On February 13, 2024, the New York Attorney General Letitia James and New York State Education Department (NYSED) Commissioner Betty A. Rosa announced a settlement with College Board to resolve allegations that College Board violated New York Education Law § 2-d, the state’s student privacy law.
Unlike some student privacy laws that only directly apply to educational agencies, New York Education Law § 2-d includes provisions that apply to third-party contractors, including for-profit companies, nonprofit organizations, and individuals who receive student data pursuant to a written agreement. New York Education Law § 2-d prohibits third-party contractors from sharing student personally identifiable information received pursuant to a contract without written parental or eligible student consent.1The law and its implementing regulations also prohibit third-party contractors from using or selling student data for any commercial or marketing purposes, even with parental consent.2This includes advertising, as well as uses that “develop, improve or market products or services to students.3
To resolve allegations that College Board used student data in contravention of these restrictions, the settlement requires that College Board pay $750,000 in penalties and cease using or sharing student data received pursuant to its contracts for commercial or marketing purposes.
Alleged Conduct
College Board offers three exam formats: PSAT, SAT, and AP exams, which they offer to students in New York schools during the school day pursuant to agreements with those schools. Prior to June 2022, when students in New York schools signed up for a College Board account or were given the exams, they received the option to provide additional information, such as GPA, anticipated course of study, and parents’ level of income, for participation in College Board’s Student Search Service. College Board then licensed this data to its customers, including colleges and scholarship programs, to use for recruiting students. Students who consented to participating in this service had the ability to later opt-out via their online account, but not all students who opted in for the service had online accounts.
In addition to sharing student data with Student Search Service customers, College Board also allegedly used student data for its own marketing purposes. Until fall 2022, College Board used student data received during a school-day PSAT or SAT exam to send marketing communications, and until 2023, when registering for AP exams, students received the opportunity to opt in to receive marketing materials from College Board.
Violations of New York Education Law
Under New York law, organizations may not use or share student data obtained under a contract with a New York educational agency for commercial or marketing purposes, even with consent. Therefore, the NY AG alleged that College Board improperly used student data obtained in connection with administering exams when it licensed this data to Student Search Service clients and used the data to send its own marketing materials.
Settlement Terms
As part of the settlement, College Board is prohibited from selling or using contractually obtained student data for any commercial or marketing purposes, and cannot solicit students to participate in the Student Search Service when the exams are administered as part of an educational contract. College Board also cannot use the data in any other program where the data would be used for a commercial or marketing purpose.
The settlement clarifies that disclosures to scholarship institutions (e.g., National Merit Scholarship Corporation) are permitted, as those disclosures would not be considered for “commercial or marketing” purposes. College Board, with appropriate consent, can also disclose student data to colleges and other educational institutions when students are applying to those institutions. College Board may also use the data in order to evaluate the validity of its products and services.
The College Board also must pay $750,000 in penalties, disgorgement, and costs.
Key Takeaways
The College Board decision is a landmark settlement and is one of the first major orders to allege violations of New York Education Law § 2-d.4We expect that student privacy will be an increasingly important topic for regulators, especially given the state, federal, and international focus on children and teen privacy and online safety issues.5
Organizations that contract with schools and receive student data should pay careful attention to requirements under state privacy laws, especially New York Education Law § 2-d. In particular, organizations should evaluate their current uses of student data received pursuant to contracts with educational agencies to ensure that the data is only being used for authorized purposes and is only shared with proper consent. Organizations who have educational contracts in New York should also evaluate whether student data is currently being used for commercial or marketing purposes, both by the company itself and by any third parties with whom the organization discloses student data.
[1] N.Y. Educ. Law § 2-d(5)(f)(3)(i); 8 CRR-NY § 121.9(a)(5).
[2] N.Y. Educ. Law § 2-d(4)(f).
[3] 8 CRR-NY § 121.1(c).
[4] The New York Attorney General has previously announced an agreement with a vendor to enhance data security protocols but did not initiate a formal proceeding. Further, NYSED’s Chief Privacy Officer has previously issued determinations, though those have been directed at school districts rather than vendors. For a list of those decisions since 2021, see Determinations of the Chief Privacy Officer, N.Y. State Educ. Dept. (last visited Feb. 22, 2024), https://www.nysed.gov/data-privacy-security/determinations-chief-privacy-officer.
[5] The Wilson Sonsini Data Advisor regularly issues alerts on privacy and cybersecurity news, especially those pertaining to child and teen data. We have previously released alerts regarding the FTC’s ongoing COPPA rulemaking, the multi-state suit against Meta for alleged children and teen harms, and the UK Privacy Regulator’s continued focus on children’s privacy, among others.
