Student Data Privacy Regulations

Last week, a digital transformation leader at a major EU educational organization contacted me, concerned. Their entire staff had been told by a visiting “AI literacy” speaker that it was perfectly fine to upload student work into ChatGPT or Gemini for grading, as long as it was “anonymized.” They asked me: Is this correct? The answer is simple: No. You cannot simply strip names from student work and upload it to a large language model. This is a dangerous misconception. Why? Because AI systems are not the same as Word or Google Docs. The way GDPR and the EU AI Act apply to generative AI is profoundly different from traditional digital tools. Yet this was the official takeaway given to hundreds of staff. You can imagine my frustration. Organizations need to carefully vet the expertise of anyone they bring in to train staff on AI. 'Early' 2023 AI adoption, a large follower count, and a few self-published books are not proof of experience, deep technical competence, or governance fluency. In fact, the wrong advice can expose your institution to major harm, compliance, ethical, and reputational risks. So what does need to be in place before you let a large language model process student or employee work in Europe? At a minimum: 🔹 A data protection impact assessment (DPIA) addressing AI-specific risks 🔹 A clear legal basis for processing under GDPR (consent is rarely sufficient) 🔹 Contracts with providers that establish data use, retention, and security 🔹 Governance processes aligned with the EU AI Act , GDPR, and sector-specific safeguards 🔹 Human oversight mechanisms to prevent bias, error, or misuse Only then can AI be used to analyze, grade, or process human work. To support schools and education organizations, I’ve created a staff briefing note and a free reference sheet that outlines these requirements in plain language. This cheat sheet is written for the EU and UK, but other nations should take note, because similar regulation is already in place for you, or on the way. You’ll find it attached here. We need to move beyond “AI literacy” as a buzzword and toward AI responsibility as a practice. The future of education, and the trust of students, parents, and staff depends on it. Do you need support on this? Our team at Kompass Education can guide you through. Contact us at email: info@kompass.education Let AI governance be your North Star. #AIGovernance #AIinEducation #AICompliance #EdTech #DigitalSafety

Children's information and sharing it is top of mind for regulators, as we have been telling our clients for a while, and as we saw yesterday in a new CA AG $500,000 settlement with Tilting Point Media LLC (Tilting Point) for #CCPA and #COPPA compliance issues in mobile app game “SpongeBob: Krusty Cook-Off.” Practice points: Directed at children: 🔹 If you are aware that children under 13 are using your services - they are is directed to children. Saying in your terms of service and privacy policy that consumers under 13 are not authorized to use it - doesn't change this. Regulator 1, 2, 3: 🔹 CA AG will use every enforcement tool to ensure compliance with the law and that companies exercise diligence with privacy law requirements 🔹 If one regulator tells you that you are not compliant (here BBB National Programs CARU): assess your compliance with other laws you could be enforced against by another regulator Data minimization: 🔹 Don't collect more personal information than reasonably necessary for a child to participate. Mind your SDKs: 🔹An SDK facilitates data sharing that can be a sale (CCPA) and/or unfair/deceptive (FTC) and/or subject to COPPA just like any data sharing. 🔹 You need to know: what information each SDK collects; evaluate contracts re: sharing of data through them - making sure you have the right consent. 🔹 You may need a formal SDK governance framework. 🔹 Every year: assess data minimization and SDK usage. (ensuring data flows appropriately change based on the consumer's age). 🔹 Every year: conduct adequate training for personnel re sharing and SDKs Sale/share: 🔹 Disclose your sale and share correctly in your privacy notice 🔹 Don't sell/share personal information of under 13's without parental consent 🔹When you do sell/share: provide a just-in-time notice explaining what information is collected, the purpose, sale/share, link to privacy policy, & parental or opt-in consent required. [FTC also says this in BetterHelp] Mixed audience 🔹When using an age screen it has to be neutral. 🔹Neutral means: (1) ask age information in a neutral manner that does not default to a set age of 16 or above or encourage users to falsify age information; (2) not suggest that certain features will not be available; and (3) provide CLEAR AND CONSPICUOUS notice that the age entered should be accurate to the user and is collected to ensure data use and advertising is appropriate. 🔹If the person is under 13 or 16 - direct them to a portion of the service that doesn't use data other than as permitted by COPPA/CCPA or get parental / opt in consent For ads in your apps, make sure they are: 🔹Identified as being an ad; 🔹Include a prominent one-click “X” or “Close” button; 🔹Do not manipulate or deceive consumers into engaging 🔹Do not advertise activities/products in which children cannot legally engage/possess. #dataprivacy #dataprotection #privacyFOMO Complaint: https://rb.gy/enu19e Agreement: https://rb.gy/jq6lke

