As parents opt their college-bound children out of standardized testing and assessment vendors analyze social data streams to prevent cheating, a chill is falling over the edtech industry. How will vendors fulfill their promises to colleges if the real users of their products and services leave due to privacy and security fears? In order to protect themselves against current and future regulation, higher ed technology providers must reassess their privacy policies and security measures, as well as streamline students’ understanding of data privacy.

When it comes to data privacy and marketing, students and parents do not check their expectations at the doors to their college classrooms as they transition from K-12. Consequently, vendors that serve both K-12 and higher education student populations will be the first to deal with the challenges of protecting student data throughout this transition. These challenges will only become more pronounced with legislation on the horizon that is meant to improve data privacy by restricting what vendors can and cannot do with data and how they market to students.

Beyond regulating the storage and protection of sensitive student records, this legislation could impact vendors that market to students and their parents using information obtained through their relationships with colleges and universities. States like California have already made it illegal to market directly to students using data obtained from a K-12 school. If this legislation is interpreted—or if explicit legislation is introduced—to apply to colleges as well, the following scenarios could become a reality:

  • A vendor of used textbooks could not recommend a book to a student based on course enrollment data obtained through a relationship with a college’s bookstore.
  • A tuition repayment service provider could not offer a payment plan to a parent after learning about a gap in his or her child’s funding from information gleaned in its relationship with the financial aid office.

How Service Providers Should Prepare

With new venture-backed startups entering the education technology landscape on a nearly weekly basis, many of these experiments will fail. But what happens to student data when a company goes bankrupt or is sold? Specifically, where is the accountability for executing the mergers and acquisitions clauses of policies in their contracts with colleges? Situations like ConnectEDU’s 2014 bankruptcy and the subsequent acquisition of its student data assets shine a bright light on companies’ responsibility during these transitions.

With this in mind, take the following steps to protect student data:

  • Invest in your products and solutions in such a way that you have ready-made offerings to deal with privacy issues and gain a competitive advantage. In other industries, the vendors that anticipated regulatory changes (automotive emissions regulations, for example) and invested in adapting their products to meet these changes are seen as proactive thought leaders. By not innovating and avoiding issues of data privacy altogether, you risk losing a competitive advantage, being hit with unbudgeted cost increases due to compliance actions, or coming across as behind the times to your end users. While you should not be tone deaf to student concerns, do not make promises in your terms of use and privacy policies that you will not be able to honor during tumultuous times.
  • Adopt the model terms of service provided by the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) as a good first step to meeting colleges’ privacy and security expectations. This resource identifies some best practices and example terms of service language that you can adopt in your own policies. Use commonly understood and broadly promoted language in your user agreements to reduce the time it takes buyers to evaluate your services from a student data privacy perspective.
  • Provide a safety net for your direct consumers. Faculty routinely use third-party tools outside the LMS in order to make up for perceived gaps in functionality. In doing so, they put student records into those systems outside the realm of institutional contracts. Such is the case with newer direct-to-consumer business models promoted by LMS vendors today. Schoology, Instructure Canvas, Blackboard and other major LMS players all offer the opportunity to test drive their enterprise solutions via free limited single-user experiences. If the vendor in these models were to shutter, the college would be put in a difficult place between its students and the vendor, even if it was not party to the vendor’s contract with the individual faculty member. Because there is no contractual relationship, colleges have no ability to retain the official records stored in these systems. The student records data stored on such systems could fall into limbo, with the students unaware that the college had not formally endorsed or supported the product. Vendors can and should provide options for faculty to back up, transport, or otherwise transfer their data to an institutionally supported information system through the use of open APIs or existing standards such as Common Cartridge. Providing such a safety net to their direct to consumer clients would calm concerns among current users.
  • Finally, you will not be able to overcome certain users’ uncertainty or fear about your solutions. For those users, provide clear instructions on how to opt out of data collection, reporting, or other features that collect student data. Use your opt out process as an opportunity to engage these users in a dialogue that educates them on how specifically their data will be used to improve products and services or to assist their colleges in improving the content, instruction, and campus experiences for all students. Any opportunity to engage end users about data privacy and security should be seen as an opportunity, not just a preemptive legal defense.