Privacy & Security

Federal Student-Data-Privacy Bill Delayed Following Criticism

By Benjamin Herold — March 23, 2015 6 min read
  • Save to favorites
  • Print

Introduction of a bill intended to establish a new level of federal involvement in the protection of K-12 students’ privacy has been delayed following criticism that lawmakers fell well short of creating the strong national law for which advocates hoped.

On Monday, U.S. Reps. Jared Polis, D-Colo., and Luke Messer, R-Ind., were poised to introduce the “Student Digital Privacy and Parental Rights Act,” developed in close consultation with the White House.

But after critical press reports and concern from privacy advocates about the scope and rigor of a near-final draft of the bill, the lawmakers decided to hold off. A revised version of the proposed legislation is now expected to be made public later this week.

In an interview, Polis said opposition was coming largely from groups that are opposed to the use of any technology in schools, but that “mainstream privacy groups” are supportive of the bill’s approach, imperfect though it may be.

“We have chosen to craft a piece of legislation that can actually become law,” Polis said. “Many believe, and I personally feel, that we should go further. But...this [bill] preserves the vibrant discussion that is taking place at the state level while establishing a new federal baseline that doesn’t exist today.”

New prohibitions and requirements

The primary federal student-data-privacy law currently in place, the Family Educational Rights and Privacy Act, or FERPA, was enacted in 1974. It is widely regarded as inadequate for addressing the challenges of the digital age, and largely silent on many of the practices employed in the rapidly expanding, $8 billion-per-year ed-tech industry.

If enacted, the proposed Student Digital Privacy and Parental Rights Act of 2015 would mostly prohibit ed-tech vendors from selling the information they collect on students and using that information to target students with advertisements. It would also impose new requirements on vendors when it comes to securing and deleting student data, sharing student information with third parties, and disclosing breaches. In a major new development, the Federal Trade Commission would also be given enforcement and regulatory authority over the burgeoning ed-tech industry.

“If this becomes law, it will crack down on existing practices by bad actors in the ed-tech industry and give parents the information they need,” Polis said.

Some parent activists and privacy advocates aren’t so sure, however.

It is not clear the act would cover a wide range of digital data students generate via the devices, software, and apps that are now ubiquitous in schools, they say. Vendors may still be able to make heavy use of children’s information for commercial purposes other than advertising. And the bill’s handling of parental-consent issues would raise as many questions as it answers.

“These are concerns we should definitely be worried about,” said Joel Reidenberg, a privacy expert and law professor at Fordham University. “The bill is a good start, but I think it has some serious weaknesses in its details.”

Competing perspectives

A handful of groups, including the Alliance for Excellent Education, which promotes digital learning, and the Future of Privacy Forum, a think tank that has pushed a voluntary industry pledge now signed by 124 ed-tech companies, issued statements in support of the bill.

“Today’s reaction shows more about the polarization of the issue than the merits of the bill,” said Jules Polonetsky, the executive director of the Future of Privacy Forum.

Polonetsky’s group issued a document suggesting that the Student Digital Privacy and Parental Rights Act actually goes further than recently enacted legislation in California, widely regarded as the strongest law to date when it comes to protecting student information.

But James Steyer, the founder and CEO of Common Sense Media, a San Francisco-based nonprofit that helped craft California’s Student Online and Personal Information Protection Act, said his group was disappointed the federal bill as proposed would not establish a rigorous, nationwide standard for regulating the ed-tech industry.

“It’s come a long way, but it needs to go further,” he said.

Given the bill’s limitations, however, Steyer said he was pleased that Reps. Polis and Messer specified that it would not pre-empt stronger efforts by states.

“If Washington doesn’t do it, we’ll win at the state level,” he said.

Common Sense Media has not endorsed the federal bill.

Polis said industry representatives have pushed hard for “federal pre-emption,” but that he and Rep. Messer, along with the White House, wanted to ensure that there are no roadblocks to states crafting stronger laws.

Polis’s staff said the lawmakers’ intent is that a new federal law would create a minimum national standard.

Legislative details

Under the new bill, ed-tech vendors would for the first time be required under federal law to “establish, implement, and maintain reasonable security procedures” for student information.

They would also be required to delete students’ covered information within 45 days of receiving a request from the student’s school. Parents would have the right to request deletion of information obtained through optional features they elected to use.

And vendors would also be required to provide “sufficient notice” before making major changes to their privacy policy, or a contract with a school.

Perhaps most significantly, the FTC—which has levied significant fines against technology companies for violations of consumer privacy—would be given jurisdiction to penalize ed-tech vendors found to have violated the law via unfair or deceptive acts or practices. The FTC would also be granted authority to issue new rules and regulations in support of the act.

Among the concerns advocates expressed with the act as currently crafted is a provision that would allow teachers and “school officials"—a technical term that, in the wake of recent changes made by the U.S. Department of Education to FERPA, now routinely includes ed-tech companies—to determine for themselves what constitutes a legitimate educational purpose for using student information.

The proposed legislation would also include what some consider a broad and troublesome exemption that would allow sensitive student information to be used for purposes related to “preparing for postsecondary education or employment opportunities.”

Those provisions are likely to stay in the revised bill to be introduced later this week.

But likely to be eliminated is language that would have allowed schools to authorize ed-tech vendors to disclose student data for non-educational purposes.

Also likely to be eliminated is a provision allowing disclosure of student information for research, statistical, or evaluation purposes.

The mere fact that such issues are being debated reflects significant policy progress, as well as the “white-hot” nature of student-data-privacy as a political issue, said Steyer of Common Sense Media.

And the willingness of Reps. Polis and Messer to delay introduction of the bill pending further consideration is an encouraging sign, said Reidenberg of Fordham.

“I think it’s a very positive development that the sponsors are reaching out more broadly to more fully understand the ramifications of the provisions they want in the bill,” he said.

Photo: U.S. Rep. Jared Polis, D-Colo., looks on during the Colorado Democratic Party’s State Assembly in Denver last April.--David Zalubowski/AP-File

See also:

A version of this news article first appeared in the Digital Education blog.