U.S. Student Digital Data Privacy and Parental Rights Act of 2015 Introduced

On April 29, 2015, Representatives Luke Messer and Jared Polis introduced the bipartisan Student Digital Privacy and Parental Rights Act of 2015.  According to The New York Times, "the bill would prohibit operators of websites, apps and other online services for kindergartners through 12th graders from knowingly selling students’ personal information to third parties; from using or disclosing students’ personal information to tailor advertising to them; and from creating personal profiles of students unless it is for a school-related purpose."  

The legislation is modeled after California's SB 1177, (the "Student Online Personal Information Protection Act") which Education Week hailed as a "landmark" student data privacy law.  The federal Student Digital Privacy and Parental Act of 2015 is a positive piece of legislation that would help better protect the personal privacy and safety of students around the country.  The fact that some members of the ed-tech industry are wary of the bill demonstrates the potential effectiveness of the legislation.

This bill is sorely needed because as Education Week reported last year, some ed-tech vendors such as Google have been caught intentionally misleading parents about their data mining and privacy practices.  For example, exactly 1 year ago today, Google promised to stop scanning student emails and other digital content for advertising purposes.

Unfortunately, Google's promise to better protect personal student data has fallen woefully short since its troubling consumer privacy policy still covers its education offerings and this policy clearly allows it to data mine and profile students on its Google Apps For Education platform.  For example, Google's promise to stop data mining students does not extend to Google + or YouTube since neither platform is considered a  Google Apps "Core Service".   

A former IT policy director at Cornell recently authored an eye opening research paper about Google's troubling profiling and data mining practices which is a must read for school administrators, parents, and educators.  Unfortunately, Google is not the only ed-tech company with weak privacy policies and practices.  Politico and others have also called out Khan Academy for its data mining and profiling practices of students.

Earlier this year, I advocated for my home state of Maryland to enact a similar student privacy bill which was also modeled after California's SB 1177.  I was very troubled to witness Facebook and Google (here is a link to the hearing where you will see that the representatives of these companies were actively trying to thwart passage of robust student privacy protections) advocate for amendments to gut the bill's privacy protections for our children. 
  
My hope is that Facebook, Google, etc... realize that their continued refusal to accept appropriate limits on student data collection, processing, and usage will continue to make parents suspicious about their motives for providing educational technology tools.  These companies are two of the largest advertising entities in the world and their actions so far clearly demonstrate that they want access to personal student data for marketing purposes.

The following national education groups have already voiced support for the federal Student Digital Data Privacy and Parental Rights Act of 2015:

•  AASA, the School Superintendents Association
• International Society for Technology in Education
• National Association of Elementary School Principals
• National Association of Secondary School Principals
• National Education Association
• National PTA
• State Educational Technology Directors Association

along with Common Sense Media which has worked with state and federal lawmakers around the country to enact stronger student privacy laws.  On the ed-tech side, Education Week reported that Microsoft voiced its support by stating "that it [the bill] will help build public trust that vendors are adequately protecting and appropriately using student information".

Its time for the entire ed-tech industry to support the Student Digital Data Privacy and Parental Rights Act of 2015.  Embracing enhanced digital privacy protections for our students will signal to parents that the industry can be trusted to protect our children's personal information.

As a parent, I want my children to be able to utilize the latest and greatest digital education platforms; however, until stronger privacy laws are enacted I have little confidence that all school technology vendors will make my children's personal privacy and safety a priority.  Therefore, I challenge Facebook, Google, and every other ed-tech company and organization that advocated to weaken Maryland's Student Data Privacy Act of 2015 to do the right thing and support this bill as drafted.     

UPDATE May 1, 2015:  The White House has announced that it supports the new bill.  In a blog post, The White House stated: "[w]e are pleased to see Representatives Luke Messer (R-IN) and Jared Polis (D-CO) answer the President’s State of the Union call to enact new protections for K-12 students’ data to ensure that classrooms can embrace technology with confidence.

Introduced yesterday, The Student Digital Privacy and Parental Rights Act is an important bipartisan step, building upon existing momentum from industry leaders committed to ensuring educational data is not misused by providers or third parties, and carrying the strong endorsement of privacy advocates, the private sector, and associations representing parents and educators."  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Congressional Hearing: More Enforcement Needed To Protect Student Data Privacy

I recently attended a Joint Hearing with the Subcommittee on Early Childhood, Elementary, and Secondary Education titled, "How Data Mining Threatens Student Privacy"in Congress.  This hearing caught my attention because as a parent of two young children student privacy is very near and dear to my heart.  

Invited to testify were:  Prof. Joel Reidenberg, Founding Academic Director of Fordham Law School's Center on Law and Information Policy, Mr. Mark MacCarthy, Vice President of Public Policy for the Software & Information Industry Association (SIIA), Ms. Joyce Popp, Chief Information Officer of the Idaho State Department of Education, and Mr. Thomas Murray, State and District Digital Learning Director for the Alliance for Excellent Education.
  
