State Student Privacy Law Policy
Introduction and Purpose
The State Student Privacy Law Compliance Policy sets out the rules and guidance for all individuals within the 美国电影 Group regarding the handling of children’s data in the USA.
It applies to the 美国电影, Hello World 美国农夫导航 (Ireland), 美国电影 North America, and 美国经典三级 Pi Educational Services Private Limited (India) (the ‘RPF Group’ or ‘美国农夫导航’) and any other entities added to the group.
In addition to federal laws like the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA), many individual U.S. states have enacted their own student privacy laws. These state laws often impose additional or more stringent requirements on K-12 schools and their third-party service providers (like the 美国农夫导航).
The 美国农夫导航 is committed to adhering to all applicable federal and state student privacy laws when providing educational services and platforms to K-12 schools and districts ("Schools") in the United States. This policy outlines the 美国农夫导航's approach to identifying, understanding, and complying with the diverse landscape of state-specific student privacy legislation.
The purpose of this policy is to:
Affirm the 美国农夫导航's commitment to comply with all relevant state student privacy laws.
Establish a systematic process for monitoring and adapting to new and evolving state privacy requirements.
Define responsibilities for ensuring compliance across all relevant 美国农夫导航 functions.
Provide assurance to Schools that their data is handled in accordance with their state-specific legal obligations.
All individuals working for, or on behalf of, the RPF Group who are involved in the development, deployment, support, or data management of Services used by K-12 Schools in the USA must adhere to this policy.
Definitions
Applicable State Law(s): Any state statute or regulation in the United States that governs the privacy, security, or handling of student data, pupil records, or similar educational information, and applies to the 美国农夫导航's operations within that state.
Data Processing Agreement (DPA): A legally binding contract between the 美国农夫导航 and a School that outlines the terms of data processing, including privacy and security obligations. DPAs are critical for incorporating state-specific requirements.
Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual's identity, as broadly defined by applicable state laws (which may extend beyond FERPA's definition).
Student Data: A broad term referring to any information related to a student, including PII, education records, and other data collected or generated in the educational context, as defined by relevant state laws.
Guiding Principles for State Law Compliance
7. The 美国农夫导航's approach to state student privacy law compliance is guided by the following principles:
Proactive Monitoring: We continuously monitor legislative developments at the state level to identify new or amended student privacy laws.
Most Stringent Standard: Where state laws impose requirements more stringent than federal law (FERPA/COPPA) or general best practices, the 美国农夫导航 will endeavour to adopt these higher standards as our baseline for operations in that state, or more broadly where feasible and practical.
Contractual Alignment: Our Data Processing Agreements (DPAs) will be regularly reviewed and updated to reflect specific mandates from applicable state laws, particularly regarding data use limitations, security obligations, and breach notification.
Transparency: We will be transparent with Schools about how our Services and policies align with state privacy requirements.
Purpose-Driven Data Use: Student data will only be collected and used for legitimate educational purposes as defined by the school and permitted by state law.
No Commercial Exploitation: Student data will not be sold, rented, leased, or used for targeted advertising, or for creating commercial profiles of students, in accordance with prohibitions common in many state student privacy laws (e.g., California SOPIPA, Illinois SOPPA).
Compliance Framework and Responsibilities
8. The 美国农夫导航 implements a structured framework to ensure ongoing compliance with state student privacy laws:
a. Legal and Regulatory Monitoring:
The Legal and/or Compliance Department is responsible for identifying, tracking, and analysing new and amended state student privacy legislation and relevant regulatory guidance.
Subscription to legal updates, industry groups (e.g., SDPC), and legislative tracking services will be maintained.
b. Impact Assessment and Implementation:
Upon identifying new or changed Applicable State Laws, the Legal Team will conduct an impact assessment to determine how the law affects the 美国农夫导航's data processing activities and contractual obligations.
Cross-functional teams (e.g., Digital Product, IT, Legal) will be convened to implement necessary changes to:
Service features or data collection practices.
