Data Privacy in Ed-Tech Companies

28 August 2021
– Amardeep Mathur and Ayushi Modi

Introduction

The Education Technology or the Ed-tech industry has witnessed tremendous growth over the past few years. With providing educational solutions to vast users, by the use of an online platform which is accessible across the globe, Ed-tech sector is advancing at a rampant pace. The global investment in ed-tech sector is estimated to reach $350 Billion by 2025. In India the increasing reliance on online education has helped many ed-tech startups double its user base. According to reports India’s ed-tech sector is estimated to be worth USD 30 billion by 2032. Such fast growth of the EdTech sector, comes with responsibility and accountability in regard to the large amount of personal data it collects and handles.

Due to poor privacy protocols, the Ed-tech sector is prone to data breaches. Last year, one of the country’s leading ed-tech platform, suffered from massive data breach, resulting in personal and sensitive personal data of thousands of students and teachers, put for sale on the dark web. With the users of Ed-tech platforms constituting majority children and young adults, data protection and privacy is an under addressed issue in the ed-tech sector with the stakes for privacy at an all-time high.

This article explores the primary aspects of data privacy in the ed tech sector.

1: Collecting large amount of personal data

Limitation and Minimization regarding collection of personal data is one of the key principles of data privacy. When an organization receives and collect large amount of personal data, it brings along sets of obligation, to ensure that the data collected is not irrelevant or unnecessary and is utilized for the purpose of legitimate processing activities. Often data collected by ed-tech platforms are personal data of children, who form part of a vulnerable group. Data collected includes names, e-mail and contact numbers, user habits such as time taken to complete an assignment and social and emotional behavior.

Given the amount of data collected by ed-tech and the demographics they cater to, it is very important that such ed-tech companies pay proper attention to ensuring user privacy by collecting relevant data sets and ensuring that all stakeholders receive complete transparency and notice regarding the use, storage, retention, processing and sharing of the large amount of personal data collected.

2: Privacy Obligations while performing complex processing operations

Another crucial aspect is that the data is collected from a susceptible group of population, i.e., children and students. Such data is processed to draw inferences on abilities and intelligence, which forms part of sensitive personal data. New age features and functionality provided by EdTech platforms, equals to performing sophisticated processing operations, including, profiling and other means of automated decision making. Processing operations used to monitor user behavior further and to build marketing profiles, to obtain monetary advantage, is also a major policy concern. Artificial Intelligence and other modern means of automated processing, which help draw inferences, are relied at heavily by EdTech platforms to monitor and evaluate students’ performance metrics, throughout the course.

Data Processing must be done in a way which is not only informed and transparent but also, allows certain degree of control, when formulating profiling decisions based on automated processing. Express consent for processing using automation, can be a good measure to ensure that such processing operations do not deter privacy related rights and freedom of the individual. Such forms of processing, if carried out, should be made subject to conditions, and should allow individuals, to whom such personal data belongs, to exercise greater control or over the results / outcomes of such processing.

3: Securing Personal Data

A natural obligation resulting from collecting and receiving large amount of personal data, is ensuring that such data is kept secure and safe. Technical and organizational security measures form a necessary part of privacy compliance. It warrants that the organization formulate elaborate and appropriate security measures to safeguard personal data within its control, from unauthorized use transfer or processing.

Sharing data with global and transfer of data to third party vendors and service providers is a business necessity, however such transfers cannot be arbitrary, excessive, and unregulated. Privacy principles require that data transfers to third partis and even affiliated group companies be secured by way of specific modalities such as data protection agreements (‘DPA’), record keeping etc.

Along with transferring, the data collected is also hosted on a cloud. EdTech platforms, rely on these cloud servers and cloud data centers, for storage. Such storing of personal data on cloud raises alarms of privacy. Upon any data security incidents in the data base of cloud service providers, the personal data of the users of the EdTech platform, suffer the consequences. Well established, data sharing procedures and mechanisms provide the company, with safeguards to secure the data collected, stored or transferred to avoid any data breaches which may harm the data subject.

Handling Children’s Data- Global Perspective

As highlighted, ed-tech sector deals with personal data belonging to teachers, children and young adults, and often their parents. Privacy legislations prescribe special provisions when handling personal data of these subjects.

EU: According to Recital 38 of the EU-General Data Protection Regulations (GDPR), Children require special protection with regard to their personal data, as they are less aware of the risks, consequences and safeguards regulating the processing of personal data.

USA: The United States of America protects privacy of children below the age of 13 through the Children’s Online Privacy Protection Act (COPPA). COPPA applies to any websites or online services who are either directed at children under the age of 13 years old, or who have actual knowledge that they are collecting personal information online from kids under 13 years of age.

Conclusion

EdTech platforms thus, must ensure, that their platforms are designed keeping in mind the privacy issues which may arise from their functioning and operations. A dedicated data privacy strategy and compliance program will help these platforms to cater data privacy and protection requirements with ease and help the to meet their larger responsibility of ensuring privacy and security in their platform.

Published here: Data Privacy in Ed-Tech Companies (devdiscourse.com)

Disclaimer: This article is the copyright of Reina Consulting LLP. It is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is viewed or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation. This information is not to be considered as legal advice or opinion and the firm shall not be liable for any action taken by the user, directly or indirectly, on the basis of such material.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.