Colleges and Universities Tracking Prospective and Current Students Raises Data Privacy Concerns

As the world continues to adapt to challenges and shutdowns caused by the COVID-19 pandemic, colleges and universities are reviewing various ways to safely reopen their campuses, while protecting both employees and students to the greatest extent possible. Some are turning to the use of apps to assist with various government-imposed reopening requirements, such as temperature checks and health screening surveys, while others are turning to the use of contact-tracking apps that monitor locations previously visited by students or employees. These apps, marketed as systems to assist institutions with compliance, have recently come under scrutiny at a number of levels regarding potential data privacy risks. Some newer, yet-to-be-vetted apps may contain software written with speed over substance, an inviting prospect for hackers looking to exploit personal data.1 More established apps, which also use smartphone technologies such as GPS and Bluetooth, collect, share and potentially sell collected data on terms that may or may not be legally compliant.2

Even before the COVID-19 pandemic began, many colleges and universities were using tracking software on their websites to learn more about prospective students and predict which students would make the best candidates for admission.3 The software, which is usually installed and managed by external vendors, tracks the online activities of prospective students who visit school websites and collects their personal data,4 which can include test scores, zip codes, high school transcripts, academic interests, web browsing histories, ethnic backgrounds and household incomes.5 The software then analyzes the collected data and formulates predictions that will help the schools determine several things about the students, including which students are likely to enroll at the school and which can afford to pay tuition.6 Prior to the pandemic, college administrators were already using apps to track student attendance, movement and behavior patterns.7

The installation and use of any of these types of tracking software implicate several data privacy laws that schools must be careful to comply with, including the Family Educational Rights and Privacy Act (FERPA), General Data Protection Regulation (GDPR), New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), California Online Privacy Protection Act (CalOPPA) and California Consumer Privacy Act (CCPA).8 These laws impose several requirements which, inter alia, aim to protect the privacy rights, personal data and personal information of students (prospective and enrolled).

For example, the CalOPPA dictates that schools must conspicuously post a privacy policy on their websites.9 The privacy policy must:

  1. Inform a visitor of the categories of personal data10 that the school will collect;
  2. Disclose the third parties with which the school may share visitors’ personal data;
  3. Explain how visitors can request changes to their personal data on record;
  4. Explain the process for informing visitors of changes to the policy;
  5. Disclose the date when the policy was last updated;
  6. Disclose how the website responds to “Do Not Track” requests from visitors; and
  7. Disclose details of third parties that collect personal data through the website.11

International privacy requirements and cybersecurity safeguards apply where students can access the school’s website from within the United States or the European Union.12 These requirements and safeguards contain substantial penalties for violations, including, in the right case, a penalty of up to 4 percent of the violating school’s global annual revenue or €20m, whichever is greater.13

Additional data privacy requirements can include:

  1. Refraining from disclosing an eligible student’s personally identifiable information to third parties without first obtaining the written consent of the student or the student’s parent14;
  2. Implementing reasonable cybersecurity safeguards,15 including requiring third-party vendors to supply certain safeguards, when collecting “private information” from website visitors;16 and
  3. Promptly reporting a personal data breach when the school becomes aware of the breach.17

In light of these privacy laws and the liability triggered by noncompliance, it is essential that schools using tracking software and apps do the following:

  1. Learn about all applicable data privacy laws and cybersecurity safeguards, and institute measures to comply with these laws and safeguards;
  2. Work with counsel to draft privacy policies that comply with all applicable laws;
  3. Review terms of vendor contracts to ensure compliance with all applicable data privacy regulations;
  4. Review indemnification agreements and the ability to collect or be reimbursed in the event of a data breach;
  5. Make appropriate revisions to existing data security compliance policies and procedures, including whom to notify in the event of a breach; and
  6. Engage counsel to fully vet data use, purchase, processing, and storage policies and agreements.

Additional Assistance

For further assistance, please contact a member of the Education Practice Team, the Data Security & Privacy Practice Team, or the Phillips Lytle attorney with whom you have a relationship.

  1. See Tim Starks, Early COVID-19 Tracking Apps Easy Prey for Hackers, and It Might Get Worse Before It Gets Better (July 6, 2020), https://www.politico.com/news/2020/07/06/coronavirus-tracking-app-hacking-348601.
  2. See Jennifer Valentino-DeVries, Natasha Singer, Michael H. Keller and Aaron Krolik, Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret (Dec. 10, 2018), https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html.
  3. See Douglas MacMillan and Nick Anderson, Student Tracking, Secret Scores: How College Admissions Offices Rank Prospects Before They Apply (Oct. 14, 2019), https://www.washingtonpost.com/business/2019/10/14/colleges-quietly-rank-prospective-students-based-their-personal-data/.
  4. Id.
  5. Id.
  6. Id.
  7. See Drew Harwell, Colleges Are Turning Students’ Phones Into Surveillance Machines, Tracking the Locations of Hundreds of Thousands (Dec. 24, 2019), https://www.washingtonpost.com/technology/2019/12/24/colleges-are-turning-students-phones-into-surveillance-machines-tracking-locations-hundreds-thousands/.
  8. The specific data privacy law that would apply in a given situation would depend on the state or country where the student resides.
  9. See California Online Privacy Protection Act [Cal. Bus. & Prof. Code § 22575(a) (Westlaw 2020) (effective Jan. 1, 2014)].
  10. Personal data or information means information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” California Consumer Privacy Act [Cal. Civ. Code § 1798.140(o)(1) (Westlaw 2020)].
  11. Cal. Bus. & Prof. Code § 22575(b) (Westlaw 2020) (effective Jan. 1, 2014). In addition to posting a detailed privacy policy that, among other things, informs a visitor of the categories of personal data that the school will collect, schools, in certain situations, must also be prepared to disclose to certain visitors, upon their request, the specific information that the school collected about them. California Consumer Privacy Act [Cal. Civ. Code § 1798.100(a) (Westlaw 2020)].
  12. General Data Protection Regulation, G.D.P.R. Art. 3.
  13. Id. Art. 83.
  14. See Family Educational Rights and Privacy Act [20 U.S.C.A. § 1232g (b)(1) (Westlaw through Pub. L. No. 116-147)]. This rule, however, has certain exceptions. See id. § 1232g (b)(1)(A) – (L).
  15. The New York “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), N.Y. Gen. Bus. Law § 899-bb (2) (Westlaw through L.2019 ch. 758, L.2020 ch. 1 to 56, 58 to 127).
  16. Id. § 899-bb (2)(b)(A)(5).
  17. General Data Protection Regulation, G.D.P.R. Art. 33-34.