By Ben Herold. Crossposted from Digital Education.
New federal student-data-privacy legislation being crafted by the White House would prohibit education technology vendors from selling student information and directing targeted advertisements at students, but the legislation remains silent on other controversial industry practices, according to documents obtained by Education Week.
Since President Barack Obama announced earlier this month that he would seek a new federal “Student Digital Privacy Act,” educators, advocates, and industry leaders have awaited crucial details that could reshape the responsibilities of both companies and schools when it comes to protecting students’ privacy.
The White House has yet to release those details publicly.
But a draft of the proposed bill that has been circulated privately by Obama Administration officials offers key insights. It is unclear if the documents obtained by Education Week represent the most recent draft of the proposed legislation, or an early version that has since undergone revision.
The White House did not immediately return a request for comment.
The apparently rechristened “Student Digital Privacy and Innovation Act” seemingly aims to create a uniform national playing field by pre-empting the patchwork of state laws currently in place--a key concern of industry groups.
The draft bill would also assign responsibility for enforcing violations of students’ privacy under the act to the Federal Trade Commission.
And while the draft federal proposal is broadly similar to recently enacted state legislation in California, which the president hailed as a model during a speech earlier this month, it also contains key differences.
Some of those differences are likely to be looked upon favorably by privacy advocates, but two significant differences between the draft bill and the Student Online Personal Information Protection Act, or SOPIPA, signed into law by California Gov. Jerry Brown in September, are likely to be viewed as industry-friendly.
Unlike the California law, the draft version of the proposed federal bill obtained by Education Week does not contain an explicit prohibition on vendors amassing profiles of K-12 students for non-educational uses.
Nor does the draft federal bill follow California’s approach of prohibiting vendors from collecting student information via an educational site, service, or application, then using that information to target advertising to students elsewhere.
“That sounds like a concession to [companies] who are broader than education,” such as Amazon, Apple, Google, and Microsoft, said Douglas Levin, the executive director of the State Educational Technology Directors Association, based in Glen Burnie, Md., when apprised of the language contained in the documents obtained by Education Week.
“There very well could be sausage-making going on, in terms of compromises in crafting the [bill’s] language, before it is made public,” Levin said.
No timetable has yet been announced for when an official version of the proposed federal legislation will be made public.
There are currently three federal student-data-privacy laws on the books, including the Family Educational Rights and Privacy Act, or FERPA. Many educators, advocates, and ed-tech industry officials say those laws are too antiquated to effectively deal with the privacy and security challenges associated with the digital devices, software, cloud-based services, and “big data” that are now ubiquitous in K-12 schools.
The new federal legislation, if enacted, would seek to complement, rather than replace or update, the existing laws, said Joel Reidenberg, a law professor at Fordham University, when apprised of the draft bill’s language by Education Week.
Unlike FERPA, for example, the draft Student Digital Privacy and Innovation Act contains provisions that would require companies to “maintain reasonable security procedures and protocols” for student data, and to delete such information at the request of a school or district.
Both are “positive and appropriate” features of the proposed legislation, Reidenberg said.
The draft federal legislation also offers a more expansive definition of “covered information” than even SOPIPA. Under the bill, “statistical inferences” that are made by companies and identifiable to individual students would be protected by the new privacy provisions, a potential change that Reidenberg applauded.
But some questionable industry practices that are either already in use or likely to become prevalent in the not-too-distant future would likely not be covered by the draft bill, which focuses primarily on prohibiting targeted and behavioral advertising.
Such an approach would likely not prevent companies from using information gleaned from educational apps and websites to target students with search engine results, content, or recommendations on commercial sites elsewhere, Reidenberg maintained.
“It’s addressing the situation currently, but not looking ahead a year or two,” he said. “I think there are some weaknesses [in the draft language] that I hope Congress will address.”
As the apparent addition of the word “innovation” to its name suggests, the draft bill also seeks to ensure that ed-tech companies are not unduly hindered from creating products and services that can benefit students, teachers, and schools.
The draft of the proposed legislation, for example, specifies that operators may use student information “for maintaining, developing, supporting, improving, or diagnosing the operator’s site, service or application.”
It also specifically states that the act would “not limit the ability of an operator to use student data, including covered information, for adaptive or personalized student learning purposes.”
And like California’s SOPIPA law, the draft Student Digital Privacy and Innovation Act includes an exemption for the sale of student data in the event of a “purchase, merger, or other type of acquisition of an operator by another entity,” so long as the information remains subject to the same legal protections in place when it was originally collected.
In addition to pushing the new federal legislation, the Obama administration has also worked hard to help get more than 90 companies to sign a voluntary privacy-protection pledge developed by two Washington-based organizations: the Software & Information Industry Association, an industry trade group, and the Future of Privacy Forum, a think tank.
Those groups say any company that publicly commits to the pledge, then violates its tenets, could be subject to penalties by the Federal Trade Commission for unfair and deceptive business practices.
According to the draft document obtained by Education Week, the FTC would also be responsible for enforcing violations of the new federal student-data-privacy law, under the commission’s same regulations.
That’s “probably not a bad thing,” said Levin of SETDA, especially if the alternative is enforcement by the U.S. Department of Education.
“Given that this [draft] bill seems to be about regulating company practices, the FTC is probably the right place,” he said. “It’s a body that has acted to protect consumers and has in the past issued fines that have been pretty substantial.”