During the hearing, Prof. Reidenberg discussed his groundbreaking Privacy and Cloud Computing in Public Schools study that found, "fewer than 7% of contracts [between schools and ed-tech vendors] restrict the sale or marketing of student information by vendors, and many [cloud] computing agreements allow vendors to change the terms without notice."  He also stated that 25% of services offered to schools use "freemium" models that have to monetize student data in a manner that most likely does not benefit student learning.  These troubling findings were of great interest to the members of Congress and those who attended the hearing.

The SIIA appeared not to be interested in acknowledging Prof. Reidenberg's findings and the organization may have even provided intentionally misleading testimony.  For example, on pages 4-5 of its written testimony the SIIA stated, "The federal government recently updated regulations and guidance for FERPA [Family Educational Rights and Privacy Act] and COPPA [Children’s Online Privacy Protection] specific to online educational services."  This statement is factually incorrect. 

FERPA's regulations were not recently updated.  Earlier this year, the Department of Education issued updated guidelines which do not provide the same protections as updated regulations.  During the hearing, Prof. Reidenberg made the committee aware of this distinction.  When the SIIA stated that Prof. Reidenberg's study did not have concrete proof that some ed-tech vendors were utilizing personal student data for non-educational purposes, Prof. Reidenberg mentioned Google's recent admission in federal court that it scans student emails for potential advertising.  

The SIIA's members include ed-tech vendors that sell their services to schools.  Some of these companies offer their digital services for free to schools and in return may data mine student emails and build student user profiles for advertising purposes.  For example, in an ongoing federal lawsuit in California that Prof. Reidenberg mentioned in his testimony, Google admitted under oath, that it “scans and indexes the emails of all Apps for Education users for a variety of purposes, including potential advertising,....that cannot be turned off—even for Apps for Education customers who elect not to receive ads."

While intense outrage from parents and schools along with international media scrutiny recently led to Google announcing it will allegedly stop these practices, Google's behavior demonstrates the need for stronger enforcement of student privacy laws, greater transparency in the industry, and where needed a strengthening of the current legal and regulatory framework. 

One of the most memorable instances of the hearing occurred when Rep. Pat Meehan of Pennsylvania asked the SIIA whether current law would protect his son from receiving targeted Coca-Cola ads based on data provided by his school.  The SIIA claimed it would be illegal due to existing government regulations and that FERPA applies to vendors; however, Prof. Reidenberg strongly disagreed with these assertions and proved that the SIIA was misleading the committee about these issues.

Prof. Reidenberg recommended modernizing FERPA so it applies to all student information and mandates a notice to parents for public disclosure of the educational uses of student data.  He also stated that schools need written contracts with specific prohibitions against the use of student data for non-educational purposes, chief privacy officers,  and a private right of action against vendors who misuse student data because currently parents and families do not have legal remedies to hold ed-tech companies legally accountable.

Its unfortunate that the SIIA appears to be more interested in protecting its members who are either monetizing student data for profit or who may want the ability to do so in the future.  During the hearing, it sounded as though the SIIA would not support a private right of action for students and/or their families to hold ed-tech vendors legally accountable for mishandling their personal information.  This apparent admission is very troubling and appears to demonstrate that the SIIA is out of touch with the needs of students, parents, and schools.  If the ed-tech industry wants to ensure the continued growth of the sector it must be willing to support robust enforcement actions and stronger privacy protections for students.

Presidents Bill Clinton, George W. Bush, and Barack Obama each were able to achieve our country's highest elective office because their personal thoughts and the activities they participated in while they were growing up and "exploring their youth" were not held against them for the rest of their lives. The only way current and future generations of students will have the same opportunities to make their hopes and dreams come true is if they are afforded stronger privacy protections regarding their personal digital information.

Copyright 2014 by Shear Law, LLC.  All rights reserved.

New Laws Are Needed To Protect Student Privacy In The Digital Age

Students and schools around the country are utilizing new digital technologies in ways many people did not imagine at the turn of the century and those technologies offer great promise.  Just ten years ago, terms like "big data", "the cloud", "data mining", and "social media" were not well known by students, parents, and school officials.  To lower costs and to help our students learn more effectively, thousands of schools across the country have adopted new digital technologies. Unfortunately, the current legal framework designed to protect student privacy and safety has not kept up with the rapid advancements that have been created by the Digital Age. 

The federal Family Educational Rights and Privacy Act (FERPA) is the main federal law that protects student educational records.  This law was initially enacted in 1974 and has been amended multiple times by Congress; the last time being in 2001 before the widespread adoption of cloud computing and other digital platforms in schools.  While the statute hasn't been amended in more than 10 years, the rules that the U.S. Department of Education uses to implement FERPA have been more recently updated.  Despite these revisions, some public interest groups such as the Electronic Privacy Information Center allege that FERPA's rule changes undermine privacy safeguards set out in the statute and unnecessarily exposes students to new privacy risks.

