COPPA Compliance Policy

Introduction and Purpose

  1. The State Student Privacy Law Compliance Policy sets out the rules and guidance for all individuals within the Raspberry Pi Foundation Group, regarding the handling of children’s data in the USA.

  2.  It applies to the Raspberry Pi Foundation, Hello World Foundation (Ireland), Raspberry Pi Foundation North America, and Raspberry Pi Educational Services Private Limited (India) (the ‘RPF Group’ or ‘Foundation’) and any other entities added to the group. 

  3. In addition to federal laws like the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA), many individual U.S. states have enacted their own student privacy laws. These state laws often impose additional or more stringent requirements on K-12 schools and their third-party service providers (like the Foundation).

  4. The Foundation is committed to adhering to all applicable federal and state student privacy laws when providing educational services and platforms to K-12 schools and districts ("Schools") in the United States. This policy outlines the Foundation's approach to identifying, understanding, and complying with the diverse landscape of state-specific student privacy legislation.

  5. The purpose of this policy is to:

    • Affirm the Foundation's commitment to comply with all relevant state student privacy laws.

    • Establish a systematic process for monitoring and adapting to new and evolving state privacy requirements.

    • Define responsibilities for ensuring compliance across all relevant Foundation functions.

    • Provide assurance to Schools that their data is handled in accordance with their state-specific legal obligations.

  6. All individuals working for, or on behalf of, the RPF Group who are involved in the development, deployment, support, or data management of Services used by K-12 Schools in the USA must adhere to this policy.

Definitions

Applicable State Law(s): Any state statute or regulation in the United States that governs the privacy, security, or handling of student data, pupil records, or similar educational information, and applies to the Foundation's operations within that state.

Data Processing Agreement (DPA): A legally binding contract between the Foundation and a School that outlines the terms of data processing, including privacy and security obligations. DPAs are critical for incorporating state-specific requirements.

Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual's identity, as broadly defined by applicable state laws (which may extend beyond FERPA's definition).

Student Data: A broad term referring to any information related to a student, including PII, education records, and other data collected or generated in the educational context, as defined by relevant state laws.

Guiding Principles for State Law Compliance

7. The Foundation's approach to state student privacy law compliance is guided by the following principles:

  • Proactive Monitoring: We continuously monitor legislative developments at the state level to identify new or amended student privacy laws.

  • Most Stringent Standard: Where state laws impose requirements more stringent than federal law (FERPA/COPPA) or general best practices, the Foundation will endeavour to adopt these higher standards as our baseline for operations in that state, or more broadly where feasible and practical.

  • Contractual Alignment: Our Data Processing Agreements (DPAs) will be regularly reviewed and updated to reflect specific mandates from applicable state laws, particularly regarding data use limitations, security obligations, and breach notification.

  • Transparency: We will be transparent with Schools about how our Services and policies align with state privacy requirements.

  • Purpose-Driven Data Use: Student data will only be collected and used for legitimate educational purposes as defined by the school and permitted by state law.

  • No Commercial Exploitation: Student data will not be sold, rented, leased, or used for targeted advertising, or for creating commercial profiles of students, in accordance with prohibitions common in many state student privacy laws (e.g., California SOPIPA, Illinois SPPA, etc.).

Compliance Framework and Responsibilities

8. The Foundation implements a structured framework to ensure ongoing compliance with state student privacy laws:

  • a. Legal and Regulatory Monitoring:

    • The Legal and/or Compliance Department is responsible for identifying, tracking, and analysing new and amended state student privacy legislation and relevant regulatory guidance.

    • Subscription to legal updates, industry groups (e.g., SDPC), and legislative tracking services will be maintained.

  • b.  Impact Assessment and Implementation:

    • Upon identifying new or changed Applicable State Laws, the Legal Team will conduct an impact assessment to determine how the law affects the Foundation's data processing activities and contractual obligations.

    • Cross-functional teams (e.g., Digital Product, IT, Legal) will be convened to implement necessary changes to:

      • Service features or data collection practices.

