The European Union’s General Data Protection Regulation and the California Consumer Protection Act seem like ideal legislation to address privacy concerns that have arisen as a result of the increased use of education technology during the global coronavirus pandemic. Those laws’ application to edtech, however, requires untangling. This paper examines how both laws’ geographic reach, substantive scope, and treatment of principals and agents in the data lifecycle apply to edtech vendors. Because the two laws have similar approaches that differ in critical respects, edtech vendors must be cognizant of how the laws address their status as contractors with non-profit or public schools and when they are processing data on behalf of their school partners – and when they are processing it for their own purposes.

By Cody Venzke1



With the onset of the global coronavirus pandemic, the use of technology in education has seen a rapid transformation. Schools implemented remote learning in response to the pandemic and, instead of learning in classrooms, children began learning online, a trend that has extended well into the new school year. With the movement of children’s learning and data online, privacy concerns began to multiply. Advocates called attention to data use and security vulnerabilities in education technology (“edtech”) platforms. That concern was shared by the California Attorney General’s Office, which was responsible for the


Please sign in or join us
to access premium content!