U.S. Protecting Student Privacy Act Needs More Teeth

The bipartisan "Protecting Student Privacy Act" was introduced earlier today by Senators Edward J. Markey (D-Mass.) and Orrin Hatch (R-Utah) and according to the bill's press release, it "would help safeguard the educational records of students" because, "[r]ecent changes to the Family Educational Rights and Privacy Act (FERPA) have allowed for increased sharing and use of student data in the private sector."  As part of the rationale behind the need for the legislation it is mentioned that, "one survey found only 25 percent of districts inform parents of their use of cloud services and 20 percent of districts fail to have policies governing the use of online services."

FERPA needs to be updated to account for the technological advancements that have occurred in the Digital Age.  The law was enacted in 1974 when student educational records were mostly created by pen and paper and/or typewriter and stored in a school administration filing cabinet or in a teacher's notebook or classroom closet.  At that time, in general, only teachers and school administrators had access to a student's educational records. 

Since the 1970's, advancements in technology have changed the way teachers interact with students, parents, and legal guardians. When I was attending elementary, middle, and high school throughout the 1980's, the primary form of communication between teachers and students/parents was via in-person meetings, paper letters, and/or phone calls.  In contrast, the primary form of communication between my children's teachers and my wife and I occurs via digital platforms. 

As a parent, I watch my children play and learn with electronic devices on a regular basis.  Even though my children watch television as I did at their age, they are becoming more interested in utilizing educational websites and digital device apps.  Some of these platforms have helped them learn language skills, math, geography, history, etc....With more school districts beginning to provide students digital devices, the privacy and cyber safety issues inherent with the usage of these electronic platforms are becoming more apparent. 

According to Politico, "[m]any of the latest digital tools (i.e. email, apps, cloud services, online textbooks, etc...) collect vast amounts of “metadata” as students work online; the sites track academic progress and log information about the child’s location, computer equipment and browsing habits. Most of that data never finds its way into official school files and thus is unlikely to be considered an “educational record.” That means private companies are free to do what they want with it."  This is very alarming considering that when Kathleen Styles, the Chief Privacy Officer of the Department of Education was questioned about these issues she stated that "[a]lot of metadata won't fit as an educational record."    

Due to all of the personally identifiable student information included in emails, apps, online textbooks, web browsing history and other digital activities (i.e. metadata) students may create while utilizing school provided digital services and learning tools, it is imperative that FERPA is updated to ensure that our children and future generations receive the same privacy protections we enjoyed while we attended school.  Should colleges, potential employers, insurance companies, etc... be allowed to access student scholastic digital communications and make hiring, firing, and policy decisions based on this information?  Should advertisers be allowed to prey upon (via behavioral advertising) students based upon their student-teacher and/or student-student digital communications?

It is very troubling that the Software & Information Industry Association (SIIA) continues to refuse to acknowledge the dire need for stronger digital privacy laws to protect our students despite clear and convincing evidence that FERPA does not properly protect our children's privacy in the Digital Age.  During a June 25, 2014 hearing on Capitol Hill Professor Joel Reidenberg presented Fordham Law School's Center on Law and Information Policy's seminal cloud computing study findings that demonstrated some cloud computing vendors are negotiating agreements with schools that put our students personal privacy at risk.

In addition to Prof. Reidenberg's study, Education Week and Politico performed recent in-depth investigative reports regarding the need for FERPA to be updated to better protect student privacy. These investigations found that when provided the opportunity some educational technology vendors will abuse their access to student data for profit.  For example, Education Week exposed Google's practice of scanning student emails for behavioral advertising purposes and Politico found multiple other educational technology companies that had similar troubling privacy practices and/or policies (or none at all) that enabled similar abuses of personal student data.  

Since Congress has not addressed these issues until now, states across the country have introduced and enacted more robust student data protection laws to address the privacy concerns that FERPA was not designed to protect.  For example, Kentucky and Rhode Island are some of the states that have acted to better protect our children from entities that may abuse their access to student educational digital data.     

While it is a very positive development that states are acting to better protect student privacy, it may be most efficient if robust federal legislation is enacted.  I commend Senators Markey and Hatch for introducing the Protecting Student Privacy Act and making student privacy an important bipartisan issue during these very partisan times on Capitol Hill.

The introduction of the Protecting Student Privacy Act is a good first step; however, it needs to be amended to have the intended effect of updating FERPA to account for the Digital Age.  For example, the bill needs to expand the definition of educational records to include student emails and digital metadata created on school provided services, platforms, and equipment.  Under FERPA, there is no private right of action against companies that utilize student data for non-educational purposes. To be truly effective, the legislation must hold vendors legally accountable and allow for a private right of action against those entities that violate the law. 

To paraphrase Hilary Clinton, it takes a village to protect our students' personal privacy.  Absent more robust federal student privacy laws, parents may soon come out in force against utilizing innovative digital learning tools and services.  It is imperative that Congress pass stronger student privacy laws that have strong enforcement mechanisms so students, parents, and teachers feel safe utilizing new learning tools that will help our students compete in the global economy.    

Copyright 2014 by Shear Law, LLC All rights reserved.