdisclosedtotheEdTechvendor,FERPAsLllgovernsitsuse!AndtheSchoolisincontrolof,andresponsiblefor,itsprotecLon.
• EdTechvendormust:
• RequestonlythepersonalinformaLonrequiredforaparLculartask
• NotusepersonalinformaLonforpurposesotherthanthosedisclosedinthecontractwiththeschool
• NotdisclosestudentdatatoathirdpartywithoutdirecLonfromandconsentofschool
• Maintainappropriatephysical,technicalandadministraLvesafeguardstoprotectstudentpersonalinformaLon
• CreateandmaintaincomprehensivesecurityincidentresponsepolicyandplantonoLfyintheeventofabreach
• DestroypersonalinformaLonattheendofthecontractterm
![Page 20: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/20.jpg)
20
FERPA Resources
FERPARegula3ons,hWps://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf
FinalRegula3ons,withcomments,publishedbyDepartmentofEduca3on,hWp://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf
PrivacyTechnicalAssistanceCenter:
• Protec3ngStudentPrivacyWhileUsingOnlineEduca3onalServices:RequirementsandBestPrac3ces,hWps://tech.ed.gov/wp-content/uploads/2014/09/Student-Privacy-and-Online-Educa3onal-Services-February-2014.pdf
• Responsibili3esofThirdPartyServiceProvidersUnderFERPA,hWp://ptac.ed.gov/sites/default/files/Vendor%20FAQ.pdf
• ModelTermsofService,hWp://ptac.ed.gov/sites/default/files/TOS_Guidance_Jan%202015_0.pdf
![Page 21: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/21.jpg)
21
Other Rules that May Apply
• Protec3onofPupilRightsAmendment(PPRA)–(amongotherthings)requiresschooltoprovidenoLceandopt-outrightstoparentsifstudentsaregoingtoparLcipateinanacLvityinvolvingthecollecLon,disclosure,oruseofPIcollectedfromstudentsandthatwillbeusedformarkeLngpurposes(appliesonlytoK-12insLtuLons)
• EuropeanDataProtec3onDirec3ve–Generally,thesameEUdataprotecLonlawappliestostudentdataaswell,andmaybemorerestricLve
• BreakingNews:US-EUSafeHarbordeemedinvalidonOct6,2015
• AwaiLngdetailsonUS-EUPrivacyShield
![Page 22: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/22.jpg)
22
TIP: Elements to Include in Contract
Toqualifytoreceivestudentrecordsunderthe“SchoolOfficial”excep3on,theserviceprovidershouldagreetocertaincontractualprovisions.ProvisionsalsorequiredunderStateLaws.
• EstablishthattheSchool“owns”thedataandvendorwilluseitonlyaccordingtotermsofthecontractandforthepurposetobenefittheSchool
• WhatdataelementswillbecollectedorreceivedfromtheSchool
• Howdatawillbeusedbythevendor(explicituse)
• RestricLonsagainstabilitytoshare/re-disclosedatatothirdparLes,unlessspecificallyconsentedtointheagreement
• RestricLonsagainstusingdataformarkeLng,includingbehavioraltargeLng,orprofile-building
• Caveatthatvendormayusede-idenLfieddata,metadataordatathatissharedunder“directoryinformaLon”excepLonforitsownpurposes,includingtosharewiththirdparLes
• DataretenLonanddestrucLonpolicy
• Datasecurityprovisions,includingeachparty’sresponsibiliLesintheeventofadatabreach
TIP:ManySchoolsareunder-staffedandlacklegalcounsel,andSchoolrepresenta3veslooktotheServiceProvidertoconfirmcompliancewithFERPA,COPPAandstatelaws
![Page 23: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/23.jpg)
23
Emily S. Tabatabai Emily S. Tabatabai is a founding member of Orrick’s Cybersecurity and Data Privacy team, which is nationally ranked by the Legal 500 US. As a Certified Information Privacy Professional in both European and US law (CIPP/EU, CIPP/US), she counsels companies on all matters of data privacy and consumer protection law, with a special focus on retail products, EdTech, online dating and social media, mobile and online gaming, and all manner of entrepreneurial start-up endeavors. Emily works with clients to evaluate compliance with multi-national laws, regulations, and best practices, and represents companies subject to regulatory investigations or litigation involving a spectrum of federal and state laws.
blogs.orrick.com/TrustAnchor
@EmilyTabatabai
![Page 24: Student Privacy Boot Camp for EdTech Companies · • Rights transfer to the student when the student turns 18 or enters Higher Ed at any age. Enforcement • FERPA is enforced by](https://reader033.fdocuments.in/reader033/viewer/2022042804/5f598bfebc41a4425b42b6f1/html5/thumbnails/24.jpg)
Orrick, Herrington & Sutcliffe LLP | October 2015