      • Internal policies and procedures.

      • Data Processing Agreement (DPA) templates.

      • Security measures.

  • c. Data Processing Agreements (DPAs):

    • The Foundation's DPA template is designed to incorporate a broad range of common state student privacy requirements.

    • Where a specific state law mandates unique contractual clauses (e.g., explicit prohibitions on data mining, specific breach notification timelines, requirements for specific data deletion instructions), the DPA will be tailored, or an addendum will be used to ensure compliance for Schools in that state.

    • Schools will be required to execute a DPA that adequately covers relevant state privacy obligations before processing any student data for them.

  • d. Employee Training:

    • All staff involved in handling US student data will receive regular training on the importance of student privacy, including a general overview of state privacy law trends and specific instructions on how to adhere to the Foundation's policies.

    • Specific training will be provided to relevant teams on state-specific contractual requirements.

  • e. Data Practices:

    • Data Minimisation: Collection of student data will be limited to what is strictly necessary to perform the educational services for the school, aligning with state requirements to avoid over-collection.

    • Data Retention & Disposal: Student data will be retained only as long as necessary for the educational purpose and in accordance with the DPA and the Foundation's Data Retention Policy, which will respect specific state-mandated retention limits if applicable. Secure deletion methods will always be used.

    • No Targeted Advertising/Commercial Use: The Foundation explicitly commits to not using student data for targeted advertising or building profiles for non-educational purposes, consistent with prohibitions in many state laws.

  • f. Security Measures:

    • The Foundation's policies and practices are designed to meet or exceed security requirements found in various state student privacy laws, including measures for data encryption, access controls, vulnerability management, and incident response.

Specific State Law Considerations (Illustrative Examples - Not Exhaustive)

9. While specific legal requirements may vary by state, the Foundation's policies and practices are designed to address common themes found in many state student privacy laws, including:

  • Prohibitions on Commercial Use: Many states (e.g., CA SOPIPA, IL SPPA, CT PA 16-189, MD Online Data Privacy Act) prohibit operators from using student data for targeted advertising, creating profiles for non-educational purposes, or selling/renting student data. The Foundation's policies explicitly align with these prohibitions.

  • Data Deletion Requirements: Some states mandate the deletion of student data upon request from the school or at the end of a contract, often with specific timelines. Our Data Retention Policy and DPA facilitate these requirements.

  • Breach Notification: State laws often have specific timelines and content requirements for data breach notifications, in addition to FERPA's general guidance. Our Data Breach Response plan incorporates these state-specific notification obligations to Schools.

  • Contractual Mandates: Many states require specific clauses in contracts between schools and third-party vendors, such as limitations on data use, security obligations, and parental rights. Our DPA template is regularly updated to include these.

  • Transparency Requirements: Some state laws (e.g., VA Student Data Privacy Act) emphasise transparency in data practices, requiring vendors to provide clear privacy policies. The Foundation's public-facing Privacy Policy and Direct Notices support this.

Note: This section provides illustrative examples and is not an exhaustive list of all state laws or their specific provisions. The Foundation's LegalTeam maintains detailed internal documentation of current state-specific obligations.

Cooperation with Schools

10. The Foundation recognises that Schools are ultimately responsible for compliance with FERPA, COPPA, and state student privacy laws. The Foundation commits to:

  • Assisting Schools with Parental/Student Rights: Cooperating with Schools to fulfil parental or eligible student requests for data access, amendment, or deletion, as required by FERPA and supplemented by state laws.

  • Providing Documentation: Supplying Schools with necessary documentation (e.g., security information, audit reports, DPA details) to assist them in demonstrating their own compliance.

  • Responding to Inquiries: Promptly responding to legitimate inquiries from Schools regarding the Foundation's data handling practices and compliance with state laws.

Policy Review and Maintenance

11. This State Student Privacy Law Compliance Policy will be reviewed at least annually. Reviews will also be triggered by:

  • Significant changes in state privacy legislation.

