The creativity with which people around the world have responded, and continue to respond, to this pandemic in addressing the needs of others is remarkable. Virtual educational services, or “EdTech”, are one of the most visible needs as schools around the world transition to online learning. Many companies are highlighting the educational aspects of their current products and services or creating entirely new products and services that fall squarely within the EdTech industry. The goal: to assist those who now find themselves trying to figure out how to be safe at home, “teach children,” and focus on the ninety-nine other tasks that have to be completed at the exact same time.

It’s one thing if you made your online guitar lessons free for a general audience (thank you, Fender), but another if you provide products and services for educational purposes. You may find yourself subject to several state and federal privacy laws. At least 40 states have one or more such laws.

This blog post highlights the state laws that regulate the EdTech industry by aligning with California’s 2014 law, known as the Student Online Personal Information Protection Act (“SOPIPA”). Twenty-four states and the District of Columbia have SOPIPA-type laws aimed at limiting the use of personal information (and similarly defined terms) collected from students through EdTech products or services.

States with SOPIPA laws: Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Georgia, Hawaii, Illinois, Iowa, Kansas, Maine, Maryland, Michigan, Nebraska, Nevada, New Hampshire, North Carolina, Oregon, Tennessee, Texas, Utah, Vermont, Virginia, and Washington.
Federal laws that may also apply: COPPA and FERPA.

Determining whether your product or service is subject to SOPIPA and/or other similar laws requires legal analysis. And without giving you legal advice here, we can give you an answer in true lawyer fashion: “it depends.” For example, under SOPIPA, K-12 school purposes are regulated. “K-12 school purposes” means purposes that customarily take place at the direction of the K–12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. This means that SOPIPA applies not only to activities under the direct control of the educational institution or based on a contract between the educational institution and a vendor, but also activities provided by other third parties if those activities are traditionally provided by educational institutions. Whether or not SOPIPA applies requires a fact-based analysis of the purpose of the product or service, an analysis that now requires consideration of a remote-learning environment. The applicability of other state privacy laws will likely require a similar—but not identical—fact-based analysis as to whether the law applies.

If any number of these state privacy laws do apply, there are many restrictions concerning the use and sharing of information collected through that product or service. Those likely include some or all of the following prohibitions on the EdTech provider:

  • Use of information collected through the service or product for targeted advertising.
  • Use of information collected through the service or product to create profiles about K-12 students, unless in furtherance of the school purpose for which the information is collected.
  • Sale of the information collected through such service or product.
  • Disclosure of the personal information except for specific, limited purposes.

Many of these laws also require appropriate security measures, and deletion of information collected through the service or product if requested by the educational institution or district that controls the information.

There are of course exceptions to the general rule. For example, if information is de-identified or aggregated, the EdTech provider may be able to use it for purposes such as product improvement, marketing and development, and to improve educational sites, services or applications.

To date, states have not strictly enforced these laws. In fact, some states have never enforced their EdTech privacy laws. However, these laws—and privacy in general—have received a lot of attention recently because of how much we are all truly relying on a virtual world to keep us connected, learning, and working. Thus, it is possible this current traction will lead to more enforcement in the future. We do know that enforcement can lead to costly penalties and even jail time, depending on the state. In New York, a violation can lead to the greater of $5,000 or $10 per student, teacher, and principal whose data was released, up to $150,000.

The moral of the story: if you’ve stepped up to meet the educational needs of kids all over the country, make sure you know what state (and federal) laws apply to you. If you’re providing services globally, there are also international laws to consider that we did not address here.