At first glance, FERPA appears to be a robust law that protects the personal privacy and safety of students.  However, upon closer examination FERPA does not provide the protections that our students need in the Digital Age.  In the almost 40 years since FERPA's initial enactment, no school has been denied access to federal funds due to a violation that has put the personal privacy and/or safety of students at risk.  As more third parties have been contracted to handle student data through the spread of cloud and mobile technologies, FERPA has done little to constrain the behavior of these third parties because the statute does not contain a sanction that applies them. 

Does this mean that FERPA has been successful and that a school's actions have never put the personal privacy and/or safety of students at risk?  Or, does this validate the notion that FERPA lacks strong enforcement provisions and the U.S. Department of Education has not been provided the resources necessary to properly protect our children?

In 2002, the Supreme Court held that FERPA's nondisclosure provisions do not provide students a personal right to sue entities that fail to properly safeguard their educational records.  While this ruling appears to shield schools from student lawsuits based upon FERPA violations, it has also had a very troubling unintended side effect that may be leading some schools to put their guard down when engaging third party vendors to capture, process, and transmit student data. 

History has proved that some commercial enterprises will abuse their access to student data and that FERPA is unable to provide the privacy and/or safety protections our children need and deserve.  In 2003, multiple student survey companies were caught intentionally misleading schools, students, and parents about their data collection and utilization practices.  The FTC alleged that these entities sold personally identifiable information about millions of students to marketers for financial gain.  In addition to entering into a consent agreement with the FTC that ended these practices, the New York Attorney General's office fined these entities $75,000 for their actions.

In 2012, Time Magazine discovered that a company called UDiligence that had been hired by universities across the country to scan and archive the password protected personal digital content of student-athletes was abusing its access to student data by utilizing personal student content in advertisements for the company's services.  Only after Time Magazine questioned this practice did UDiligence stop monetizing students' personal digital content for pecuniary gain.

Several months ago, a judge in a lawsuit that accuses Google of violating multiple federal and state laws regarding its email data mining practices ruled that the case may move forward.  During a recent court filing in this lawsuit, Google admitted that its University of Alaska school branded Gmail system utilizes the information obtained from student emails for advertising purposes (Link to this document; See page 42, #88).  As part of an effort to dismiss the case, Google argued that two student plaintiffs from universities who were Google Apps for Education users consented to Google scanning their emails for advertising purposes when they signed onto the service the first time (Link to this document; See page 14).

Since Google provides this same exact service for free to thousands of schools across the country it raises a serious question of whether Google is data mining the school emails of millions of students across the country for financial gain.  Do the same arguments that Google has made in its motion to dismiss, that students have consented to this data mining, apply to students at other schools where Google Apps for Education is in use?  It does not appear that students, parents, and/or teachers have been informed and provided consent that would enable their digital interactions and the content sent and received on school contracted Gmail services to be utilized for advertising purposes. 

The personal safety of students are at risk when commercial entities obtain access to student data and act upon the information.  According to Education Week, some low-income children in Arizona were subjected to unnecessary dental work by corporate-affiliated "mobile dentists" who found their patients through easy access to school records.  In response to this troubling practice, Arizona enacted a new state law last year that tightened access to this information.

Several months ago, The New York Times discussed the privacy and safety challenges inherent when schools hire third parties to collect and store student data on the web.  A recent Fordham University Law School study found "weaknesses in the protection of student information in the contracts that school districts sign when outsourcing web-based tasks to service companies".  Fordham's findings were validated by the Maryland Attorney General's 2013 report on children's privacy that recommended a new state law that would prohibit cloud service providers from using data collected from students for commercial purposes.

Parents are extremely worried about their children's personal privacy and safety.  A new Common Sense Media Survey found broad support for stronger safeguards to protect our students in the Digital Age.  According to the survey, 91 percent of respondents support stronger parental-consent requirements related to the sharing of sensitive student data, and 89 percent supported tighter security standards for cloud storage.

Since FERPA has not been updated to reflect the tremendous change the Digital Age has brought to the education system, it is time for states to enact laws that better protect the personal privacy and safety of our students.  States should enact strict prohibitions on the use of student data (i.e.  emails, documents, or other content), ensuring that vendors do not have rights to use that data for advertising or marketing purposes or to otherwise build personal profiles of students that may be utilized to discriminate against students and/or their families.  Parents and students need to know that when they utilize school provided digital communication platforms their data is safe and secure and will not be used to prey upon their economic and/or personal situation.

Copyright 2014 by the Law Office of Bradley S. Shear, LLC All rights reserved.