School districts in Connecticut are busy pulling together plans to educate students at home — whether through formal “distance learning” or otherwise — during the public health emergency spurred by the COVID-19 pandemic.  While plans may include hardcopy paperwork being sent home, many if not all of those plans will include a component of online learning, which may trigger Connecticut’s student data privacy laws, Connecticut General Statutes §§ 10-234aa through dd.  Connecticut public school districts are cautioned to understand these laws and keep them in the forefront when planning remote learning for students.

As relevant to these circumstances, Connecticut’s student data privacy laws require school districts to enter into written contracts with operators prior to the operator being provided or having access to student records, student information or student-generated content. The written contract must include, at minimum, the ten requirements identified in Conn. Gen. Stat. § 10-234bb. An operator is defined as “any person who (A) operates an Internet web site, online service or mobile application with actual knowledge that such Internet web site, online service or mobile application is used for school purposes and was designed and marketed for school purposes, to the extent it is engaged in the operation of such Internet web site, online service or mobile application, and (B) collects, maintains or uses student information.” One of the triggers for the contracting requirement is that the online service is being used for “school purposes,” which means “purposes that customarily take place at the direction of a teacher or a local or regional board of education, or aid in the administration of school activities, including, but not limited to, instruction in the classroom, administrative activities and collaboration among students, school personnel or parents or legal guardians of students,” and does not include actions taken unilaterally by parents.

When determining an appropriate remote learning plan for students, schools in Connecticut should, if possible, use online programs and services that were used prior to the closing of schools related to COVID-19. Teachers and students are familiar with these programs and the student data privacy contracting requirements related to these tools were likely already satisfied, if such were necessary. Further, some online tools, such as videoconferencing services, fall outside of the student data privacy contracting requirements, as they are not marketed for school purposes; however, schools should still ensure that privacy considerations are taken into account when using these products, including but not limited to closely reviewing any applicable privacy policy and terms of service and ensuring compliance with the Family Educational Rights and Privacy Act (“FERPA”).

At this time, the student data privacy requirements have not been waived by Governor Lamont and thus schools continue to be obligated to secure written contracts with operators before providing them with any student data. Schools must continue to protect student data in accordance with state law, even in the face of these unprecedented times. Schools should consult the Connecticut Commission for Educational Technology for educational resources for remote learning during the COVID-19 emergency and additional information about student data privacy requirements.

Please continue to monitor ctschoollaw.com for updates concerning COVID-19.  If you have specific questions about online learning tools and contract requirements, please contact Chris Tracey at ctracey@goodwin.com or Gwen J. Zittoun at gzittoun@goodwin.com.