Colleges and Universities That Use Behavioral Tracking for Recruiting and Admissions Should Beware Privacy Compliance Pitfalls

Saul Ewing LLP
Saul Ewing Arnstein & Lehr LLP

Colleges and universities, like many other organizations, have incorporated automated data collection and predictive analytics into their business models and decision-making processes. Over the past decade, consulting companies developed predictive analytics tools for higher education institutions to refine their recruiting efforts and aid in their admissions decisions. These tools are particularly attractive as tuition costs rise, sources of funding decline, and competition for top prospects increases. While the use of data in recruiting and admissions efforts is far from new, the quantity and level of detail of the data has transformed higher ed’s marketing strategies. Where colleges and universities used to target certain geographic regions and specific high schools with predictive analytics tools, institutions are now able to customize recruiting to individual prospective students. But institutions can stumble into privacy law compliance issues if these practices are not accurately disclosed in their privacy policies and if the data is not protected when it is shared with consultants. This alert describes these data collection and use practices, summarizes the privacy compliance issues that can arise, and provides practical tools colleges and universities can implement to avoid any compliance pitfalls.

Colleges and Universities’ Data Collection and Use Practices in Recruiting Efforts and Admissions Decisions

For years, institutions have collected large amounts of data on prospective students, but predictive analytics tools now let institutions glean insights into prospective students far beyond their basic biographic information and their self-selected program of interest. With the assistance of consulting companies, institutions use tracking technology to capture data about the activity of their website visitors, including, among other things, each visitor’s IP address, unique device identification number, the pages the visitor views, how many times the visitor returns to the website, and how long the visitor spends on certain pages. This behavioral data can be linked to a named prospective student through an institution’s recruiting and marketing emails. When an email recipient clicks a link in an email from the institution to visit the institution’s website, the tracking technology records the email address associated with that click, ties it to the visitor’s IP address or device identifier, and, through that identifier, connects the email address with all of the behavioral data previously collected on that visitor, including visits made before the student had identified themselves in any way.
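The following is an added illustration, not code from the alert or from any recruiting-analytics vendor. It models the join just described in a few dozen lines of Python: anonymous page views are stored under a first-party tracking cookie, a recruiting email carries a per-recipient token in its link, and a single click on that link resolves the token to an email address and retroactively attributes every earlier anonymous visit to that person. The cookie value, IP addresses, device IDs, paths and email address are all constructed for the example, and the token scheme (a truncated hash of the address) is an assumption chosen so the example is deterministic; a real vendor would more likely use a random identifier.

```python
"""Model of how emailed tracking links turn anonymous web behavior into a
named prospective-student profile. Added example with constructed data."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse


@dataclass
class Visit:
    ip: str
    device_id: str
    path: str
    seconds: int


@dataclass
class TrackingStore:
    # Anonymous behavioral data keyed by first-party tracking cookie
    visits: dict = field(default_factory=lambda: defaultdict(list))
    # Per-recipient tokens embedded in recruiting-email links (assumed scheme)
    tokens: dict = field(default_factory=dict)
    # Cookie IDs that have been resolved to an email address
    identities: dict = field(default_factory=dict)

    def record_visit(self, cookie_id, ip, device_id, path, seconds):
        """Log a page view. Nothing here needs to know who the visitor is."""
        self.visits[cookie_id].append(Visit(ip, device_id, path, seconds))

    def issue_tracked_link(self, email, target_url):
        """Build the link placed in a recruiting email for one recipient.

        The token is derived from the address only to keep this example
        deterministic; it is not a recommendation for how to mint tokens.
        """
        token = hashlib.sha256(email.encode()).hexdigest()[:16]
        self.tokens[token] = email
        parts = urlparse(target_url)
        query = parse_qsl(parts.query) + [("rid", token)]
        return urlunparse(parts._replace(query=urlencode(query)))

    def handle_click(self, url, cookie_id, ip, device_id):
        """Serve a click on an emailed link from a browser holding cookie_id.

        Returns the resolved email, or None if the link carried no usable
        token. The important part is the side effect: the cookie, and every
        visit already stored under it, is now tied to a named person.
        """
        parts = urlparse(url)
        rid = dict(parse_qsl(parts.query)).get("rid")
        email = self.tokens.get(rid)
        if email is None:
            return None
        self.record_visit(cookie_id, ip, device_id, parts.path, 0)
        self.identities[cookie_id] = email
        return email

    def is_identified(self, cookie_id):
        return cookie_id in self.identities

    def profile(self, email):
        """Assemble everything now attributable to the address, including
        the visits recorded before the click happened."""
        cookies = [c for c, e in self.identities.items() if e == email]
        visits = [v for c in cookies for v in self.visits[c]]
        return {
            "email": email,
            "visit_count": len(visits),
            "pages": sorted({v.path for v in visits}),
            "total_seconds": sum(v.seconds for v in visits),
            "ips": sorted({v.ip for v in visits}),
            "device_ids": sorted({v.device_id for v in visits}),
        }


def demo():
    """Constructed scenario: two anonymous visits, then one email click."""
    store = TrackingStore()
    cookie = "c-7f3a"  # first-party cookie set on the first visit
    store.record_visit(cookie, "198.51.100.23", "dev-01", "/financial-aid", 240)
    store.record_visit(cookie, "198.51.100.23", "dev-01", "/programs/nursing", 95)
    assert not store.is_identified(cookie)  # still anonymous at this point

    link = store.issue_tracked_link("prospect@example.com",
                                    "https://admissions.example.edu/visit")
    email = store.handle_click(link, cookie, "198.51.100.23", "dev-01")
    return store.profile(email)


if __name__ == "__main__":
    print(demo())
```

The point for a privacy review is visible in `profile()`: the financial-aid and program pages were viewed while the visitor was anonymous, yet after one click they sit in a record keyed by the student's email address. A privacy policy that describes only "anonymous analytics" does not cover that outcome, and a vendor contract should say who holds `tokens` and `identities` and for how long.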

By combining this behavioral data with other datasets available to the institution, consulting companies can develop detailed profiles on prospective students. These datasets may be publicly available, such as U.S. Census Bureau household income data by zip code, or purchased from third-party data brokers, which amass consumer data from a multitude of sources. Institutions’ admissions offices have used these profiles and predictive analytics tools to assess a prospective student’s likelihood of applying, accepting an offer of admission, and enrolling, as well as the student’s likely financial aid needs, and then, in turn, focus their recruiting efforts on prospective students who best fit the admissions offices’ desired profile for the incoming class.

Privacy Law Compliance Issues

Recently, The Washington Post published an investigative report highlighting the above-described practices and finding that the majority of the institutions included in its investigation failed to fully disclose the extent and purpose of these behavioral tracking practices in their website privacy policies. With the increasingly turbulent privacy law landscape and the public’s heightened awareness of privacy issues, institutions need to understand their own data collection and use practices, including how they are collecting data; who they are collecting data about; how this data is used, stored, accessed and secured; and who they share the data with, so that the institutions are well-positioned to evaluate whether their practices are compliant with the existing and new privacy laws. Otherwise, institutions may not adequately (or accurately) disclose their data collection and use, and may not take appropriate steps to protect data when sharing it with third-party consultants and service providers.

This may seem like a daunting undertaking when many departments throughout an institution collect and use personal information; however, there are ways to incorporate data privacy management into the institution’s operations, as discussed in the following section.

Recommendations

Institutions should verify that their privacy policies accurately describe their data collection and use practices, consider incorporating a privacy impact assessment into their procurement and vendor contract review process, and in particular ensure their privacy policies are compliant with FERPA and GDPR, where applicable.

Privacy Policies

For institutions that post privacy policies on their websites, these policies may be outdated or may not adequately describe the data collection methods, purpose for the collection, and with whom the information is shared. To the extent data collection practices are addressed in the privacy policy, the institution should take care to accurately describe the data collection, the use of the information, the purpose for the collection and use, and disclosure of that data to service providers and third parties.

Privacy Impact Assessments

Institutions should consider incorporating privacy impact assessments (PIAs) into their procurement and vendor contract review process. A PIA is used to identify what personal information the institution is collecting and/or sharing with a third party, why the personal information is collected and/or shared, and how the personal information will be used, safeguarded, and stored. This tool enables the institution to assess the risk associated with a vendor contract, evaluate whether the institution’s privacy policy accurately reflects the collection and use of personal information required under the vendor contract, and negotiate the inclusion of provisions in the vendor contract that control the vendor’s use and protection of personal data provided by the institution. PIAs also serve as collaborative tools among procurement teams and the institution’s recruiting, marketing, and admissions departments as they engage third-party consultants to provide data analytics or behavioral analytics services, so that the institution’s lawyers and procurement team are fully informed of the institution’s data collection and use practices.

FERPA Compliance

Under the Family Educational Rights and Privacy Act (FERPA), institutions can only disclose to third parties the education records of current students if the institutions obtain the students’ consent or if one of FERPA’s exceptions to the consent requirement applies. To the extent institutions are collecting personal information about students through the behavioral tracking methods described above, institutions may share this information with consulting companies without the consent of the students under FERPA’s “school official” exception. This exception permits an institution to disclose education records to “school officials”—including consultants who are providing services to the institution—who have been determined by the institution to have “legitimate educational interests” in using the records. For this exception to the consent requirement to apply, the institution should ensure that its annual FERPA notification to students properly defines “school officials” and “legitimate educational interests” and that its contract with the service provider contains certain provisions to protect the records. Institutions should also keep in mind that FERPA protects only the records of individuals who are or have been in attendance; behavioral data collected on prospective students who never enroll generally falls outside FERPA, so its protection depends on the institution’s privacy policy, its vendor contracts, and any other applicable privacy law rather than on FERPA itself.

GDPR Compliance

To the extent the European Union’s General Data Protection Regulation (GDPR) applies here, the regulation prescribes specific information that institutions must include in their privacy policies regarding the use and disclosure of personal data. By way of example, although this is not an exhaustive list, the privacy policy must include the identity and contact information of the data controller, the purposes for processing the personal data, the legal basis for processing the personal data, the legitimate interests of the controller or third party processing the personal data, recipients of the personal data, the period for which the personal data will be stored, and the data subject’s privacy rights. The information required by GDPR is more extensive than the privacy policies that institutions have typically posted on their websites in the past. The GDPR also requires institutions to include extensive provisions in their contracts with service providers that are given access to GDPR-protected data.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