  • Updates to regulatory guidance from state education agencies or attorneys general.

  • Changes in the Foundation's Services or data processing activities.

  • Lessons learned from internal audits or external assessments.

Any updates to this policy will be communicated to relevant Foundation staff.

Annex A: California Student Privacy Guidelines

1. Introduction and Purpose

This Annex outlines the Raspberry Pi Foundation's specific operational guidelines for complying with key California student privacy laws, primarily the Student Online Personal Information Protection Act (SOPIPA) and Assembly Bill 1584 (AB 1584). It supplements the Foundation's overarching "State Student Privacy Law Compliance Policy" and reinforces our commitment to safeguarding student data for K-12 schools in California.

2. Guiding Principles for California Compliance

The Foundation's compliance with California student privacy laws is founded on the following principles:

  • Prohibition on Commercial Use: Strict adherence to California's prohibitions on using student data for targeted advertising, commercial profiling, or sale.

  • Contractual Specificity: Ensuring Data Processing Agreements (DPAs) with California schools include all legally mandated provisions.

  • School as Controller: Recognising and supporting the school's primary role and responsibilities for student data under California law.

3. Data Use Prohibitions

In accordance with SOPIPA and other relevant California laws, the Raspberry Pi Foundation strictly adheres to the following prohibitions regarding student data from K-12 schools:

  • No Targeted Advertising: The Foundation shall not use student Personally Identifiable Information (PII) to target advertisements to students, or their families/guardians based on their online activities (including web Browse history, search queries, or specific content viewed).

  • No Commercial Profiling: The Foundation shall not build a profile of a student for a non-educational commercial purpose.

  • No Sale of Student PII: The Foundation shall not sell, rent, or lease student PII.

  • Limited Use of De-identified Data: While de-identified (anonymised) student data may be used for purposes such as product improvement, research, or development, the Foundation shall not re-identify this data or transfer it to third parties for commercial purposes. Any such transfers of de-identified data for research or educational purposes will be subject to written agreements prohibiting re-identification.

4. Contractual Requirements (AB 1584 & SOPIPA)

  • The Raspberry Pi Foundation ensures that its Data Processing Agreements (DPAs) with California K-12 schools explicitly incorporate and comply with the specific requirements of AB 1584 and SOPIPA:

    • Ownership and Control: The DPA will clearly state that the school owns and controls all student education records and student-generated content provided to or accessed by the Foundation.

    • Student Content Portability: Where applicable to the service, the DPA will describe how student-generated content (e.g., projects, code within Foundation platforms) can be transferred, upon school request, to a personal student account or returned to the student/school.

    • Limited Data Use: The DPA will explicitly prohibit the Foundation from using student PII for any purpose other than those explicitly specified in the contract and within the scope of providing educational services.

    • Parental/Student Rights: The DPA will outline the Foundation's procedures for assisting the School in fulfilling parental or eligible student requests to inspect, review, or correct student PII.

    • Data Security: The DPA will stipulate that the Foundation maintains reasonable security procedures and practices appropriate to the nature of the PII to protect student data from unauthorised access, destruction, use, modification, or disclosure.

    • Breach Notification: The DPA will include clear provisions for the Foundation to notify the School of any data breach involving student PII in a timely manner.

    • Data Deletion: The DPA will specify procedures for the secure deletion of student PII when it is no longer needed for the educational purpose or upon the termination of the contract, as instructed by the school.

    • Internal Review: All DPAs executed with California schools are subject to review by the Foundation's Legal and/or Compliance Department to ensure ongoing alignment with the latest AB 1584 and SOPIPA requirements.

    5. Data Subject Rights & School Cooperation

    The Foundation recognises and supports the rights afforded to parents and eligible students under California law. As a service provider, the Raspberry Pi Foundation will:

    • Direct all direct requests from parents or eligible students regarding their data rights (inspection, review, correction, deletion) to the relevant California School.

    • Fully cooperate with and assist California Schools in fulfilling these requests by providing necessary data or access as requested by the school.

