Online Student Portals – Is Your School Protecting Student Privacy?

A school's online footprint today extends significantly beyond the publicized athletic victories and parent-teacher conference dates found on a typical website from ten years ago. Many private schools now maintain online student portals that are interactive, house private student information, have messaging capabilities, collect homework, and possess myriad additional features. Schools should be aware of the legal requirements, pitfalls, and best practices associated with maintaining online systems of this kind. For good reason, student privacy is the area of greatest concern when a school develops an online student portal. We addressed key legal issues for independent and private schools to consider in this area.

Constitutional and Common Law Privacy Protections: Private schools must follow the California Constitution to protect student privacy rights. A student could bring an action for invasion of privacy under the California Constitution. In order to succeed, the student would have to establish a legally protected privacy interest, a reasonable expectation of privacy, and a serious invasion of that privacy interest. A student could also bring an action for certain common law torts relating to invasion of privacy. Because an online student portal may contain highly sensitive information, schools should carefully review their policies and practices regarding user access within the portal to avoid unwarranted disclosures. Schools should also ensure that parents, students, and employees understand the school's policies and practices, including who is authorized to view private student information.

COPPA: The federal Children's Online Privacy Protection Act (COPPA) imposes parental notice and consent requirements on operators of commercial websites and online services that collect information from children under the age of 13 for commercial purposes. While nonprofit entities are exempt from COPPA, private schools whose student portals utilize third party services that collect student information may be subject to certain intermediary duties.

CalOPPA: The California Online Privacy Protection Act of 2003 requires an operator of a commercial website or online service that collects personally identifiable information from California residents to provide conspicuous online notice of its privacy policies and comply with the provisions of such policies. Unlike the COPPA, CalOPPA does not contain a nonprofit exemption, and therefore may apply directly to private schools. Schools that collect personally identifiable information should ensure their compliance with these notice and policy requirements.

Medical Privacy Laws: Medical information is particularly sensitive, and schools should carefully consider how to handle such information online, if at all. Certain school employees, such as a school nurse, may qualify as health care providers subject to the requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) and California's Confidentiality in Medical Information Act (CMIA). In addition, school employees have an obligation to maintain confidentiality regarding a student's disability. If student medical information passes through the online portal, the school may need to tighten access restrictions and revise parent and/or student authorization forms.

Right to Removal of Information: The Privacy Rights for California Minors in the Digital World Act requires an operator of an Internet website, online service, online application, or mobile application directed to minors to, among other things, permit a minor who is a registered user to remove – or if the operator prefers, request and obtain removal of – content or information posted on the operator's site, service, or application. The Act includes additional requirements relating to providing notice and instructions to registered users. It also provides certain exceptions, including where a provision of federal or state law requires the operator or third party to maintain the content or information. Schools who register students as users should ensure they comply with these various requirements.

The above is intended as a brief overview of legal considerations relating to privacy for private schools maintaining an online student portal. It should not be considered exhaustive. We recommend that schools consult with legal counsel to develop and maintain required website terms and conditions, notices, and policies, and to obtain advice on other appropriate measures to handle private student information online.