Internal policies and procedures.
Data Processing Agreement (DPA) templates.
Security measures.
c. Data Processing Agreements (DPAs):
The 美国农夫导航's DPA template is designed to incorporate a broad range of common state student privacy requirements.
Where a specific state law mandates unique contractual clauses (e.g., explicit prohibitions on data mining, specific breach notification timelines, requirements for specific data deletion instructions), the DPA will be tailored, or an addendum will be used to ensure compliance for Schools in that state.
Schools will be required to execute a DPA that adequately covers relevant state privacy obligations before processing any student data for them.
d. Employee Training:
All staff involved in handling US student data will receive regular training on the importance of student privacy, including a general overview of state privacy law trends and specific instructions on how to adhere to the 美国农夫导航's policies.
Specific training will be provided to relevant teams on state-specific contractual requirements.
e. Data Practices:
Data Minimisation: Collection of student data will be limited to what is strictly necessary to perform the educational services for the school, aligning with state requirements to avoid over-collection.
Data Retention & Disposal: Student data will be retained only as long as necessary for the educational purpose and in accordance with the DPA and the 美国农夫导航's Data Retention Policy, which will respect specific state-mandated retention limits if applicable. Secure deletion methods will always be used.
No Targeted Advertising/Commercial Use: The 美国农夫导航 explicitly commits to not using student data for targeted advertising or building profiles for non-educational purposes, consistent with prohibitions in many state laws.
f. Security Measures:
The 美国农夫导航's policies and practices are designed to meet or exceed security requirements found in various state student privacy laws, including measures for data encryption, access controls, vulnerability management, and incident response.
Specific State Law Considerations (Illustrative Examples - Not Exhaustive)
9. While specific legal requirements may vary by state, the 美国农夫导航's policies and practices are designed to address common themes found in many state student privacy laws, including:
Prohibitions on Commercial Use: Many states (e.g., CA SOPIPA, IL SOPPA, CT PA 16-189, MD Online Data Privacy Act) prohibit operators from using student data for targeted advertising, creating profiles for non-educational purposes, or selling/renting student data. The 美国农夫导航's policies explicitly align with these prohibitions.
Data Deletion Requirements: Some states mandate the deletion of student data upon request from the school or at the end of a contract, often with specific timelines. Our Data Retention Policy and DPA facilitate these requirements.
Breach Notification: State laws often have specific timelines and content requirements for data breach notifications, in addition to FERPA's general guidance. Our Data Breach Response plan incorporates these state-specific notification obligations to Schools.
Contractual Mandates: Many states require specific clauses in contracts between schools and third-party vendors, such as limitations on data use, security obligations, and parental rights. Our DPA template is regularly updated to include these.
Transparency Requirements: Some state laws (e.g., VA Student Data Privacy Act) emphasise transparency in data practices, requiring vendors to provide clear privacy policies. The 美国农夫导航's public-facing Privacy Policy and Direct Notices support this.
Note: This section provides illustrative examples and is not an exhaustive list of all state laws or their specific provisions. The 美国农夫导航's Legal Team maintains detailed internal documentation of current state-specific obligations.
Cooperation with Schools
10. The 美国农夫导航 recognises that Schools are ultimately responsible for compliance with FERPA, COPPA, and state student privacy laws. The 美国农夫导航 commits to:
Assisting Schools with Parental/Student Rights: Cooperating with Schools to fulfil parental or eligible student requests for data access, amendment, or deletion, as required by FERPA and supplemented by state laws.
Providing Documentation: Supplying Schools with necessary documentation (e.g., security information, audit reports, DPA details) to assist them in demonstrating their own compliance.
Responding to Inquiries: Promptly responding to legitimate inquiries from Schools regarding the 美国农夫导航's data handling practices and compliance with state laws.
Policy Review and Maintenance
11. This State Student Privacy Law Compliance Policy will be reviewed at least annually. Reviews will also be triggered by:
Significant changes in state privacy legislation.
