U.S. Protecting Student Privacy Act Needs More Teeth

The bipartisan "Protecting Student Privacy Act" was introduced earlier today by Senators Edward J. Markey (D-Mass.) and Orrin Hatch (R-Utah) and according to the bill's press release, it "would help safeguard the educational records of students" because, "[r]ecent changes to the Family Educational Rights and Privacy Act (FERPA) have allowed for increased sharing and use of student data in the private sector."  As part of the rationale behind the need for the legislation it is mentioned that, "one survey found only 25 percent of districts inform parents of their use of cloud services and 20 percent of districts fail to have policies governing the use of online services."

FERPA needs to be updated to account for the technological advancements that have occurred in the Digital Age.  The law was enacted in 1974 when student educational records were mostly created by pen and paper and/or typewriter and stored in a school administration filing cabinet or in a teacher's notebook or classroom closet.  At that time, in general, only teachers and school administrators had access to a student's educational records. 

Since the 1970's, advancements in technology have changed the way teachers interact with students, parents, and legal guardians. When I was attending elementary, middle, and high school throughout the 1980's, the primary form of communication between teachers and students/parents was via in-person meetings, paper letters, and/or phone calls.  In contrast, the primary form of communication between my children's teachers and my wife and I occurs via digital platforms. 

As a parent, I watch my children play and learn with electronic devices on a regular basis.  Even though my children watch television as I did at their age, they are becoming more interested in utilizing educational websites and digital device apps.  Some of these platforms have helped them learn language skills, math, geography, history, etc....With more school districts beginning to provide students digital devices, the privacy and cyber safety issues inherent with the usage of these electronic platforms are becoming more apparent. 

According to Politico, "[m]any of the latest digital tools (i.e. email, apps, cloud services, online textbooks, etc...) collect vast amounts of “metadata” as students work online; the sites track academic progress and log information about the child’s location, computer equipment and browsing habits. Most of that data never finds its way into official school files and thus is unlikely to be considered an “educational record.” That means private companies are free to do what they want with it."  This is very alarming considering that when Kathleen Styles, the Chief Privacy Officer of the Department of Education was questioned about these issues she stated that "[a]lot of metadata won't fit as an educational record."    

Due to all of the personally identifiable student information included in emails, apps, online textbooks, web browsing history and other digital activities (i.e. metadata) students may create while utilizing school provided digital services and learning tools, it is imperative that FERPA is updated to ensure that our children and future generations receive the same privacy protections we enjoyed while we attended school.  Should colleges, potential employers, insurance companies, etc... be allowed to access student scholastic digital communications and make hiring, firing, and policy decisions based on this information?  Should advertisers be allowed to prey upon (via behavioral advertising) students based upon their student-teacher and/or student-student digital communications?

It is very troubling that the Software & Information Industry Association (SIIA) continues to refuse to acknowledge the dire need for stronger digital privacy laws to protect our students despite clear and convincing evidence that FERPA does not properly protect our children's privacy in the Digital Age.  During a June 25, 2014 hearing on Capitol Hill Professor Joel Reidenberg presented Fordham Law School's Center on Law and Information Policy's seminal cloud computing study findings that demonstrated some cloud computing vendors are negotiating agreements with schools that put our students personal privacy at risk.

In addition to Prof. Reidenberg's study, Education Week and Politico performed recent in-depth investigative reports regarding the need for FERPA to be updated to better protect student privacy. These investigations found that when provided the opportunity some educational technology vendors will abuse their access to student data for profit.  For example, Education Week exposed Google's practice of scanning student emails for behavioral advertising purposes and Politico found multiple other educational technology companies that had similar troubling privacy practices and/or policies (or none at all) that enabled similar abuses of personal student data.  

Since Congress has not addressed these issues until now, states across the country have introduced and enacted more robust student data protection laws to address the privacy concerns that FERPA was not designed to protect.  For example, Kentucky and Rhode Island are some of the states that have acted to better protect our children from entities that may abuse their access to student educational digital data.     

While it is a very positive development that states are acting to better protect student privacy, it may be most efficient if robust federal legislation is enacted.  I commend Senators Markey and Hatch for introducing the Protecting Student Privacy Act and making student privacy an important bipartisan issue during these very partisan times on Capitol Hill.

The introduction of the Protecting Student Privacy Act is a good first step; however, it needs to be amended to have the intended effect of updating FERPA to account for the Digital Age.  For example, the bill needs to expand the definition of educational records to include student emails and digital metadata created on school provided services, platforms, and equipment.  Under FERPA, there is no private right of action against companies that utilize student data for non-educational purposes. To be truly effective, the legislation must hold vendors legally accountable and allow for a private right of action against those entities that violate the law. 

