This Sunday is Data Privacy Day., so I thought I would list some of the more “interesting” interpretations I have heard (and read) about COPPA, FERPA and how schools approve educational services.
I eventually plan to write up an annotated version of this list, so if you have additions, please tweet them to me @jsiegl
Laws and Consent: COPPA, FERPA et al.
- If a vendor says they are “FERPA compliant”, that means something,
- A vendor can designate themselves as a “school official” by saying so in their terms.
- If an online services requests “only” directory information to sign up, it is OK for schools to sign students up, or have them sign up.
- If it involves student health information, you have to comply with HIPAA,
- COPPA covers information collected about children under 13,
- If the student is 13 or over, as a teacher, I don’t need to get parental consent,
- “COPPA compliant” means the information is kept private,
- As a vendor, you can comply with COPPA if you just say “this site is not for children, if you are under 13 you may not access this site” , regardless of anything else,
- It is a valid COPPA workaround for a vendor, in their terms, to tell a teacher that to comply with COPPA, for them to sign up the student, or create an account using their email address,
- Vendors can say in their Terms of Service that schools are responsible for complying with COPPA.
- “In Loco Parentis” means schools/teachers can consent to students use of any online services on parent’s behalf,
- I only have to get permission if I am creating student accounts/the student is logging in,
- Vendors can delegate collecting and managing parental permission to schools even if the school is not “contracting with the vendor to perform an educational purpose”,
- Research (e.g. Teachers Action Research, or a University or vendor’s study) falls under the audit/evaluation exception.
- If it is in the vendor’s policy/terms, then it must be true,
- Not private by default is fine, because students and teachers can just change it to be private,
- A tool that only offers the option of public posting is OK as long as you get permission, (“privacy as a premium”)
- Related-A tool that only offers the option of public posting is OK as long as long as students are over 13…., (“privacy as a premium”)
Security and Confidentiality
- It does not matter if a password protected site is secure if it does not collect any sensitive data.
- If the site uses https, it means the product is secure,
- “Security by obscurity” is security,
- Student IDs are not confidential, so are a good choice for student usernames/email addresses,
- Student IDs are not confidential, and can be used to pay for lunches or to post grades,
- Anonymized and Aggregated data are the same thing,
- Anonymous and Pseudonymous are the same thing,
- Related-Creating Pseudonymous accounts (e.g. usernames that do not have the student’s full name or ID) is a valid “workaround” to avoid the challenges of complying with FERPA or COPPA,
3rd Party Data Collection and Signon
- Ad networks and data brokers are same thing,
- Related-Ad networks sell or trade user data
- Ad networks and analytics are same thing,
- Social Login, (that “Login with X” button e.g. twitter, O365, Google Facebook etc.) means you are just logging in and not really creating an account on the site,
- Related-“Login with X” means that you are “just” creating an account,
Happy Data Privacy Day