High-profile data breaches and cyber-attacks on well-known brands and businesses have dominated the news cycle for more than a year. Yet during the same time, less visible, but no less important efforts have been made to improve privacy safeguards for a much more vulnerable population: our school children. In communities across the country, parents have mobilized to push for better student privacy protections. Concerns include school records being used (or sold) for purposes unrelated to education, and shielding students from behavioral targeting of advertising. Perhaps in response to this growing groundswell from parents, the federal government and K-12 educational technology companies have recently pledged to take steps to better safeguard student privacy
Parental Efforts to Push For Enhanced Student Privacy Rules
Parental concerns have so effectively coalesced around keeping schools and local governments from selling student data to private companies for purposes unrelated to education that at least 110 student privacy bills were introduced in 36 states in 2014, including Colorado. In addition, less than a year ago the parent lobby effectively shut down the high-profile nonprofit, InBloom, which was organized to streamline student data collection sharing to help schools develop more responsive educational technology, before it made it off the ground. More recently, even the White House has jumped on the bandwagon, and proposed to take action to add further student data privacy protections at the federal level.
Federal Legislative Announcements
On January 12, 2015, President Obama proposed developing new legislation (currently referred to as the Student Digital Privacy Act) designed to balance the parents’ desire to protect the privacy of their children’s student records with the interest in developing effective classroom technology. The current proposal is to model the bill after the landmark California statute enacted on September 19, 2014, which prohibits companies from (1) selling student data to third parties for purposes unrelated to education and (2) engaging in targeted advertising to student based on data collected in school. The proposed bill is intended, however, to still allow for companies to use student data for research on improving student outcomes and improving educational technology.
Although President Obama made reference in both his recent budget proposal for 2016 and the State of the Union address to making cybersecurity a priority, few details regarding the Student Digital Privacy Act have been released.
The expected federal proposal presumably would seek to balance a number of competing interests. Many parents, on the one hand, don’t want their children’s school information used by marketers (who might offer big money for the opportunity) for advertising purposes, nor do they want overreaching governmental initiatives that smack of “Big Brother”, such as attempting to channel children into careers paths “best suited” to their current or predicted tendencies. On the other hand, parent, schools, governments and the private sector see tremendous growth opportunities for students and the economy in producing effective educational technology. Finding the right balance between these competing interests and values will not necessarily be easy.
Among the key concepts the Student Digital Privacy Act may incorporate from the new California law is that of the treatment of “covered information.” Covered information is the personally identifiable information provided by the parents, the child or the school, including names, addresses, phone numbers, email addresses, social security numbers, discipline records, testing results, grades, medical records, disabilities, etc. Under the new California law, private companies and websites may not knowingly use or sell covered information, and school districts are allowed to request that third parties delete the covered information, unless it relates to “legitimate research purposes” required or requested by state actors or for internal purposes.
An Industry “Privacy Pledge”
Parental concerns over the potential for educational-related businesses to violate student privacy and misuse educational data may have also triggered a response from companies who work with K – 12 student data. Over the last several months, nearly 110 education technology companies have signed a voluntary privacy pledge to safeguard student privacy in a number of different respects. This privacy pledge, which was posted in October 2014 through collaboration between The Future of Privacy Forum and the Software and Information Association, includes 12 laudable commitments to, among other things:
- Not sell student information
- Not behaviorally target advertising
- Use data for authorized education purposes only
- Not change privacy policies without notice and choice
- Enforce strict limits on data retention
- Support parental access to, and correction of errors in, their children’s information
- Provide comprehensive security standards
- Be transparent about collection and use of data
However, as noted in a recent New York Times blog article, the industry privacy pledge “does not require specific security measures, such as encryption of logins for sites that collect personal details about students. The pledge also does not require companies to protect teacher or parent information collected by educational sites or apps.” Because President Obama specifically endorsed this industry privacy pledge when he spoke in January at the Federal Trade Commission concerning potential federal action on enhancing student privacy, such potential security gaps in the pledge provisions have raised concerns.
The debate over how to best protect student privacy and how to limit or preclude data mining of student educational data is expected to intensify at the local, state and federal levels. Competing stakeholders – parents, industry and government – continue to attempt to find a workable balance between progressive educational technology applications and student privacy concerns in the Age of Big Data.