EDTECH INDUSTRY AND DATA PRIVACY

Introduction

The EdTech industry has witnessed remarkable growth in recent years, offering innovative ways for students to access education. However, this expansion raises concerns about data privacy, especially regarding minors. In this article, we explore the challenges and implications of data privacy in the EdTech industry, with a specific focus on minors’ data.

Data Collection in EdTech

Data plays a central role in the EdTech industry. Platforms gather extensive data, including student performance, engagement metrics, and personal information such as names, ages, and email addresses. This data helps tailor educational content and enhance learning experiences, but it also sparks concerns about its usage, storage, and protection.

Challenges in Data Privacy

1. Data Security Risks

Data breaches and cybersecurity threats are ever-present risks in the EdTech industry. When minors’ data is involved, the potential consequences are more severe, necessitating robust measures to protect sensitive information from malicious actors.

2. Misuse of Data

The misuse of student data, such as profiling for marketing purposes, poses a significant concern. This could lead to privacy violations and unwanted intrusions into students’ lives.

EdTech companies may also be tempted to monetize the data they collect, which could result in conflicts of interest between profit motives and student well-being.

Implications for Minors’ Data

1. Vulnerability

Minors are a particularly vulnerable group in terms of data privacy. Their limited understanding of the implications of sharing personal information online exposes them to potential exploitation and misuse.

2. Long-term Consequences

Data collected during a minor’s education can have long-term implications. Mishandled data, whether inaccurate or sensitive, could affect a student’s future educational and professional opportunities.

3. Psychological Harm

The misuse of minors’ data, especially in cases where it is used for targeted advertising or behavioral profiling, can lead to psychological harm. This includes feelings of intrusion, anxiety, and a

Protecting Minors’ Data

1. Clear Policies and Consent

Educational institutions and EdTech companies must establish clear data privacy policies and obtain proper consent. In the case of children, it is often argued that consent should be taken from parents or guardians when collecting minors’ data. These policies should specify what data is collected, its purpose, and the security measures in place.

2. Secure Data Storage

Robust cybersecurity measures are essential to protect minors’ data from breaches. Encryption, regular security audits, and employee training are crucial for data security.

3. Compliance with Regulations:

Companies should comply with relevant data protection regulations, such as the Children’s Online Privacy Protection Act (COPPA) in the United States or the General Data Protection Regulation (GDPR) in the European Union.

They should also keep themselves updated about changes in data privacy laws and ensure ongoing compliance.

The DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) has also taken progressive measures to protect minors’ data. Section 9 provides certain special measures for children’s data.

It lays down a requirement to obtain verifiable consent from the parent or the lawful guardian before processing a child’s data. It also places restrictions on processing activities that are likely to cause detriment to a child. Moreover, it prohibits tracking, behavioural monitoring, and targeted advertising to children.

It is important to note that the DPDP Act envisages penalties up to Rs. 250 crores for non-compliance.

Conclusion

The EdTech industry holds enormous promise for the future of education but must navigate the complex landscape of data privacy, particularly for minors. Without adequate safeguards, data misuse, discrimination, and long-term consequences pose risks to young learners. By implementing clear policies, secure data storage, and regulatory frameworks, the EdTech industry can balance innovation with the protection of minors’ data privacy. As the industry continues to evolve, prioritizing the well-being of its youngest users is essential.

Major Privacy Updates of the Week

Meta Using Features to Lure Children to Instagram and Facebook: Claims Nearly 3 dozen U.S. States

Meta was sued by more than three dozen states on Tuesday for knowingly using features on Instagram and Facebook to hook children to its platforms, even as the company said its social media sites were safe for young people.

Colorado and Tennessee led a joint lawsuit filed by 33 states in the U.S. District Court for the Northern District Court of California, saying Meta — which owns Facebook, Instagram, WhatsApp and Messenger — violated consumer protection laws by unfairly ensnaring children and deceiving users about the safety of its platforms. The District of Columbia and eight other states filed separate lawsuits on Tuesday against Meta with most of the same claims.

https://www.nytimes.com/2023/10/24/technology/states-lawsuit-children-instagram-facebook.html?_ga=2.82174879.842518493.1698401871-131083301.1698401871

New York Can Resume Family DNA Searches for Crime Suspects: Court Rules

The New York Court of Appeals ruled that the state can resume using familial DNA searches in criminal cases. The ruling reversed a lower court decision from last year that blocked the practice.

Familial DNA searches allow law enforcement to search DNA databases to find relatives of people who left genetic material at a crime scene. The technique has helped solve crimes but has also raised privacy concerns.

The majority opinion, written by Chief Judge Rowan D. Wilson, said that the state’s rulemaking process for the searches was legal. Wilson also said that regulations intended to protect privacy have resulted in very few search results provided to law enforcement.

https://www.washingtonpost.com/business/2023/10/24/dna-searches-police-court-ruling-new-york/e7e08192-72b6-11ee-936d-7a16ee667359_story.html

Identity Management Platform Okta Experiences Data Breach

On October 20, 2023, Okta, an identity management platform, experienced a data breach. The breach involved an attacker using a stolen credential to access Okta’s support case management system. The attacker was able to view files uploaded by Okta customers using valid session tokens from recent support cases.

Okta confirmed that “certain Okta customers” were affected. The breach also marked the second breach for Okta in as many years. In March 2022, Okta confirmed that Lapsus$ threat actors compromised the account of a customer support engineer who worked for a third-party provider and then used that account to steal customer data.

Okta warns that hackers broke into its support case management system and stole sensitive data that can be used to impersonate valid users.

https://en.softonic.com/articles/almost-200-people-were-impacted-by-the-latest-okta-breach

Data Breach at Flagstar Bank Affects Data of 800,000 People

Flagstar Bank, a Michigan-based financial services provider, announced a data breach that affected over 800,000 US customers. The breach was caused by a third-party service provider, Fiserv, which suffered a MOVEit data breach. The Cl0p ransomware operation was responsible for the widespread MOVEit hack.

The breach exposed the personal information of 837,390 customers. The breach of Social Security numbers puts all affected customers at risk of identity theft.

This was the third data breach at Flagstar Bank since March 2021. Flagstar was once one of the largest banks in the United States, with total assets of over $31 billion. New York Community Bank has owned Flagstar since 2022.

https://www.infosecurity-magazine.com/news/flagstar-bank-moveit-breach/

Amazon Rolls Out Independent Cloud for Europe to Address Stricter Privacy Standards

Amazon is rolling out an independent cloud for Europe as it looks to address strict regulations that companies and those in the public sector face in the European Union.

Amazon Web Services said Wednesday that its AWS European Sovereign Cloud, which will be located in and operate out of Europe, will have the same security, availability, and performance as existing AWS regions but will be separate from them. The cloud will let customers keep all metadata they create in the European Union and will have its own billing and usage metering systems.

https://finance.yahoo.com/news/amazon-rolls-independent-cloud-europe-104852829.html?guccounter=1

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay

WEEKLY PRIVACY NEWSLETTER

Keep up to pace with this high-impact weekly privacy newsletter that
features significant data privacy updates, trends, and tools that can
help to make your life secure & easier every day!

*By clicking on subscribe, I agree to receive communications from Tsaaro

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.

Cookie	Duration	Description
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.