    • Acknowledge that rights conferred by AB 1584 on parents/students directly apply to data held by third-party contractors like the Foundation.

    6. Other California Privacy Law Considerations (e.g., CCPA/CPRA):

    • Understanding Applicability: The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are broad consumer privacy laws. However, Personally Identifiable Information (PII) of K-12 students, when collected, used, and maintained by the Raspberry Pi Foundation as a "service provider" on behalf of an educational institution (like a school or district) and subject to FERPA, is generally exempt from certain core provisions of the CCPA/CPRA. This exemption is typically referred to as the "FERPA exemption" within the CCPA/CPRA framework.

    • Raspberry Pi Foundation's Position: The Raspberry Pi Foundation's primary data processing activities concerning K-12 student data in California are governed by FERPA, COPPA, and specific state laws like SOPIPA and AB 1584. Our Data Processing Agreements (DPAs) with California schools explicitly define our role as a "service provider" processing student data under the school's direction for educational purposes, thus reinforcing the applicability of FERPA and its associated exemptions under CCPA/CPRA.

    • Adherence to Broader Principles: While largely exempt from certain CCPA/CPRA consumer rights provisions for student data handled under FERPA, the Foundation maintains a commitment to robust data privacy and security principles that often align with the spirit of CCPA/CPRA. These include:

      • Transparency: Our general Privacy Policy and the Direct Notices provided to schools are designed to be clear about data collection and usage.

      • Data Security: Our comprehensive Information Security Policy (referenced in our DPAs) implements strong safeguards for all data, including student PII, meeting or exceeding general security expectations of CCPA/CPRA.

      • Prohibition on Sale: Consistent with SOPIPA and the spirit of CCPA/CPRA, the Foundation explicitly prohibits the sale of student PII.

    • Continuous Monitoring: The Legal and/or Compliance Department continuously monitors legislative and regulatory developments related to CCPA/CPRA (and other California privacy laws) to assess any potential new applicability or interpretation concerning K-12 student data, and will update policies and practices as necessary.

Annex B:  Illinois Student Online Personal Protection Act (SOPPA) Guidelines

This Annex outlines the Raspberry Pi Foundation's specific operational guidelines for complying with the Illinois Student Online Personal Protection Act (SOPPA), 105 ILCS 85. SOPPA is a critical student data privacy law that places significant obligations on K-12 schools and educational technology "operators" like the Raspberry Pi Foundation in Illinois.

This Annex supplements the Foundation's overarching "State Student Privacy Law Compliance Policy" and our federal FERPA and COPPA compliance policies. It details the specific actions and contractual commitments the Foundation undertakes to ensure the privacy and security of student data when providing services to Illinois schools, reflecting SOPPA's robust requirements, particularly concerning Data Privacy Agreements (DPAs) and data use limitations.

The purpose of this Annex is to:

  • Ensure all Foundation staff understand and adhere to the unique requirements of SOPPA.

  • Reinforce our commitment to protecting Illinois student data from unauthorised access, use, or disclosure.

  • Provide clear guidance on DPA content, data use prohibitions, and breach notification specific to Illinois.

A. DPA Requirements (Central to SOPPA):

  • Mandatory DPA Content: Provide a detailed checklist of all clauses that must be included in the DPA for Illinois schools, as mandated by SOPPA. This includes, but is not limited to:

    • A statement that the operator (the Foundation) is subject to SOPPA.

    • Specific limitations on data use (no targeted advertising, no sale, no profiling for commercial purposes).

    • Requirements for data security measures.

    • Breach notification timelines (within 30 days for operator, 60 days for school to parents).

    • Obligation to disclose subcontractors who will access covered information.

    • Requirement to delete covered information upon request of the school.

    • Term of the agreement and effective date.

  • School Transparency Requirements: Acknowledge that Illinois schools are required to post lists of operators they contract with and copies of their DPAs. This reinforces the need for accurate and compliant DPAs from the Foundation.