Updates to regulatory guidance from state education agencies or attorneys general.
Changes in the 美国农夫导航's Services or data processing activities.
Lessons learned from internal audits or external assessments.
Any updates to this policy will be communicated to relevant 美国农夫导航 staff.
Annex A: California Student Privacy Guidelines
1. Introduction and Purpose
This Annex outlines the 美国电影's specific operational guidelines for complying with key California student privacy laws, primarily the Student Online Personal Information Protection Act (SOPIPA) and Assembly Bill 1584 (AB 1584). It supplements the 美国农夫导航's overarching "State Student Privacy Law Compliance Policy" and reinforces our commitment to safeguarding student data for K-12 schools in California.
2. Guiding Principles for California Compliance
The 美国农夫导航's compliance with California student privacy laws is founded on the following principles:
Prohibition on Commercial Use: Strict adherence to California's prohibitions on using student data for targeted advertising, commercial profiling, or sale.
Contractual Specificity: Ensuring Data Processing Agreements (DPAs) with California schools include all legally mandated provisions.
School as Controller: Recognising and supporting the school's primary role and responsibilities for student data under California law.
3. Data Use Prohibitions
In accordance with SOPIPA and other relevant California laws, the 美国电影 strictly adheres to the following prohibitions regarding student data from K-12 schools:
No Targeted Advertising: The 美国农夫导航 shall not use student Personally Identifiable Information (PII) to target advertisements to students or their families/guardians based on their online activities (including web browsing history, search queries, or specific content viewed).
No Commercial Profiling: The 美国农夫导航 shall not build a profile of a student for a non-educational commercial purpose.
No Sale of Student PII: The 美国农夫导航 shall not sell, rent, or lease student PII.
Limited Use of De-identified Data: While de-identified (anonymised) student data may be used for purposes such as product improvement, 美国经典三级, or development, the 美国农夫导航 shall not re-identify this data or transfer it to third parties for commercial purposes. Any such transfers of de-identified data for 美国经典三级 or educational purposes will be subject to written agreements prohibiting re-identification.
4. Contractual Requirements (AB 1584 & SOPIPA)
The 美国电影 ensures that its Data Processing Agreements (DPAs) with California K-12 schools explicitly incorporate and comply with the specific requirements of AB 1584 and SOPIPA:
Ownership and Control: The DPA will clearly state that the school owns and controls all student education records and student-generated content provided to or accessed by the 美国农夫导航.
Student Content Portability: Where applicable to the service, the DPA will describe how student-generated content (e.g., projects, code within 美国农夫导航 platforms) can be transferred, upon school request, to a personal student account or returned to the student/school.
Limited Data Use: The DPA will explicitly prohibit the 美国农夫导航 from using student PII for any purpose other than those explicitly specified in the contract and within the scope of providing educational services.
Parental/Student Rights: The DPA will outline the 美国农夫导航's procedures for assisting the School in fulfilling parental or eligible student requests to inspect, review, or correct student PII.
Data Security: The DPA will stipulate that the 美国农夫导航 maintains reasonable security procedures and practices appropriate to the nature of the PII to protect student data from unauthorised access, destruction, use, modification, or disclosure.
Breach Notification: The DPA will include clear provisions for the 美国农夫导航 to notify the School of any data breach involving student PII in a timely manner.
Data Deletion: The DPA will specify procedures for the secure deletion of student PII when it is no longer needed for the educational purpose or upon the termination of the contract, as instructed by the school.
Internal Review: All DPAs executed with California schools are subject to review by the 美国农夫导航's Legal and/or Compliance Department to ensure ongoing alignment with the latest AB 1584 and SOPIPA requirements.
5. Data Subject Rights & School Cooperation
The 美国农夫导航 recognises and supports the rights afforded to parents and eligible students under California law. As a service provider, the 美国电影 will:
Refer all requests received directly from parents or eligible students regarding their data rights (inspection, review, correction, deletion) to the relevant California School.
