Thursday, June 26, 2014

Congressional Hearing: More Enforcement Needed To Protect Student Data Privacy

I recently attended a Joint Hearing with the Subcommittee on Early Childhood, Elementary, and Secondary Education titled "How Data Mining Threatens Student Privacy" in Congress.  This hearing caught my attention because, as a parent of two young children, student privacy is very near and dear to my heart.

Invited to testify were:  Prof. Joel Reidenberg, Founding Academic Director of Fordham Law School's Center on Law and Information Policy, Mr. Mark MacCarthy, Vice President of Public Policy for the Software & Information Industry Association (SIIA), Ms. Joyce Popp, Chief Information Officer of the Idaho State Department of Education, and Mr. Thomas Murray, State and District Digital Learning Director for the Alliance for Excellent Education.
  
During the hearing, Prof. Reidenberg discussed his groundbreaking Privacy and Cloud Computing in Public Schools study that found, "fewer than 7% of contracts [between schools and ed-tech vendors] restrict the sale or marketing of student information by vendors, and many [cloud] computing agreements allow vendors to change the terms without notice."  He also stated that 25% of services offered to schools use "freemium" models that have to monetize student data in a manner that most likely does not benefit student learning.  These troubling findings were of great interest to the members of Congress and those who attended the hearing.

The SIIA appeared not to be interested in acknowledging Prof. Reidenberg's findings and the organization may have even provided intentionally misleading testimony.  For example, on pages 4-5 of its written testimony the SIIA stated, "The federal government recently updated regulations and guidance for FERPA [Family Educational Rights and Privacy Act] and COPPA [Children’s Online Privacy Protection] specific to online educational services."  This statement is factually incorrect. 

FERPA's regulations were not recently updated.  Earlier this year, the Department of Education issued updated guidelines which do not provide the same protections as updated regulations.  During the hearing, Prof. Reidenberg made the committee aware of this distinction.  When the SIIA stated that Prof. Reidenberg's study did not have concrete proof that some ed-tech vendors were utilizing personal student data for non-educational purposes, Prof. Reidenberg mentioned Google's recent admission in federal court that it scans student emails for potential advertising.  

The SIIA's members include ed-tech vendors that sell their services to schools.  Some of these companies offer their digital services for free to schools and in return may data mine student emails and build student user profiles for advertising purposes.  For example, in an ongoing federal lawsuit in California that Prof. Reidenberg mentioned in his testimony, Google admitted under oath that it "scans and indexes the emails of all Apps for Education users for a variety of purposes, including potential advertising, ... that cannot be turned off—even for Apps for Education customers who elect not to receive ads."

While intense outrage from parents and schools along with international media scrutiny recently led to Google announcing it will allegedly stop these practices, Google's behavior demonstrates the need for stronger enforcement of student privacy laws, greater transparency in the industry, and, where needed, a strengthening of the current legal and regulatory framework.

One of the most memorable instances of the hearing occurred when Rep. Pat Meehan of Pennsylvania asked the SIIA whether current law would protect his son from receiving targeted Coca-Cola ads based on data provided by his school.  The SIIA claimed it would be illegal due to existing government regulations and that FERPA applies to vendors; however, Prof. Reidenberg strongly disagreed with these assertions and proved that the SIIA was misleading the committee about these issues.

Prof. Reidenberg recommended modernizing FERPA so it applies to all student information and mandates a notice to parents for public disclosure of the educational uses of student data.  He also stated that schools need written contracts with specific prohibitions against the use of student data for non-educational purposes, chief privacy officers, and a private right of action against vendors who misuse student data because currently parents and families do not have legal remedies to hold ed-tech companies legally accountable.

It's unfortunate that the SIIA appears to be more interested in protecting its members who are either monetizing student data for profit or who may want the ability to do so in the future.  During the hearing, it sounded as though the SIIA would not support a private right of action for students and/or their families to hold ed-tech vendors legally accountable for mishandling their personal information.  This apparent admission is very troubling and appears to demonstrate that the SIIA is out of touch with the needs of students, parents, and schools.  If the ed-tech industry wants to ensure the continued growth of the sector, it must be willing to support robust enforcement actions and stronger privacy protections for students.

Presidents Bill Clinton, George W. Bush, and Barack Obama each were able to achieve our country's highest elective office because their personal thoughts and the activities they participated in while they were growing up and "exploring their youth" were not held against them for the rest of their lives. The only way current and future generations of students will have the same opportunities to make their hopes and dreams come true is if they are afforded stronger privacy protections regarding their personal digital information.

Copyright 2014 by Shear Law, LLC.  All rights reserved.