Please note that log in for BLAW products will be unavailable for scheduled maintenance on Sunday, February 5th from approximately 4 AM to 5 AM EST.
Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

‘Explosion’ in Distance-Learning Tech Sparks Privacy Worries (2)

April 6, 2020, 10:01 AMUpdated: April 6, 2020, 5:54 PM

The new coronavirus pandemic carries privacy risks for educators and technology companies that rushed to implement distance-learning apps to avoid canceling the school year.

The schools and companies can face legal jeopardy if they fail to notify parents or get their permission before using some platform capabilities, such as examining student downloads or assessing pupils’ performance with analytics.

“There is little time for true diligence or compliance vetting” when schools rush to use apps in an emergency, said Beth Jones, head of Womble Bond Dickinson’s education law team, which advises schools on compliance matters.

Schools and tech companies targeted with privacy-violation accusations before the pandemic may face more scrutiny as use of the apps proliferates nationwide. On April 2, a group of California parents accused Alphabet Inc.'s Google, in a federal lawsuit, of collecting millions of students’ face templates and voiceprints without permission with its G Suite platform.

Schools are worried about protecting themselves legally as they expand use of online platforms during the coronavirus, said Philip Stein, litigation practice group leader at Bilzin Sumberg.

The risks that schools and companies face include consumer-protection lawsuits for unfair or deceptive trade practices, and accusations of children’s privacy violations for collecting too much data, Stein said. They also face possible lawsuits if they access geolocation data without consent or have weak data security, he said.

Liability Risk

Schools should be concerned about privacy regulations because “there’s such an explosion” in the use of distance-learning apps, said Doug Casey, executive director of the Connecticut Commission for Educational Technology.

Tech companies are “playing in highly regulated sectors they have not historically targeted, and schools are trying to integrate new technology in a way they may not have ever fully explored,” Jones said.

The New York City Department of Education and the Fairfax County Public Schools in Virginia, for example, have approved Google distance learning tools for their students. The Arlington Public Schools in Virginia are letting schools use SeeSaw. The Fort Wayne Community Schools in Indiana have approved the use of DreamBox.

Seesaw allows students to upload videos so teachers can understand their thinking in completing assignments. DreamBox uses data analytics to monitor how students perform in real-time. The New York City and Farifax school districts didn’t immediately respond to requests for comment on how they are using the apps, nor did representatives for Arlington and Fort Wayne. Seesaw and DreamBox representatives said they comply with all federal and state privacy laws.

Still, the tools, if used improperly, can place schools and companies on the wrong side of laws such as the Family Educational Rights and Privacy Act and Children’s Online Privacy Protection Act.

The educational rights law applies to student education records, such as health information and other personally identifiable information, collected by a school. The Education Department can seek to withhold federal funding under violations of the law.

The children’s privacy protection statute requires parental permission for the collection of data through online services aimed at people under age 13. Schools can act on behalf of a parent if the data is collected for educational purposes.

Legal Actions

Google’s YouTube reached a $170 million settlement with the Federal Trade Commission in 2019 to end claims it collected kids’ data without parental consent. That’s because courts can give out penalties up to $43,280 per violation under the children’s privacy law. The FTC has brought 33 privacy probes under the law, according to the agency’s website.

New Mexico Attorney General Hector Balderas (D) sued Google Feb. 20 alleging that the company uses its educational products to collect the data of children under 13 without parental permission.

The California parents who sued Google on behalf of their kids April 2 allege the collection of students’ data violates the Illinois Biometric Information Privacy Act. They also claim the company tapped geolocation information in a breach of the children’s privacy law.

Google declined to comment on the California suit though said in a statement the New Mexico “claims are factually wrong.” G Suite lets educators control account access and “we do not use personal information from users in primary and secondary schools to target ads,” the statement said.

Zoom Video Communications Inc., which produces a popular video conferencing application used by some schools, faces questions from New York Attorney General Letitia James (D) about privacy practices. New York City has directed schools away from using Zoom as soon as possible. Users filed lawsuits against the company March 30 and 31 in California federal court, alleging privacy and security violations.

“Zoom is working around-the-clock to ensure that universities, schools, and other businesses around the world can stay connected and operational during this pandemic, and we take user privacy, security, and trust extremely seriously,” the company said in a statement.

Schools Targeted

School systems have also been targeted with lawsuits. In 2013, a dozen New York City public school parents sued the state education commissioner to stop use of InBloom, a non-profit program partly funded by the Bill & Melinda Gates Foundation. Schools shared information with InBloom to better tailor assignments to learners’ needs using data analytics. The suit led to the New York legislature banning the state’s schools from using the program.

Companies must get “verifiable parental consent” before collecting data for commercial purposes under the children’s privacy law, said John Davisson, counsel at the Electronic Privacy Information Center, a nonprofit public interest group. That is a “heavy burden,” because schools can’t consent on behalf of students and parents, he said.

“If I’m operating a remote-learning platform that students under 13 will use, and I intend to collect and use their data for commercial purposes, I can’t just have a school sign off on that,” Davisson said.

Districts should update responsible-use policies and tell students that they should not be recording or sharing their online instruction without permission, said Gretchen Shipley, a partner at Fagen Friedman & Fulfrost LLP, who advises school districts on technology matters.

Moondrop Entertainment, which created Drawp for School, works with vendors to ensure the company complies with privacy laws, said Rob Seitelman, a Moondrop vice president.

Seesaw lets students upload videos to show their work to help teachers understand learning comprehension, said company co-founder Carl Sjogreen. Video and other data collected are never shared or sold for any reason, he said.

Still, schools may not be focused enough on privacy during the “crisis and unknown territory” of the coronavirus outbreak, said Josh Golin, executive director of Campaign for a Commercial-Free Childhood. The Boston-based group seeks to end marketing to children.

“If being online is a mandatory part of fulfilling obligations as a student,” Golin said, “then you have to guarantee to parents that privacy is protected.”

—With assistance from Sara Merken (Bloomberg Law) and Hailey Waller (Bloomberg News)

For additional legal resources, visit Bloomberg Law In Focus: Coronavirus (Bloomberg Law Subscription)

(Adds Davisson comment. Earlier version corrected 21st paragraph to say companies need consent.)

To contact the reporters on this story: Daniel R. Stoller in Washington at;

To contact the editors responsible for this story: John Hughes at; Keith Perine at