To paraphrase Hilary Clinton, it takes a village to protect our students' personal privacy.  Absent more robust federal student privacy laws, parents may soon come out in force against utilizing innovative digital learning tools and services.  It is imperative that Congress pass stronger student privacy laws that have strong enforcement mechanisms so students, parents, and teachers feel safe utilizing new learning tools that will help our students compete in the global economy.    

Copyright 2014 by Shear Law, LLC All rights reserved.

In The Digital Age It Takes A Village To Protect Student Privacy

Some privacy advocates have breathed a sigh of relief since hearing of the demise of non-profit inBloom, an organization that was created in 2011 to store and aggregate a wide range of student information to be used by classroom educators. The merits of inBloom's mission can be debated until its advocates and detractors are blue or red in the face.  Regardless of whether one is for or against inBloom, or its future progeny, the real win here is that student privacy is now part and parcel of the education technology (ed-tech) conversation.

Protecting the personal privacy of students has gained national attention due to the issues surrounding inBloom combined with several high profile data breaches. Compounding the privacy challenges facing students is that the Family Educational Rights and Privacy Act (FERPA), which aims to protect the privacy of students and their families, has not been updated to account for the issues inherent in the Digital Age. The Electronic Privacy Information Center, along with other privacy advocates, has alleged that the Department of Education actually weakened FERPA in 2011.

In fact, weakening student privacy protections at the dawn of the age of Big Data, the cloud, mobile apps and social media appears to have lead to a situation where some companies offer student digital learning tools for free or a reduced price to schools and in return student information may be data mined for profit.  According to a recent Politico "examination of hundreds of pages of privacy policies, terms of service and district contracts there are gaping holes in the protection of children’s privacy."

Earlier this year, Education Week reviewed the ongoing Gmail wiretapping litigation, a case that began in 2010 seeking damages on behalf of Gmail and Google Apps for Education users and those whose messages were sent to Gmail based services and made some very startling discoveries. The most troubling was that Google "scans and indexes the e-mails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off—even for Apps for Education customers who elect not to receive ads."

Google's admission in federal court and its confirmation to the media about its practices created such a huge media firestorm that within weeks after this information became public, Google announced that it would no longer scan the e-mails of students who utilize Google Apps For Education for advertising purposes.  While this announcement was a step in the right direction, why did it take an international media feeding frenzy for a change to a policy that should have never been implemented in the first place?  

In response to Google's about face regarding its student email scanning policy, Prof. Joel Reidenberg of Fordham stated, "Google can change this policy at any time, and, the scanning disclaimer is associated with advertising purposes only....There may be other commercial uses that they are exploiting student data for,....such as selling information to textbook publishers, or test-preparation services."

New technology sometimes creates situations that were never imagined when FERPA was enacted 40 years ago.  For example, when students utilize new digital learning tools offered through their schools is the metadata (the information associated with a student's use of the digital learning service) that may be created by student usage considered an "education record" and thus protected from being data mined for advertising purposes?   According to Kathleen Styles, the U.S. Department of Education's Chief Privacy Officer, “I don’t think it’s necessarily an easy decision, what is and what is not the ‘educational record,.... “It’s very contextual.  A lot of metadata won’t fit as an educational record.”  This uncertainty demonstrates the need for stronger privacy laws that better protects the personal privacy and digital emissions of students.

Possible Solutions

States have began to take action to enhance digital privacy protections for students.  For example, Kentucky's recently enacted HB 232 bans ed-tech service providers from processing student data for any purpose other than providing, improving, developing or maintaining the integrity of the service.  This type of prohibition is imperative in order for parents and students to feel comfortable using new digital learning tools.  According to Politico, "in the past five months, 14 states have enacted stricter student privacy protections, often with overwhelming bipartisan support, and more are likely on the way."

Sens. Edward Markey (D-MA) and Orrin Hatch (R-UT) recently introduced a discussion draft legislation titled, "Protecting Student Privacy Act." According to the press release, "The draft legislation would ensure that students are better protected when data is shared with and held by third parties."  While new federal legislation is a step in the right direction since uniformity across the country is preferred by most stakeholders, I believe an update to the terms "education records" and "personally identifiable information" to account for the increased capturing of student data in a digital format is needed to ensure that children are better protected from companies that put profits ahead of student privacy.

InBloom's demise and Google's recently exposed student data mining practices have brought greater attention to student privacy and the need for stronger regulations and laws that prohibit ed-tech providers from utilizing student data for commercial purposes which may include behavioral advertising, digital profiling, and other exploitation.  Ed-tech vendors must incorporate Privacy by Design into their platforms and commit to making student privacy a priority and not an afterthought. 

The bottom line is that students, parents, teachers, school administrators, lawmakers, state attorney generals, the FTC, and the ed-tech industry must work together to ensure that student  privacy is protected in the Digital Age.

Copyright 2014 by Shear Law, LLC.  All rights reserved.