Who Is Affected?
The law is primarily aimed at the fast-growing Ed Tech sector. Organizations may be affected whether or not they have a contract with a school, school board, or the State of North Carolina. The statute applies to the operators of websites, online services, online applications, or mobile applications who know that the site, service, or application is used primarily for K-12 school purposes. School boards are also affected, because they should ensure that their contracts with providers of online services require those providers to comply with the new law.
Like the existing student privacy statute, the law applies to public schools only. Private schools, and their service providers, will remain unaffected. (If private schools wish to protect the privacy of their students, they must do so by including contractual protections with their service providers. I would strongly suggest that they do so.)
Online operators are prohibited from selling or renting a student's information without parental consent. They are also generally prohibited from disclosing a student's covered information (defined below) except for six specific purposes. The permissible disclosures include disclosures to a subcontractor who is contractually prohibited from further disclosure of the information and who agrees to implement reasonable security procedures.
Online operators may not engage in so-called "targeted advertising" (better known as "behavioral advertising") based on information received for "school purposes." "Targeted advertising" means presenting an advertisement to a student where the advertisement is selected based on information obtained (or inferred over time) from that student's online behavior, usage of applications, or covered information. Furthermore, they are prohibited from "amassing a profile" of a student except for school purposes.
In addition to prescribing new limitations, the statute imposes two new obligations on online operators. All operators must "implement and maintain reasonable security procedures" and "protect covered information from unauthorized access, destruction, use, modification, or disclosure." Operators are also required to delete a student's information at the request of the school board, or when the operator stops providing service to the school board, unless the student's parent consents to the record retention.
Broader Scope of Covered Information
Although the student privacy statute already contained a definition of the term "personally identifiable information," the new statute creates a significantly broader definition of the same term that is applicable only for purposes of the online privacy protections. It includes twenty-nine (29) categories of information.
Interaction with Existing Law
You may recall that I wrote in mid-2014 about a then-new student privacy law in North Carolina. You can read that summary here. Titled "An Act to Ensure the Privacy and Security of Student Educational Records," the law prohibited schools from collecting certain categories of information, restricted the disclosure of personally identifiable student data, required school boards to give parents an annual summary of parental rights and opt-out opportunities, and directed the State Board of Education to make rules regarding privacy standards, audits, breach notification and data retention and destruction policies. The 2016 law described in this article amends and enhances the 2014 statute.
It should be noted that the federal Children's Online Privacy Protection Act (better known as COPPA) already protects children's online privacy in the educational context as well as in all other contexts. Any organization affected by North Carolina's new statute should already be in compliance with COPPA, but if it is not, there is no better time than now to become compliant.
Don't Get Sent to the Principal's Office!
Education technology companies and school boards have very little time to revise their policies and practices in order to comply with the new statute. They should consult with their privacy counsel quickly so that they will not be "sent to the principal's office" when the summer break ends!
You can find more posts like this by Ward and Smith, P.A. attorney and Certified Information Privacy Professional (CIPP/US) Matt Cordell at the North Carolina Privacy and Information Security Law Blog: www.PrivacyLawNC.com. Matt Cordell practices in the areas of privacy law, information security law, data use law and related consumer protection laws, and has offices in Raleigh, New Bern, Greenville, Wilmington and Asheville. This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.