Fully cooperate with and assist California Schools in fulfilling these requests by providing necessary data or access as requested by the school.
Acknowledge that rights conferred by AB 1584 on parents/students directly apply to data held by third-party contractors like the 美国农夫导航.
6. Other California Privacy Law Considerations (e.g., CCPA/CPRA)
Understanding Applicability: The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are broad consumer privacy laws. However, Personally Identifiable Information (PII) of K-12 students, when collected, used, and maintained by the 美国电影 as a "service provider" on behalf of an educational institution (like a school or district) and subject to FERPA, is generally exempt from certain core provisions of the CCPA/CPRA. This exemption is typically referred to as the "FERPA exemption" within the CCPA/CPRA framework.
美国电影's Position: The 美国电影's primary data processing activities concerning K-12 student data in California are governed by FERPA, COPPA, and specific state laws like SOPIPA and AB 1584. Our Data Processing Agreements (DPAs) with California schools explicitly define our role as a "service provider" processing student data under the school's direction for educational purposes, thus reinforcing the applicability of FERPA and its associated exemptions under CCPA/CPRA.
Adherence to Broader Principles: While largely exempt from certain CCPA/CPRA consumer rights provisions for student data handled under FERPA, the 美国农夫导航 maintains a commitment to robust data privacy and security principles that often align with the spirit of CCPA/CPRA. These include:
Transparency: Our general Privacy Policy and the Direct Notices provided to schools are designed to be clear about data collection and usage.
Data Security: Our comprehensive Information Security Policy (referenced in our DPAs) implements strong safeguards for all data, including student PII, meeting or exceeding general security expectations of CCPA/CPRA.
Prohibition on Sale: Consistent with SOPIPA and the spirit of CCPA/CPRA, the 美国农夫导航 explicitly prohibits the sale of student PII.
Continuous Monitoring: The Legal and/or Compliance Department continuously monitors legislative and regulatory developments related to CCPA/CPRA (and other California privacy laws) to assess any potential new applicability or interpretation concerning K-12 student data, and will update policies and practices as necessary.
Annex B: Illinois Student Online Personal Protection Act (SOPPA) Guidelines
This Annex outlines the 美国电影's specific operational guidelines for complying with the Illinois Student Online Personal Protection Act (SOPPA), 105 ILCS 85. SOPPA is a critical student data privacy law that places significant obligations on K-12 schools and educational technology "operators" like the 美国电影 in Illinois.
This Annex supplements the 美国农夫导航's overarching "State Student Privacy Law Compliance Policy" and our federal FERPA and COPPA compliance policies. It details the specific actions and contractual commitments the 美国农夫导航 undertakes to ensure the privacy and security of student data when providing services to Illinois schools, reflecting SOPPA's robust requirements, particularly concerning Data Privacy Agreements (DPAs) and data use limitations.
The purpose of this Annex is to:
Ensure all 美国农夫导航 staff understand and adhere to the unique requirements of SOPPA.
Reinforce our commitment to protecting Illinois student data from unauthorised access, use, or disclosure.
Provide clear guidance on DPA content, data use prohibitions, and breach notification specific to Illinois.
A. DPA Requirements (Central to SOPPA):
Mandatory DPA Content: Provide a detailed checklist of all clauses that must be included in the DPA for Illinois schools, as mandated by SOPPA. This includes, but is not limited to:
A statement that the operator (the 美国农夫导航) is subject to SOPPA.
Specific limitations on data use (no targeted advertising, no sale, no profiling for commercial purposes).
Requirements for data security measures.
Breach notification timelines (within 30 days for operator, 60 days for school to parents).
Obligation to disclose subcontractors who will access covered information.
Requirement to delete covered information upon request of the school.
Term of the agreement and effective date.
School Transparency Requirements: Acknowledge that Illinois schools are required to post lists of operators they contract with and copies of their DPAs. This reinforces the need for accurate and compliant DPAs from the 美国农夫导航.