Is your institution's 'FERPA fear' killing AI innovation? Stop using student privacy as an excuse! 🔥 Our #GenerationAI episode reveals the TRUTH about what's actually allowed. 📚💻 If you're confused about how these two interact (like many attendees at our recent AI Engagement Summit were), this one's for you ⬇️ FERPA has become a common roadblock for institutions trying to adopt AI tools. Many leadership teams simply don't understand how to implement AI while staying compliant with student data privacy laws. 🔐 What FERPA actually is and what student data it protects - It's the Family Educational Rights and Privacy Act from 1974 - Protects all educational records from unauthorized access - Applies to any institution receiving federal funding 📄 How the "school official exception" works - This is why your institution CAN work with vendors - Vendors must perform services the school would otherwise do itself - Schools must maintain control over how data is used ⚠️ The real AI risks with FERPA - Using public AI tools like ChatGPT with student data = BIG NO! - Many AI models store and use interactions for training - Free versions never offer data protection options ✅ What to look for in AI vendor contracts - SOC 2 Type 2 certification is the gold standard - Clear data deletion policies are essential - No training on user data without explicit permission 🛡️ How Element451 ensures FERPA compliance - We authenticate users before sharing any personal info - All student records are encrypted in transit and at rest - Our AI inherits your institutional security policies Listen to the full episode to understand how your institution can safely implement AI while protecting student privacy! (link in comments) #HigherEd #FERPA #AIinHigherEd #StudentPrivacy

The landscape of student privacy is evolving as schools navigate an increasingly digital education environment. Ohio's latest legislation (SB29, effective October 24, 2024) offers a glimpse of how states are adapting to these new realities. https://lnkd.in/eYQUD53i Key Changes: Creates protected "educational support services data" category - covering programs designed to reduce educational disparities and promote equity Requires tech providers to treat educational records as district property and destroy/return within 90 days of contract end Limits device monitoring (location, audio/visual, keystrokes, browsing) except for specific educational purposes Mandates parent notification annually about tech contracts and within 72 hours of any monitoring While much aligns with existing FERPA guidelines, the explicit rules around monitoring and new data protections mark an important evolution in education privacy law. Interested in seeing if other states follow Ohio's lead on this. #EdTech #K12 #EducationPolicy #StudentPrivacy What are your thoughts on balancing student privacy with educational technology needs?

🇮🇪 The Data Protection Commission (DPC, Ireland) has published a “Data Protection Toolkit for Schools” (”toolkit”), a new resource dedicated to further assisting schools in meeting their data protection obligations when processing the personal data of children. The toolkit covers the following: 1. A detailed guidance piece on different aspects of data protection law in the specific context of schools 2. An FAQ section containing answers to questions commonly received by the DPC from the education sector 3. An appendix containing three helpful resources for schools, namely: - A sample template for Data Protection Impact Assessments (DPIAs) - An infographic on what information to include in a Privacy Policy - A “checklist” for schools on how to respond to a Subject Access Request (SAR) #privacy #europe #ireland #gdpr #children #dataprotection #dpia

100s of professionals have added "Data Privacy" to their LinkedIn profile. But a very few of them have read Section 9 of the DPDP Act. There is a difference between a privacy professional and someone with privacy in their job title — and organisations are about to find out which one they hired. Section 9 is the children's data provision. It prohibits Data Fiduciaries from processing children's personal data without verifiable parental consent. It bans behavioural tracking of children entirely. It requires age verification mechanisms that actually work — not a checkbox asking "are you 18?" It is also the provision that will produce India's first high-profile DPDP enforcement action. Because almost every organisation processing personal data touches children's data in some form — schools, edtech platforms, healthcare apps, e-commerce sites, gaming companies, HR systems at companies that collect employee family data — and almost none of them have a compliant children's data protocol in place. Here is my test for any privacy professional, in any role, at any level: Can you answer these 5 questions without searching? 1. What is the exact definition of a "child" under the DPDP Act 2023? 2. What does "verifiable parental consent" require in practice — and what does it specifically prohibit? 3. Which category of Data Fiduciaries may be exempted from Section 9 obligations — and under what conditions? 4. If your organisation's app allows users to self-declare their age — is that sufficient under the Act? 5. What is the consequence of processing a child's data without valid parental consent — and who is personally liable? If you hesitated on more than two of those, you are not alone. But you are also not yet equipped to carry the title on LinkedIn profile. This is not a criticism. It is a diagnostic. The DPDP Act has 44 sections. Most privacy training in India currently covers about 12 of them in any real depth. Section 9 is almost always treated as a footnote — a brief mention before moving on to consent frameworks and breach notification. It will not be a footnote when the Data Protection Board of India issues its first enforcement notice. The organisations that survive the first wave of DPDP enforcement will not be the ones that hired the most people with privacy in their job title. They will be the ones that insisted on people who had actually read the whole Act. Are you one of them? Drop your answers to the 5 questions in the comments. I read every single one — and I will tell you exactly where the gaps are. ___________________________________ → World Cyber Security Forum (WCSF)®'s "Hands on Training on DPO & Audit Professional" training covers all 44 sections in practice (tool training). Link in comments. #DPDPAct #DataPrivacy #DataProtection #PrivacyProfessionals #DPO #CyberLaw #WCSF

