New law implemented to protect online student privacy
LEAs need to know the parameters to ensure compliance with school-associated websites and apps
children's hands typing on a laptop

Local educational agencies are increasingly using online programs for student learning. With any use of such websites and applications, there is a concern about the safety of students who are utilizing them, including in the collection and use of personal information. In its most recent session, the state Legislature added more safety requirements with which businesses that provide online products, services and features for children’s use must comply.

While the Legislature did not place any specific requirements on schools, local educational agencies need to know about the new requirements since they often utilize the online products and services involved for educational purposes. The requirements can provide some measure of reassurance that school-provided online services that are likely to be accessed by children will be safe for students.

The California Age-Appropriate Design Code Act

Effective July 1, 2024, Assembly Bill 2273, the California Age-Appropriate Design Code Act, requires that businesses that provide online services, products or features “likely to be accessed by children” comply with certain requirements aimed at ensuring the safety of children. The act applies to children and young adults under 18 years of age, a departure from the Children’s Online Privacy Protection Act (COPPA), the federal law that applies only to children under age 13.

The act applies to online services that are directed to children, routinely accessed by a significant number of children, has advertisements marketed to children, has design elements known to be of interest to children or a significant amount of the audience is children (as determined by internal company research). This would likely include applications that have an educational feature.

The act imposes a number of requirements on businesses that provide these services. Before offering any new online service to the public, such businesses must complete a Data Protection Impact Assessment of the service, to be reviewed biennially, which includes, but is not limited to, determining whether the service could harm children, lead to children being exposed to harmful contacts, or permit children to witness or participate in harmful conduct. The act also sets limits on the use, collection, or sharing of children’s personal information, including their geolocation information, and prohibits using “dark patterns to lead or encourage children to provide personal information” beyond what is necessary for the use of the service. Businesses that fail to meet these requirements are subject to civil penalties (fines). The act also creates the California Children’s Data Protection Working Group, tasked with delivering a report to the Legislature regarding best practices for implementing the act.

Practical implications of the act

The new law will likely affect some of the online learning software that schools provide to students, such as Duolingo. The free language learning application has a feature called “Duolingo for Schools,” which uses the existing Duolingo application that is available to the public at large, and allows it to be managed by teachers and other school personnel. The act would likely apply to such a program.

Duolingo currently has terms in its privacy policy that apply to children and, thus, students. The terms include requiring parental email addresses to set up an account, preventing use of the child’s name, preventing children from uploading their photo to their profile, keeping children’s profile’s hidden from other users, and having advertisements set to family safe content. Duolingo uses third-party services such as analytics and behavior tracking with adult users for various reasons related to its services but disables use of these third-party services for student users. Duolingo also allows students to use its school application anonymously and omit certain personal information (e.g., birthdate, email address). Teachers can also create accounts for students.

Duolingo defines children as “children under the age of digital consent” (13, under federal law, though certain Duolingo protections apply to children under age 16). However, under the act, Duolingo will be required to provide the additional protections of the act to children and young adults through age 17. (The act also arguably makes the digital age of consent 18 years of age in California, though the term “digital age of consent” is not contained in the bill.) It will also be required to conduct the Data Protection Impact Assessment and conform to the other requirements regarding children’s data. This will be true of other, similar businesses offering online services, all of which will be incentivized to avoid the penalties that would come with failing to adhere to the act.

The California Age-Appropriate Design Code Act is broader than its application to educational uses, but it may offer schools more options for technology use to enhance students’ educational opportunities with reduced concerns about student safety and privacy. One concern that has arisen is that LEAs typically enter into contracts for use of technology-related services. In such contracts, they could require the technology service provider to agree to terms regarding safeguarding student records/privacy and safety controls. A provider like Duolingo that provides free services is unlikely to agree to such a contract, since they would be receiving no payment in return for providing additional privacy and measures required in the contract, giving LEAs no leverage to require those measures. LEAs should, however, continue to ensure that they follow their policies and regulations to protect student records as required by law and monitor student use of any online service to protect against any use that could be harmful to students.