Updated 10 Jun 2022
Staying compliant when deploying an EdTech SaaS solution in a public cloud starts with understanding the regulations you need to comply with. SaaS EdTech companies may face the most unique situation because of all the different types of data they are responsible for.
First, there is the academic data. This includes things like report cards and student numbers. Then, of course, there is each student’s personal data (e.g., phone numbers, email), health information (e.g., medical conditions, insurance), parents’ data (e.g., credit card numbers, emergency contacts), and third-party data (e.g., usernames, passwords).
No matter what branch of EdTech your SaaS addresses, you will no doubt have multiple data types and regulations to be responsible for and address. In this article, we’ll point out some of the more important ones and give some tips for addressing them.
FERPA, or the Family Educational Rights and Privacy Act, is a US federal statute requiring schools to protect the privacy of student records. The Act is not new; it’s been around since 1974, long before the development of SaaS technology.
FERPA specifies two main things. First, it defines what information educators can collect, maintain and disclose. Second, it gives parents certain rights with respect to that information, including the right to inspect, review, and correct.
The idea behind the act is to give “parents or eligible students more control over their educational records, and it prohibits educational institutions from disclosing ‘personally identifiable information in education records’ without the written consent of an eligible student, or if the student is a minor, the student’s parents.”
You must keep these requirements in mind as you build out your EdTech SaaS. And while FERPA has been around a long time, it impacts how your organization manages its IT operations.
Staying in compliance with FERPA is really just about having good security hygiene. This includes things like encrypting your data, eliminating cloud vulnerabilities, using a SIEM, and having an up-to-date security plan.
COPPA, or the Children’s Online Privacy Protection Act, is much newer than FERPA, having become effective in 2000. COPPA “gives parents control over what information websites can collect from their kids.” In that regard, COPPA applies to all websites, not just EdTech SaaS companies.
COPPA is targeted specifically to websites serving children under 13 years of age. But it also applies to websites that have “actual knowledge they are collecting, using or disclosing personal information from children under 13.” It even applies to websites that collect information for other websites. And COPPA applies even when the information collected is voluntary.
COPPA doesn’t just apply to websites. It generally applies to “online services.” These include things like mobile apps, IoT devices, and smart toys. So, if your EdTech SaaS doesn’t have a website, it may still have to comply with COPPA.
According to the US Federal Trade Commission, here is a six-step compliance plan for protecting children’s online privacy:
PPRA, or Protection of Pupil Rights Amendment, is concerned with student surveys, analyses and evaluations, and all supporting material used in connection with them. The intent is to make sure these items are available for inspection by parents or guardians.
PPRA concerns the following eight protected areas:
The rights under PPRA transfer from the parents to a student who is 18 years old or an emancipated minor under state law.
From a compliance standpoint, it’s best to “gather written consent from parents for federally funded surveys, allow a parent to opt a child out of non-federally funded surveys, and allow parents to opt a child out of any non-emergency physical exam administered by the institution.”
Best practices include the following:
CIPA, or Children’s Internet Protection Act, was enacted by the US Congress in 2000 to protect children from “obscene or harmful content over the Internet.” Deploying an EdTech SaaS shouldn’t really be a problem. However, the Act does impose certain requirements on schools and libraries that receive discounted Internet access rates. These required safety policies must address the following:
Each one of these regulations comes with a penalty for non-compliance. Sometimes that penalty is a cash fine, and sometimes it’s lost future business opportunities or severe reputational damage.
For FERPA and PPRA, the penalty for non-compliance “can be withdrawal of US Department of Education funds from the institution or agency that violated the law. A third party who improperly discloses personally identifiable information from student records can be prohibited from receiving access to records at the education agency or institution for at least five years. State laws on privacy may also apply penalties.”
For COPPA, “A court can hold operators who violate the Rule liable for civil penalties of up to $46,517 per violation. The number of civil penalties the FTC seeks or a court assesses may turn on several factors, including the egregiousness of the violations, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company.”
For CIPA, “the law authorizes use of penalties available under the General Education Provisions Act, including withholding of further payments and issuance of a complaint to require compliance through a cease and desist order. Additionally, other laws, including criminal laws, provide serious penalties for providing fraudulent information or false certifications to the federal government.”
Deploying an EdTech SaaS solution is an effective way to bring education services to the masses, especially young children. That’s why the market is forecast to grow by over 16% per year from 2022 – 2030. But with that growth comes responsibility in the form of compliance.
In this article we covered four of the main regulations EdTech SaaS companies must adhere to. They are FERPA, COPPA, PPRA, and CIPA. There are others to be sure, as well as local and regional regulations which must be considered on a case by case basis. And there are consequences to not being in compliance.
If you’re preparing to launch an EdTech SaaS startup, don’t overlook the regulatory compliance requirements. They will undoubtedly impact your SaaS architecture and the way you conduct business.
Our newsletter (you’ll love it):