A Syllabus for Regulating Student Data Privacy?

The start of the new school year is approaching and a number of education vendors have already received their homework assignments. U.S. Senators Richard Durbin (D-Ill.), Edward Markey (D-Mass.), and Richard Blumenthal (D-Conn.) recently sent two letters—one to education technology companies (EdTech) and another to data brokers—expressing "concern about the vast amount of data being collected about our nation's students" and posing a list of questions to which responses were requested by this past Tuesday (September 3).

The letters reflect increased legislative concern over the amount of students' sensitive personal data being retained and sold to third parties without the knowledge of either the students or their parents, particularly where such data is later used for targeted advertising.

The assignment for EdTech companies and data brokers? Provide information about their data collection practices, including:

• What personal data is collected;
• How long data is retained;
• Whether (and how) personal data is sold; and
• Any existing options for access, correction, deletion or opt-outs.

EdTech companies were also asked to provide information on:

• The courses, software, and devices in production or use by educational institutions; practices around labeling or grouping students;
• Login requirements that might require collection of personal information; and
• Their understanding of the Family Education Rights and Privacy Act (FERPA) and Children's Online Privacy Protection Act (COPPA).

The letter further inquires about data breaches or unauthorized acquisition of students' personal data.

Why EdTech and Data Brokers?

Lawmakers sent the two letters to approximately 50 entities total, ranging from large technology companies to education publishers to learning management system (LMS) developers.

How does this fit into the existing educational privacy landscape?

At the federal level, FERPA regulates educational institutions or agencies receiving federal funds and providing services or instruction to students. EdTech companies also may be regulated under COPPA to the extent they operate websites or online services targeting children (students) under 13 years old, but are not directly subject to FERPA (though institutions may seek to impose certain obligations on such entities by contract).

At the state level, many legislatures have passed their own student privacy laws, whether in the form of supplementing FERPA, creating student online personal information protection acts (SOPIPA), or student data privacy protection acts—but gaps remain around the regulation of vendors.

FERPA|Sherpa (the Future of Privacy Forum's Education Privacy Resource Center) reports in its State Student Privacy Laws chart that 41 states have passed 126 student privacy-centric laws since 2013. Only approximately 55 of those laws regulate vendors, while 73 regulate state education agencies (SEAs), and 86 regulate local education agencies (LEAs) (some laws regulate multiple types of entities).

The development of student-focused privacy laws shows no sign of breaking for recess. Illinois recently amended its student privacy law, the Student Online Personal Protection Act (SOPPA) through (HB3606), which (among other things) adds new data security requirements to the existing prohibitions on operators of websites, applications, and other online services, against engaging in targeted advertising based on information (including persistent unique identifiers) acquired through "the use of the operator's site, service, or application for K through 12 school purposes."

Montana just passed HB0745, enacting the Montana Pupil Online Personal Information Protection Act, which similarly prohibits marketing to students based on personal information gathered in relation to online educational opportunities.

Other bills introduced or passed this year address specific privacy-related student issues such as audiovisual recording in the classroom, surveillance technologies, coordinating educational tracking for children in the foster care system, and the exchange of data between government and educational agencies and institutions.

For instance, the Montana legislature passed two bills allowing the Superintendent of Public Instruction to release student-level information to certain state authorities to ensure that Montana's education system meets the expectations of the state university system and, with students' consent, to accredited postsecondary institutions, certain testing agencies, and scholarship organizations.

Increasing Threats to Student Privacy

The challenges of educational privacy and responsible student data collection are not new, but there is growing awareness of potential threats to students. Last year, the FBI published a public service announcement about the risk of data collection and unsecured systems in the EdTech space, noting "malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children."

The senators quoted from this public service announcement in their August 12 letters.

In the Big Data era, data collection in schools goes well beyond name, birthday, address, and grades. It could include eligibility for subsidized programs, biometric information, geolocation, special needs and medical information, behavioral and disciplinary information, ethnicity and religion, and career counseling surveys and interests.

Use of software and programs could trace web-browsing history and classroom activities, track student movements, and collect information provided by students using chat or collaborative tools. The senators' letter to data brokers references research from the Fordham University Law School Center on Law and Information Policy, which concluded that data brokers created and sold lists of students based on information such as Grade Point Average, ethnicity, religion, and level of affluence.

Although this personal data can be sensitive, there are legitimate uses benefiting students. For example, data may inform administrators, educators, and parents about student needs so they can respond and be more effective. Do any students need nutritional assistance? Are students advancing quickly and in need of more educational stimulation? Are more resources needed?

However, this data is also a target for hackers: the FBI's public service announcement referenced a 2017 incident when the hack of school district servers led to access of student contact information, followed by threats and attempted extortion of parents and local law enforcement, along with posting of children's information online.

As we discussed last month, there are indications that when legislators return from recess, one of the top technology priorities will be educational privacy. Vendors should do their homework and be prepared for legislators to call on them.