Skip to content

Constant Counsel

Quick Connect (15 Minute Call)
PNG Header Logo Constant Counsel
Home » Blog » Ohio’s New S.B. 29: A Must-Read Compliance Guide for EdTech Providers

Ohio’s New S.B. 29: A Must-Read Compliance Guide for EdTech Providers

Spread the love

Ohio’s updated legislation under Senate Bill 29 (S.B. 29) introduces stringent requirements for EdTech providers working with school districts. These laws emphasize student privacy, data security, and transparency.

Here’s what EdTech companies need to know to ensure compliance and maintain strong partnerships with schools.

Key Takeaways

  • Contracts: Clearly outline data use, security, and access; support districts in providing transparent, accessible agreements.
  • Device Monitoring: Audit and redesign tools to meet strict limitations and exceptions; integrate notification capabilities.
  • Monitoring Notices: Provide templates and tools to assist districts with required notifications and reporting.
  • Data Privacy: Strengthen security measures and align data-sharing practices with legal mandates.
  • Compliance: Train staff, implement robust controls, and update policies to prevent violations and penalties.

Contractual Transparency and Parental Access

RC 3319.326 mandates that school districts provide parents and students with access to complete copies of contracts with technology providers. For EdTech companies, this means:

  • Ensure all contracts clearly outline the scope of data usage, security measures, and employee access policies.
  • Prepare to support districts in making contract information accessible, whether through digital repositories or other means.
  • Develop parent-friendly summaries of contractual obligations to aid your school partners in providing transparency and fostering trust with families.

Restrictions on Device Monitoring

RC 3319.327 limits the monitoring capabilities of school-issued devices, restricting access to features such as location tracking, audio/visual monitoring, and student interactions. Monitoring is allowed only under specific circumstances, including:

  1. Educational purposes with prior notice.
  2. Judicial warrants.
  3. Responding to theft or safety threats.
  4. Compliance with federal or state laws or funding requirements.

For EdTech providers you should:

  • Audit device management and monitoring practices to ensure compliance with these restrictions.
  • Develop technology solutions that align with the six allowable exceptions and integrate notification mechanisms for districts.
  • Provide documentation and training for districts on using monitoring tools within the legal framework.

Notification Support for Monitoring Activities

The law requires districts to issue notices for device monitoring:

  • General Notices: At the start of the school year, if monitoring occurs for any of the six exceptions.
  • 72-Hour Notices: When a monitoring event is triggered, including details of the event and the accessed features.

EdTech providers should:

  • Create templates or automated tools to assist districts in generating required notices quickly and accurately.
  • Ensure monitoring systems can log activity and produce detailed reports to support districts in meeting notification requirements.
  • Collaborate with districts to identify and address potential risks in notice disclosures to avoid violating other privacy laws.

Data Privacy Protections

RC 3319.327 prohibits unauthorized access to educational support services data and restricts its use to authorized purposes. Additionally, this data is exempt from Ohio’s Public Records Act. For EdTech providers, you should:

  • Implement robust data protection measures to prevent unauthorized access and ensure compliance with state and federal privacy laws.
  • Review data-sharing practices to align with the Opportunities for Ohioans with Disabilities agency requirements and other authorized entities.
  • Provide clear, secure mechanisms for districts to manage and share data when necessary.

Licensure Penalties for Data Misuse

RC 3319.31 allows the State Board of Education to impose penalties for data misuse, including license suspension or revocation. For EdTech providers, you should:

  • Establish strict internal controls to prevent unauthorized data use or disclosure.
  • Train staff on the implications of data privacy laws and best practices for compliance.
  • Regularly review and update policies to mitigate the risk of violations.

Preparing for Compliance – What Steps Should you Take?

To stay ahead of these legal requirements, EdTech providers must take proactive steps:

  1. Review Contracts: Ensure alignment with RC 3319.326’s transparency and security mandates.
  2. Update Monitoring Practices: Redesign tools and policies to comply with RC 3319.327’s restrictions.
  3. Enhance Communication: Develop resources to help districts meet their notification and compliance obligations.
  4. Strengthen Data Protections: Safeguard educational support services data with robust systems and protocols.
  5. Educate Teams: Train employees on compliance standards and the consequences of violations.

Conclusion

The passage of S.B. 29 and its implementation of the changes reflected in RC 3319.326 and RC 3319.327 represents a significant shift for EdTech providers operating in Ohio. By addressing these requirements, companies can not only ensure compliance but also position themselves as trusted partners to schools and districts.

At Constant Counsel, we specialize in guiding EdTech companies through complex legal landscapes. Whether you’re crafting compliant contracts or reassessing your data security policies, our expertise ensures you stay ahead of the curve.  We stand ready to assist you in taking these recommended actions in response to S.B. 29.

Contact us today to learn how we can help your business thrive in this evolving regulatory environment.

 

Leave a Reply

Your email address will not be published. Required fields are marked *