For students we do actually, except we put it on school districts and teachers to self enforce under penalty of being directly held liable for data breaches.
I work in school IT so I’m very familiar with the requirements (of my state anyway).
The system we have is fucked. Teachers (highly tech illiterate) have to use services that have signed our states privacy pledge, if they use a service that has not signed the pledge, and there is a data breach, they can be held directly liable.
The pledge states that the service shouldn’t store any PII on students, but there is no way for the state to verify this. I know first had that every software we have has PII of students (names for example). I doubt these services are storing encrypted display names for example. However a common naming convention for accounts in schools is to use parts of the students name. No idea of these services would store encrypted usernames or emails either. Failure to “follow the rules” might see the corporation sued by the state but again, never legally tested. This was all born out of a multistate lawsuit against Google because they were caught scraping student email account contents for targeted ads when they said they didn’t. In my district were moving forward with a new naming convention for students that is simply a random number to cut down on PII.
Anyway, the district is under no direct threat from the law, but does “require” it to list all the software they use. This requirement has no penalty for noncompliance.
None of this has been legally tested yet. The threat to teachers is high though (loss of license I think), so we try really hard to keep them informed and in compliance with the law.
For students we do actually, except we put it on school districts and teachers to self enforce under penalty of being directly held liable for data breaches.
I work in school IT so I’m very familiar with the requirements (of my state anyway).
The system we have is fucked. Teachers (highly tech illiterate) have to use services that have signed our states privacy pledge, if they use a service that has not signed the pledge, and there is a data breach, they can be held directly liable.
The pledge states that the service shouldn’t store any PII on students, but there is no way for the state to verify this. I know first had that every software we have has PII of students (names for example). I doubt these services are storing encrypted display names for example. However a common naming convention for accounts in schools is to use parts of the students name. No idea of these services would store encrypted usernames or emails either. Failure to “follow the rules” might see the corporation sued by the state but again, never legally tested. This was all born out of a multistate lawsuit against Google because they were caught scraping student email account contents for targeted ads when they said they didn’t. In my district were moving forward with a new naming convention for students that is simply a random number to cut down on PII.
Anyway, the district is under no direct threat from the law, but does “require” it to list all the software they use. This requirement has no penalty for noncompliance.
None of this has been legally tested yet. The threat to teachers is high though (loss of license I think), so we try really hard to keep them informed and in compliance with the law.