
EdTech Compliance Ostride Labs

Author:

Carl Weisman

Engineering Technical Writer and Copywriter

Carl has a multi-year engineering career behind him, covering every kind of role imaginable: design engineer, project engineer, sales engineer and systems engineer.

Regulations You Must Know About for Your EdTech SaaS

Updated 10 Jun 2022

Staying compliant when deploying an EdTech SaaS solution in a public cloud starts with understanding the regulations you need to comply with. SaaS EdTech companies face a particularly complex situation because of all the different types of data they are responsible for.

First, there is the academic data. This includes things like report cards and student numbers. Then, of course, there is each student’s personal data (e.g., phone numbers, email), health information (e.g., medical conditions, insurance), parents’ data (e.g., credit card numbers, emergency contacts), and third-party data (e.g., usernames, passwords).

No matter what branch of EdTech your SaaS addresses, you will no doubt have multiple data types and regulations to be responsible for and address. In this article, we’ll point out some of the more important ones and give some tips for addressing them.

Key Regulations

FERPA

FERPA, or the Family Educational Rights and Privacy Act, is a US federal statute requiring schools to protect the privacy of student records. The Act is not new; it’s been around since 1974, long before the development of SaaS technology.

FERPA specifies two main things. First, it defines what information educators can collect, maintain and disclose. Second, it gives parents certain rights with respect to that information, including the right to inspect, review, and correct.

The idea behind the act is to give “parents or eligible students more control over their educational records, and it prohibits educational institutions from disclosing ‘personally identifiable information in education records’ without the written consent of an eligible student, or if the student is a minor, the student’s parents.”

You must keep these requirements in mind as you build out your EdTech SaaS. And while FERPA has been around a long time, it impacts how your organization manages its IT operations.

Staying in compliance with FERPA is really just about having good security hygiene. This includes things like encrypting your data, eliminating cloud vulnerabilities, using a SIEM, and having an up-to-date security plan.

COPPA

COPPA, or the Children’s Online Privacy Protection Act, is much newer than FERPA, having become effective in 2000. COPPA “gives parents control over what information websites can collect from their kids.” In that regard, COPPA applies to all websites, not just EdTech SaaS companies.

COPPA is targeted specifically at websites serving children under 13 years of age. But it also applies to websites that have “actual knowledge they are collecting, using or disclosing personal information from children under 13.” It even applies to websites that collect information on behalf of other websites. And COPPA applies even when the information is provided voluntarily.

COPPA doesn’t just apply to websites. It generally applies to “online services.” These include things like mobile apps, IoT devices, and smart toys. So, if your EdTech SaaS doesn’t have a website, it may still have to comply with COPPA.

According to the US Federal Trade Commission, here is a six-step compliance plan for protecting children’s online privacy:

  1. Determine if your company is a website or online service that collects personal information from kids under 13.
  2. Post a privacy policy that complies with COPPA.
  3. Notify parents directly before collecting personal information from their kids.
  4. Get parents’ verifiable consent before collecting personal information from their kids.
  5. Honor parents’ ongoing rights with respect to personal information collected from their kids.
  6. Implement reasonable procedures to protect the security of kids’ personal information.

PPRA

PPRA, or Protection of Pupil Rights Amendment, is concerned with student surveys, analyses and evaluations, and all supporting material used in connection with them. The intent is to make sure these items are available for inspection by parents or guardians.

PPRA concerns the following eight protected areas:

  1. Political affiliations or beliefs of the student or the student’s parent
  2. Mental or psychological problems of the student or the student’s family
  3. Sex behavior or attitudes
  4. Illegal, anti-social, self-incriminating, or demeaning behavior
  5. Critical appraisals of other individuals with whom respondents have close family relationships
  6. Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers
  7. Religious practices, affiliations, or beliefs of the student or student’s parent
  8. Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program)

The rights under PPRA transfer from the parents to a student who is 18 years old or an emancipated minor under state law.

From a compliance standpoint, it’s best to “gather written consent from parents for federally funded surveys, allow a parent to opt a child out of non-federally funded surveys, and allow parents to opt a child out of any non-emergency physical exam administered by the institution.”

Best practices include the following:

  •       Maintain awareness of other relevant federal, state, tribal, or local laws
  •       Have policies and procedures to evaluate and approve proposed online educational services
  •       When possible, use a written contract or legal agreement
  •       Be transparent with parents and students

CIPA

CIPA, or the Children’s Internet Protection Act, was enacted by the US Congress in 2000 to protect children from “obscene or harmful content over the Internet.” Deploying an EdTech SaaS shouldn’t, by itself, create a problem under CIPA. However, the Act does impose certain requirements on schools and libraries that receive discounted Internet access rates, and your customers will expect your service to fit within them. The required Internet safety policies must address the following:

  •       Access by minors to inappropriate content on the Internet
  •       The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications
  •       Unauthorized access, including so-called “hacking” and other unlawful activities by minors online
  •       Unauthorized disclosure, use, and dissemination of personal information regarding minors
  •       Measures restricting minors’ access to materials harmful to them

The Cost of Non-compliance

Each one of these regulations comes with a penalty for non-compliance. Sometimes that penalty is a cash fine, and sometimes it’s lost future business opportunities or severe reputational damage.

For FERPA and PPRA, the penalty for non-compliance “can be withdrawal of US Department of Education funds from the institution or agency that violated the law. A third party who improperly discloses personally identifiable information from student records can be prohibited from receiving access to records at the education agency or institution for at least five years. State laws on privacy may also apply penalties.”

For COPPA, “A court can hold operators who violate the Rule liable for civil penalties of up to $46,517 per violation. The number of civil penalties the FTC seeks or a court assesses may turn on several factors, including the egregiousness of the violations, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company.”

For CIPA, “the law authorizes use of penalties available under the General Education Provisions Act, including withholding of further payments and issuance of a complaint to require compliance through a cease and desist order. Additionally, other laws, including criminal laws, provide serious penalties for providing fraudulent information or false certifications to the federal government.”

Conclusion

Deploying an EdTech SaaS solution is an effective way to bring education services to the masses, especially young children. That’s why the market is forecast to grow by over 16% per year from 2022 to 2030. But with that growth comes responsibility in the form of compliance.

In this article we covered four of the main regulations EdTech SaaS companies must adhere to: FERPA, COPPA, PPRA, and CIPA. There are certainly others, as well as local and regional regulations which must be considered on a case-by-case basis. And there are consequences to not being in compliance.

If you’re preparing to launch an EdTech SaaS startup, don’t overlook the regulatory compliance requirements. They will undoubtedly impact your SaaS architecture and the way you conduct business.