B. Data Use & Security:

  • Stricter Prohibitions: Reiterate SOPPA's strong prohibitions on targeted advertising, selling, or profiling student data for commercial purposes.

  • Security Standards: Emphasise that the Foundation’s security practices meet or exceed industry standards to protect student data from unauthorised access, destruction, use, modification, or disclosure, as required by SOPPA.

C. Breach Notification:

  • Specific Timelines: Outline the clear 30-day (for operator) and 60-day (for school) breach notification timelines under SOPPA, and the Foundation’s internal process for ensuring schools receive prompt notification within these windows.

D. Parental Rights:

  • Parental Access/Deletion via School: Confirm that the Foundation supports schools in responding to parental requests for inspection, review, correction, and deletion of "covered information" maintained by the operator.

Annex C: New York Education Law 2-d & Parents' Bill of Rights Guidelines

1. Introduction and Purpose

This Annex outlines the Raspberry Pi Foundation's specific operational guidelines for complying with New York State Education Law 2-d (NY Ed Law 2-d) and the associated Parents' Bill of Rights for Data Privacy and Security. This legislation sets stringent requirements for the protection of Personally Identifiable Information (PII) of students, teachers, and principals within New York's educational agencies and their third-party contractors, such as the Raspberry Pi Foundation.

This Annex supplements the Foundation's overarching "State Student Privacy Law Compliance Policy" and our federal FERPA and COPPA compliance policies. It details the Foundation's commitment to upholding the principles and specific mandates of NY Ed Law 2-d, including comprehensive contractual provisions, robust data security, and clear responsibilities in the event of a data breach, all while respecting the rights outlined in the Parents' Bill of Rights.

The purpose of this Annex is to:

  • Ensure all Foundation staff understand and adhere to the specific requirements of NY Ed Law 2-d.

  • Detail how the Foundation supports New York schools in meeting their obligations, particularly concerning the Parents' Bill of Rights and the NYSED Chief Privacy Officer.

  • Provide clear guidance on DPA content, data security standards, and breach notification protocols unique to New York State.

A. Parents' Bill of Rights for Data Privacy and Security:

  • Adherence to Principles: State that the Foundation’s practices are aligned with the principles outlined in New York's Parents' Bill of Rights, particularly:

    • PII cannot be sold or released for marketing/commercial purposes.

    • Parents have the right to inspect and review PII (via the school).

    • Parents have the right to request amendment/correction of PII (via the school).

    • Parents have the right to be notified of a data breach.

    • PII must be collected and disclosed only as necessary for educational purposes.

    • Safeguards must meet industry standards and best practices.

    • Schools are required to enter into written agreements with third parties (DPAs).

    • Third parties should not maintain copies of PII once no longer needed.

  • Communication Support: Outline how the Foundation will support schools in fulfilling their obligation to publish and adhere to this Parents' Bill of Rights.

B. Contractual Requirements (Ed Law 2-d):

  • Mandatory DPA Clauses: Provide a checklist of specific clauses required by NY Ed Law 2-d for DPAs, including:

    • Statement that the school is the owner of the data.

    • Restrictions on data use (educational purposes only, no commercial use).

    • Specific security measures required (encryption, access controls, employee training).

    • Data retention and secure deletion requirements (data must be permanently and securely deleted no later than contract end, unless legally mandated retention).

    • Requirement to notify the school of any breach without undue delay, and to cooperate with the school's notification to parents and the NYSED Chief Privacy Officer.

    • Obligation to provide data to the school upon request to fulfil parental rights.

  • Chief Privacy Officer: Acknowledge the role of the NYSED Chief Privacy Officer and the Foundation's commitment to cooperate with any investigations or directives.

C. Data Security and Breach Notification:

  • Industry Standards: Emphasise the Foundation's commitment to meeting industry standard safeguards for PII (encryption, firewalls, etc.) as required by Ed Law 2-d.

  • Breach Notification: Detail the Foundation's immediate notification process to NY schools following a breach, ensuring they can meet their obligations to notify parents and the NYSED Chief Privacy Officer.