November 9, 2021 Ask an attorney - SOPPA

 ASK AN ATTORNEY

Franczek P.C.: Dana Fattore Crumley & Kendra Yoch


What Do Special Education Leaders Need to Know about SOPPA?

Amendments to the Student Online Personal Protection Act (SOPPA) went into effect on July 1, 2021. SOPPA regulates the sharing of student data with K-12 education technology vendors. Your district likely has a technology or business official who is responsible for ensuring compliance, so why should special educators worry about the new requirements? Because special educators are creative and always looking for new tools to help their students. If we’re not careful, teachers and IEP teams can get out ahead of the district’s compliance efforts.

What do I need to know about SOPPA?

SOPPA imposes various prohibitions and responsibilities on vendors who provide websites, online services, and online or mobile applications that are used primarily for K to 12 purposes, referred to in the law as “operators.” The law prohibits operators from engaging in targeted advertising to students, amassing a profile on students, selling or renting student information, or using student information except in limited ways. Additionally, operators must maintain certain security protocols when storing student data, delete student data when requested by the district, and maintain a public privacy policy.

The amendments that went into effect this summer include several new requirements. One significant change in the law is that a school district must have a written agreement with any operator that receives student data from the district. The agreement must contain several specific elements, including the student data shared, what happens in the case of a security breach, and the vendor’s obligations around the security of student data. Additionally, the district must post and maintain on its website a list of all operators with which it has a written agreement as well as the agreement itself; procedures for parents to review, request corrections to, and delete their child’s information; and a list of any breaches. Finally, the district must designate, by policy, who can sign contracts with operators. 

What should I look out for?  

Make sure that teachers and other team members know that any technology that will collect student information (generally, if the student has to sign in) needs to be approved before they use it. So when a teacher finds a new program that will allow students to practice their skills, an add-on that will support student proofreading, or an application that will track behaviors, the teacher should, before launching in and sharing student information, check that the district already has a SOPPA-compliant written agreement with the operator. If not, the teacher should see if the district can negotiate such an agreement. The same guidance applies when a team is considering assistive technology for a student.

Remember, if a service or application is “free,” your data may be being monetized, and clicking “accept” on the terms may expose student data. That click-through may also run afoul of SOPPA because only the district’s designated official is authorized to enter agreements with operators, the agreement has not been vetted to ensure it includes the required protections, and the agreement will not be appropriately posted on the district’s website. 

Even as we return to in-person learning, teams will continue to rely on online curriculum and tools to support student learning. Taking careful steps to ensure that educators have the ability and flexibility to use these critical tools, while also maintaining student confidentiality and security, is paramount.


ASK an ATTORNEY

This is your opportunity to ask our IAASE Attorneys any questions.  Attorneys will provide monthly updates via the IAASE Blog. Click here to contribute to the IAASE ASK an ATTORNEY form.
