Online education and the responsibility to protect privacy
The COVID-19 pandemic has brought significant changes to the way children are learning. With increased uncertainty around learning models and delivery, both school boards and parents are becoming increasingly reliant on online educational tools to deliver innovative learning for children. Given that this shift shows no signs of slowing down, there has been an increase in the number of online education companies targeting school boards. Likewise, they are targeting parents who are independently supplementing their children’s education with online tools. This increased demand for educational online tools has created a competitive space for online education companies.
Understandably, school boards and parents are concerned about what personal information online tools are collecting about children and with whom they may share that information. However, in the rush to get to market, many online education companies have failed to develop a mature privacy posture, which may pose a barrier to entry into this space. Online education companies will gain a competitive advantage in this market by demonstrating privacy compliance in a creative manner that speaks to both school boards and parents.
The Legislative Landscape
Online education companies should be cognizant of school boards' privacy responsibilities to students, as that will impact whether they can engage the online platform. For instance, school boards in Ontario must comply with Ontario’s Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) to ensure online tools offered to their students have adequate privacy and security protections. Online education companies must also comply with Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). Although PIPEDA does not specifically provide prescriptive requirements on the collection, use and disclosure of children’s personal information, the privacy principles contained in the legislation, along with regulatory guidance, provide online education companies with direction on how to handle children’s personal information with particular sensitivity.
Privacy Implementation for Online Educational Tools
Online education companies hoping to either secure a contract with a school board or become a household brand will need to strategically shift the way they think about privacy. While there are a myriad of privacy considerations, the factors listed below require special attention from companies that are collecting, using and disclosing children’s personal information and that aim to be successful in doing so:
Minimum user age for the website/application;
Clear description of how children’s personal information is collected, used, and disclosed;
Disclosure of personal information, including de-identified and aggregated information, to third parties and the purpose for the disclosure;
Instructions on how an individual may request access to personal information and request deletion;
Transparency about retention of personal information;
Monetization on advertisements; and
Security measures to limit access and protect the information.
2. Consent: Various legislation, such as PIPEDA and the U.S. Children's Online Privacy Protection Act (COPPA), along with regulatory guidance, provides direction on obtaining valid consent. Children’s online education companies must obtain parental consent before collecting personal information from a child under the age of 13. For youth ages 13 to 18, companies may consider developing a meaningful consent process that considers level of maturity. Given that children may easily lie about their age, companies should consider using a stringent vetting system, such as verifying age through a parent’s phone or email. Lastly, the tool should make it very simple for users to withdraw their consent and understand the consequences of doing so.
4. Minimize the Data Collected: Child-focused online tools should be designed to require as little information about the child as possible. This “privacy by design” approach means that privacy is embedded into the design of the tool, rather than added as an afterthought. For example, apps or websites should be designed to avoid collecting personal information when an anonymous approach would work equally well. In some use cases, companies may consider removing free-text boxes to avoid collecting unnecessary information from the child, relying instead on multiple-choice questions.
5. Privacy Default Settings: Companies should ensure that user settings are defaulted to the most privacy-protected mode. For example, apps should, by default, disable use of the video camera and instead have users opt in to using it.
Where there are options to enable a less privacy-protected functionality, provide a clear just-in-time notice so that the parent or child can make an educated and informed decision. The notice should explain what information is being collected, what it is being used for and with whom it may be shared.
6. Clearly Defined Data Sharing Agreements: When school boards and parents vet children’s online tools, they look to see with whom the personal information will be shared and to what extent. A carefully crafted and outlined data sharing agreement between the online education company and its third-party vendors is imperative to define and restrict use of the personal information by the vendor. For example, restriction of advertising or location tracking should be well documented. Given the sensitive nature of the data and heightened third-party risks, companies should audit third parties to ensure they are not using the personal information for a secondary purpose not stipulated in the agreement.
7. Privacy Culture and Trust: Education companies should use privacy as a means of building public trust. Privacy can become a competitive advantage since consumers are more likely to use an online service if they are aware that privacy is at the forefront of a company’s mission and program.
A strong privacy culture may be achieved in various ways, including:
Developing privacy awareness and training for staff so that they not only understand their privacy responsibilities but also become the company’s best privacy advocates.
Engaging a privacy expert to conduct a Privacy Risk Assessment (“PRA”). Once risks have been remediated, obtain an updated PRA and voluntarily publish the results to customers. For example, a pre-published PRA would appeal to school boards as it will save them the time, effort and budget to vet the tool for privacy compliance.
Developing or adopting a privacy pledge or commitment, such as the Student Privacy Pledge, and including it on your public-facing website and marketing materials.
Given the current climate, online education companies are in a unique position to shape the future of learning and to help build an innovative educational environment that reaches children across the socio-economic spectrum. By putting privacy at the forefront of its core principles, a company can gain a competitive edge and ensure that the value placed on privacy leads to trust in its overall commitment to children’s education.
Co-written with Sharon Bauer, Lawyer and Founder of Bamboo Data Consulting