As the world increasingly focuses on developing safe spaces for children online, such as the establishment of California’s Age-Appropriate Design Code and the United Kingdom’s Online Safety Bill, Indonesia’s government has launched its first draft on Child Protection Governance under Electronic System Operation (RPP PAPS). This draft regulation, developed by adopting global best practices, is the implementing regulation of the recently amended Indonesia’s Information Electronic Transaction Law (UU ITE 2024), which mandates more stringent measures for online child protection. This draft regulation also intersects with Indonesia’s Personal Data Protection Law (UU PDP 2022) and Draft Implementing Regulation of PDP Law, which explicitly states that children’s personal data processing shall be governed specifically by other regulations. Therefore, any organization processing children’s personal data must consider the provisions under RPP PAPSE. Key Highlights: - Enhanced Protection: The draft regulation sets stringent standards for ensuring the safety and privacy of children online. - Compliance with UU PDP Indonesia and RPP PDP: It aligns seamlessly with Indonesia’s Personal Data Protection Law (UU PDP 2022) and the draft implementing regulation, emphasizing the need for robust data protection measures specifically tailored for children. - Mandatory Assessments: Introduces new requirements for assessing whether products, services, or online features are suitable for children and mandates Data Protection Impact Assessments (DPIAs). DPIA must be done before three months of product launching and reviewed at least two years or whenever changes in product, service or system. Muhammad Deckri Algamar and I believe it is essential to provide a summary and our comments on the regulation to help companies translate, interpret, and understand it better. In addition, with our extensive experience in implementing data protection and privacy across multiple companies, we aim to assess how these two regulations complement each other. We will provide insights on how companies can integrate this draft regulation into their ongoing PDP regulation implementation journey. You can access the draft regulation in this link: https://lnkd.in/gET5ZgDv The draft also calls for public consultation from 16 to 31 May 2024, any inputs or response can be delivered to hkaptika@kominfo.go.id. Special shout out to PDP leaders Alex Cheung Adoeardo Soediono Priscilia Sinata Budianto . Albert Wongso Henry Ligian Teofilus Jeremy Soebianto #ChildProtection #DataPrivacy #DigitalSafety #PDP #Indonesia #RegulationUpdate #DataProtection #OnlineSafety

#Kidprivacy enforcement is not limited to #coppa. This settlement out of the Office of the New York State Attorney General focusing on #teen #privacy is a good reminder that many #StateAG offices have emphasized teen privacy is a priority area, which means we’re likely to see more settlements and litigation on such topics in 2025. Among other things, this enforcement highlights the importance of having rigorous authentication measures for any teen focused platform; privacy forward default settings; and a reminder that all of your public statements will be scrutinized for accuracy. Pro tip: review any injunctive terms in new privacy settlements for insights on what regulators view as requirements under their laws or required measures following a violation. Here, the settlement requires the company to: 1. Notify current users regarding app verification changes 2. Provide users with options to modify their privacy settings. 3. Provide all current and future users under the age of 18 with enhanced privacy options, such as hiding social media accounts from non-friends and prompt all users under 18 to review their privacy settings every six months. 4. Hide the personal information of current users under 18 until company obtains informed consent to the new app terms. 5. Requires company to limit the visibility of information about non-app-using students that other app users may enter into the app, such as the non-app user’s class enrollment or event attendance. 6. Prohibits company from making any future claims about user safety or user verification unless the company has a reasonable basis for making the claim based on competent and reliable scientific evidence. 7. Requires company to allow teachers to block their name, initials, or other personal identifier from appearing in the app’s class schedule feature. 8. Delete retained copies of the phone contact books of certain users. Also a $650K monetary provision. #privacylaws not just #ccpa #udaplaws #udap #stateattorneysgeneral Kelley Drye & Warren LLP https://lnkd.in/eByWuNDW

You've heard of #COPPA and you're pretty sure kids' privacy laws don't apply to you? Well, think again! With renewed efforts at passing federal youth safety and privacy laws, including the Kids Online Safety Act #KOSA and COPPA 2.0, it's time for a rethink about how you interact with the personal data of anyone under 17. (I really mean it.) In my column this week, I explain the overlapping circles of scope within the updated draft of KOSA as well as the importance of an expanded knowledge standard for COPPA. https://lnkd.in/e7hwrh9n But wait, there's more! Even without Congressional action, COPPA will soon be updated by the Federal Trade Commission. IAPP's Westin Fellow Andrew Folks just published an excellent analysis of the top takeaways from the proposed COPPA Rule update here: https://lnkd.in/e3PwC72M