A proposed overhaul of the country’s primary law protecting student-data privacy is being circulated for feedback, offering yet another sign of the federal government’s interest in reshaping the legislative landscape around this hot-button issue.
The “discussion draft” of a bill that would rewrite the Family Educational Rights and Privacy Act, or FERPA, was released Monday by the bipartisan leadership of the Education & the Workforce Committee of the U.S. House. John Kline, a Republican from Minnesota, is the committee’s chair, and Robert “Bobby” Scott, a Democrat from Virginia, is its ranking member. The bill is intended as a potential complement to—not replacement for—the pending Student Digital Privacy and Parental Rights Act, championed by the White House.
The draft FERPA proposal, which has not been formally introduced, would include a number of potentially significant changes. Under the bill, the definition of what constitutes a student’s “educational record” would be expanded, and a ban would be placed on using such information for marketing or advertising. States and local education agencies would be subject to new requirements when contracting with vendors handling sensitive student information. The bill would allow fines of up to $500,000 to be levied on educational service providers that improperly share student information, and parents would be given new opportunities to access and amend their children’s data and opt out of the use of that information for research purposes.
“This is a wholesale revision of what FERPA is,” said Paige Kowalski, vice president of policy and advocacy for the Washington-based Data Quality Campaign, a nonprofit that supports effective use of student data. The group has not yet taken a position on the bill.
Privacy advocates, meanwhile, expressed enthusiasm for the direction taken by Reps. Kline and Scott.
“This is a strong, purposeful draft that would strengthen FERPA. It restores student privacy protections and envisions meaningful enforcement mechanisms,” said Khaliah Barnes, a lawyer with the Electronic Privacy Information Center, a Washington advocacy group.
Updating an outdated law
FERPA was enacted in 1974. As currently constituted, the law is widely regarded as insufficient for addressing the privacy challenges of the digital age.
It is silent, for example, on the question of whether much of the voluminous digital data now collected in schools counts as part of a student’s formal “education record.”
The new draft, however, would redefine that legal term to include information that is directly related to an individual student, is maintained “electronically or physically,” and is “accessible, collected, used, or maintained by an education service provider in the course of providing services to a school official.”
The new draft would also expand parents’ rights to access electronic information about their children held by both educational agencies and educational service providers. The required response time to parental requests would be shortened from 45 to 30 days.
Some worry that such mandates would place a undue burden on states and companies, which in many instances do not maintain such records in formats that would allow for easy access to individual students’ information (see, for example, this story from May 2014 about a Nevada parent who was told by his state’s education department that it would cost $10,000 to access his child’s information.)
But Joel Reidenberg, a Fordham law professor and privacy expert, called it “appropriate and important” to require that such access be made possible.
“If it means that some technologies have to be engineered to enable that to take place, that’s what fair-information practices is about,” he said.
Reidenberg, who authored a much-cited study of school districts’ poor contracting practices with cloud-service providers, also cheered the draft’s provision that would mandate that educational agencies enter into written agreements with outside parties handling student information. Those agreements would be required to have “clear provisions outlining how and what information shall be transferred” and include guarantees around security protocols.
And both Reidenberg and Barnes, the EPIC attorney, expressed support for the manner in which the draft bill would revamp the ways in which FERPA violators are penalized.
The current version of the law also allows only for educational agencies who violate its tenets to be sanctioned, and then only by the withholding of federal funds—a “nuclear option” that has not been enforced in the law’s 40-year history.
The new draft would empower the Secretary of Education to levy fines on educational service providers of $2,000 per student harmed, up to a maximum of $500,000.
“Right now, it’s all or nothing,” Reidenberg said. “This enables the Department of Education to [enforce] graduated penalties.”
New “opt-out” rights
The other big potential change to FERPA involves parents’ rights to opt their children out of some uses of their children’s data.
Under the discussion draft, “organizations conducting studies for, or on behalf of, educational agencies or institutions” would be required to ensure that “parents have been notified of the study and have had a reasonable amount of time to opt out.”
Some are likely to worry that such a provision could curtail appropriate educational research, such as the evaluation of a curricular intervention.
The release of a discussion draft of the FERPA rewrite is meant to give advocates, educators, parents, industry representatives, researchers, and others time to debate and offer feedback on such provisions. There is no timetable for introducing the bill in the House; whether it moves forward will likely depend on what kind of reaction the draft generates.
Last month, U.S. Reps. Luke Messer, a Republican from Indiana, and Jared Polis, a Democrat from Colorado, were poised to introduce a separate student-data-privacy bill in the House, but delayed the move following vocal criticism, which some said arose from the lawmakers’ perceived reliance on industry insiders, but not the privacy community, in crafting their bill.
Reidenberg applauded the different tack being taken by Reps. Kline and Scott.
“Given the complexity of getting privacy law right, it’s very wise that [they] are looking for input from more than one set of stakeholders,” he said.
A new federal bill focused on ed-tech providers and a revamp of FERPA, which focuses primarily on educational agencies, are generally seen as complementary, rather than mutually exclusive.
The proposed FERPA changes released Monday are separate from a related bill issued by U.S. Senators Edward Markey, a Democrat from Massachusetts, and Orrin Hatch, a Republican from Utah, last year.
Photo: Rep. John Kline, R-Minn. speaks during a news conference on Capitol Hill in Washington last year.--Evan Vucci/AP-File
A version of this news article first appeared in the Digital Education blog.