Technology and Student Data Privacy in Delaware
Delaware’s SB 79 (2015), also known as the Student Online Personal Information Protection Act or SOPIPA, is a student data protection law that was passed in the U.S. state of Delaware. As K-12 students within the U.S. increasingly rely on online access to complete their academic studies, Delaware’s SB 79 was enacted to protect the personal information and privacy of students within the state. To that end, the law establishes various provisions that online operators within Delaware must adhere to in order to protect the personal data of students from unauthorized use, access, modification, disclosure, and destruction.
How is an online operator defined under Delaware’s SB 79?
Under Delaware’s SB 79, an online operator is defined as “any person other than the Department (Delaware Department of Education), school districts, or schools, to the extent that the person does any of the following: a. Operates an Internet website, online or cloud computing service, online application, or mobile application with actual knowledge that the Internet website, online or cloud computing service, online application, or mobile application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. b. Collects, maintains, or uses student data in a digital or electronic format for K-12 school purposes.”
What are the duties of online operators under the law?
Under the provisions of Delaware’s SB 79, online operators that serve students within the state have the following duties with respect to the protection of student information and privacy:
- Online operators are responsible for implementing and maintaining security practices and procedures that will protect the personal information of students from unauthorized use, access, modification, disclosure, and destruction.
- Furthermore, these security measures must also comply with the Delaware Department of Technology and Information’s Cloud and Offsite Hosting Policy.
- Online operators are prohibited from selling the personal information of students, unless such sale of information is in relation to a corporate merger or another form of acquisition of an online operator by another business or entity.
- Online operators are prohibited from using the personal information of students to engage in targeted advertising.
- Online operators are prohibited from using the personal information of students to create an online profile for a particular student, unless this profile is to be used strictly for the furtherance of educational purposes.
- Online operators are prohibited from disclosing the personal data of students, subject to certain exceptions. Such exceptions include instances where a student’s personal data is disclosed to maintain compliance with another state or federal law, or when the disclosure is being made to a state agency, school district, or school in relation to specific K-12 purposes, among others.
What forms of personal data are protected under Delaware’s SB 79?
Under Delaware’s SB 79, the data elements that are protected from unauthorized access, use, and disclosure include but are not limited to:
- The names of students.
- Driver’s license and state identification card numbers.
- Discipline records.
- Telephone numbers.
- Biometric information.
- Socioeconomic information.
- Passport numbers.
- Social Security numbers.
- Online contact information.
- Text and instant messages.
- Geolocation data.
- Test and assessment results.
- Email addresses.
- Residential addresses, as well as any other address that would allow for physical contact.
- Medical and health records.
What are the penalties for violating Delaware’s SB 79?
The provisions of Delaware’s SB 79 are enforced by the Delaware Consumer Protection Unit of the Department of Justice, which has the authority to both investigate and prosecute violators of the law, at its sole discretion. Moreover, certain violations of Delaware’s SB 79 may also constitute violations of the Family Educational Rights and Privacy Act or FERPA, which can result in further penalties and punishments against online operators that fail to comply with the provisions set forth in the law.
Delaware’s SB 79 was passed to ensure that students within the state can use online technology to further their education without having their personal privacy infringed upon. What’s more, as many parents have concerns about their children’s online activity as it relates to educational pursuits, the law also provides parents with a level of protection and transparency. As such, the various provisions set forth in the law, in addition to the regulation and oversight provided by the Delaware Consumer Protection Unit of the Department of Justice, provide parents and guardians with a legal means to protect the personal data and privacy of their children.