Privacy & Information Security Law Blog

On February 13, 2024, New York Attorney General (“NY AG”) Letitia James and New York State Education Department Commissioner (“NYSED”) Betty A. Rosa announced that College Board has agreed to settle charges in connection with allegations that it violated New York Education Law § 2-d, New York’s student privacy law. 

College Board is a New York-based nonprofit that administers standardized tests to high school students as part of the college admissions process, develops college readiness programs, and has a contract with NYSED to subsize exam fees for low-income students. College Board also operates Student Search Service (“Search”), a program that allows colleges, universities and other educational institutions to request names and contact information for high school students based on certain characteristics such as race, zip code and GPA.

The NY AG alleged that College Board collected students’ personal data while administering PSAT, SAT and AP exams and while students signed up for an account through its online portal. Though the sign-up process was optional, many students were encouraged to sign up for the Search program in the “high-pressure context of an important exam.” The data included sensitive information such as interest in religious activities and parents’ income level. College Board then allegedly licensed this data to colleges, scholarship programs and other Search customers, who used such data to solicit students to participate in their programs. College Board also allegedly used students’ personal data that it received pursuant to its contracts with New York schools and school districts to disseminate its own marketing materials, in violation of both New York law and College Board’s contracts with the agencies, including the NYC Department of Education. The NY AG and NYSED noted that the data of more than 237,000 students was improperly disclosed in 2019 alone.

In addition to a $750,000 penalty, the settlement prohibits College Board from (1) using or sharing student data that it receives pursuant to its contracts with a New York educational agency, including student data received in the course of administering and scoring PSAT, SAT or AP exams, for commercial or marketing purposes; and (2) sending students marketing materials regarding participating in Search or any other College Board programs through which College Board uses student data for a commercial or marketing purpose. The settlement also requires College Board to negotiate a data protection agreement with NYSED to include in all contracts with New York educational agencies for certain covered services.