Updated Guidance for Edtech Providers

The UK Privacy Regulator (ICO) recently updated its guidance on privacy compliance for providers of education technologies (Edtech). This should be seen as a call to action for Edtech providers to ensure their privacy compliance program is fully up to date. This blog post sets out key elements of the ICO’s updated guidance and provides practical takeaways for Edtech providers.

ICO’s Focus on Children’s Privacy

Since the ICO issued the Children’s code in August 2020, online services with underage users have been on the ICO’s radar. The ICO’s three-year action plan, launched in July 2022, further identified children’s privacy as a priority area for both its investigatory and project work. As a result, organizations have been receiving queries from the ICO regarding their compliance with the Children’s code, some of which have led to formal investigations. Wilson Sonsini’s European Data Protection and Privacy practice routinely advises clients in this sphere, and recently obtained the closure of a formal ICO investigation without any enforcement action taken against its client. 

Expanded Focus on Edtech

The ICO is now expanding its focus on Edtech providers. In May 2023, the regulator updated its Guidance on the Children’s code and education technologies (Guidance). The Guidance clarifies that the Children’s code will apply to Edtech providers in two key situations:

  1. Direct to consumer. Edtech providers will be within scope of the Children’s code where they offer services that are likely to be accessed by children on a direct-to-consumer basis, e.g., where an app is made available through an app store. In these situations, the provider will likely be acting as a controller for the purposes of the UK General Data Protection Regulation.
  1. Providing services through schools. Edtech providers will also be required to comply with the Children’s code where they provide their services through schools and they “influence” the nature and purposes of processing children’s data. Examples listed by the ICO include where the provider sets parameters on how information can be processed, or processes data for commercial purposes which, according to the ICO, include product development. In the latest version of the Guidance, the ICO indicates that it is willing to look beyond the terms of any contract put in place between a provider and a school in order to determine whether the Children’s code should apply.

Practical Takeaways for Edtech Providers

The updated Guidance, billed by the regulator as a clarification, should be seen as a call to action for Edtech providers that had previously considered themselves outside the scope of the Children’s code. Priority items for providers should be to:

  1. Review and stress test their position as to whether they act as a controller or a processor in relation to children’s data.
  2. Ensure that internal records of data processing are up to date and identify a lawful basis for processing (where the provider acts as a controller).
  3. Consider whether steps taken to age-gate services are functioning as intended, or whether additional steps should be taken to ensure that underage users are not granted access to the services.  
  4. Review the 15 standards of the Children’s code to assess whether providers need to make any changes to ensure compliance. These standards state, for example, that services should be developed in the best interests of children that are likely to access them, and that data protection impact assessments should be carried out to assess and mitigate any risks to children that arise from the handling of their data.