B. Data Use & Security:
Stricter Prohibitions: Reiterate SOPPA's strong prohibitions on targeted advertising, selling, or profiling student data for commercial purposes.
Security Standards: Emphasise that the 美国农夫导航’s security practices meet or exceed industry standards to protect student data from unauthorised access, destruction, use, modification, or disclosure, as required by SOPPA.
C. Breach Notification:
Specific Timelines: Outline the clear 30-day (for operator) and 60-day (for school) breach notification timelines under SOPPA, and the 美国农夫导航’s internal process for ensuring schools receive prompt notification within these windows.
D. Parental Rights:
Parental Access/Deletion via School: Confirm that the 美国农夫导航 supports schools in responding to parental requests for inspection, review, correction, and deletion of "covered information" maintained by the operator.
Annex C: New York Education Law 2-d & Parents' Bill of Rights Guidelines
1. Introduction and Purpose
This Annex outlines the 美国电影's specific operational guidelines for complying with New York State Education Law 2-d (NY Ed Law 2-d) and the associated Parents' Bill of Rights for Data Privacy and Security. This legislation sets stringent requirements for the protection of Personally Identifiable Information (PII) of students, teachers, and principals within New York's educational agencies and their third-party contractors, such as the 美国电影.
This Annex supplements the 美国农夫导航's overarching "State Student Privacy Law Compliance Policy" and our federal FERPA and COPPA compliance policies. It details the 美国农夫导航's commitment to upholding the principles and specific mandates of NY Ed Law 2-d, including comprehensive contractual provisions, robust data security, and clear responsibilities in the event of a data breach, all while respecting the rights outlined in the Parents' Bill of Rights.
The purpose of this Annex is to:
Ensure all 美国农夫导航 staff understand and adhere to the specific requirements of NY Ed Law 2-d.
Detail how the 美国农夫导航 supports New York schools in meeting their obligations, particularly concerning the Parents' Bill of Rights and the NYSED Chief Privacy Officer.
Provide clear guidance on DPA content, data security standards, and breach notification protocols unique to New York State.
A. Parents' Bill of Rights for Data Privacy and Security:
Adherence to Principles: State that the 美国农夫导航’s practices are aligned with the principles outlined in New York's Parents' Bill of Rights, particularly:
PII cannot be sold or released for marketing/commercial purposes.
Parents have the right to inspect and review PII (via the school).
Parents have the right to request amendment/correction of PII (via the school).
Parents have the right to be notified of a data breach.
PII must be collected and disclosed only as necessary for educational purposes.
Safeguards must meet industry standards and best practices.
Schools are required to enter into written agreements with third parties (DPAs).
Third parties should not maintain copies of PII once no longer needed.
Communication Support: Outline how the 美国农夫导航 will support schools in fulfilling their obligation to publish and adhere to this Parents' Bill of Rights.
B. Contractual Requirements (Ed Law 2-d):
Mandatory DPA Clauses: Provide a checklist of specific clauses required by NY Ed Law 2-d for DPAs, including:
Statement that the school is the owner of the data.
Restrictions on data use (educational purposes only, no commercial use).
Specific security measures required (encryption, access controls, employee training).
Data retention and secure deletion requirements (data must be permanently and securely deleted no later than contract end, unless legally mandated retention).
Requirement to notify the school of any breach without undue delay, and to cooperate with the school's notification to parents and the NYSED Chief Privacy Officer.
Obligation to provide data to the school upon request to fulfil parental rights.
Chief Privacy Officer: Acknowledge the role of the NYSED Chief Privacy Officer and the 美国农夫导航's commitment to cooperate with any investigations or directives.
C. Data Security and Breach Notification:
Industry Standards: Emphasise the 美国农夫导航's commitment to meeting industry standard safeguards for PII (encryption, firewalls, etc.) as required by Ed Law 2-d.
Breach Notification: Detail the 美国农夫导航's immediate notification process to NY schools following a breach, ensuring they can meet their obligations to notify parents and the NYSED Chief Privacy Officer.