Long-awaited bipartisan legislation introduced in the U.S. House of Representatives Wednesday would significantly reshape the country’s most prominent student-data-privacy law, but stop short of the radical makeover that lawmakers had proposed earlier this spring.
The “Student Privacy Protection Act” aims to expand the scope of student information that is protected by law, place new obligations on both educational institutions and third parties who handle that information, and ban the use of such information for direct advertising to students. It would also allow for fines of up to $1.5 million on educational institutions that violate the law.
The bill, if enacted, would represent a meaningful update to the Family Educational Rights and Privacy Act. As currently written, FERPA, as the 41-year old law is commonly known, is widely viewed as inadequate for addressing the privacy challenges presented by the flood of digital devices, software, and apps into U.S. schools over the past decade.
“Unfortunately, legal safeguards over student privacy have not kept pace with the rapid technological changes taking place in America’s classrooms,” said Rep. Todd Rokita, R-Ind., in a statement issued by the education and workforce committee of the U.S. House. “The bipartisan reforms in this bill will strengthen privacy protections to ensure schools can provide a 21st century education, while keeping their students’ personal information safe and secure.”
A flurry of proposed student-data-privacy legislation
Rep. Marcia Fudge, D-Ohio, co-sponsored the bill, which comes amid a flurry of proposed federal legislation on the hot-button issue of student-data privacy.
Two other bills currently before Congress also seek to modernize FERPA. The Student Digital Privacy and Parental Rights Act of 2015, introduced in the House in April with White House backing, would create an entirely new law.
None of the bills have yet come up for a vote.
Reaction on the Rokita-Fudge FERPA revision was generally warm, although some expressed reservations about particular aspects of the bill.
“It provides some really important provisions that would create more transparency, which is essential for people to be able to trust how schools and outsiders handle student information,” said Elana Zeide, a privacy research fellow at New York University’s Information Law Institute.
“However, [the bill would] place a heavy burden on schools to oversee third-party practices in a way that I’m not sure is practical,” Zeide said.
The bill comes three months after Reps. John Kline, R-Minn. and Bobby Scott, D-Va., (the chair and ranking member of the education and workforce committee, respectively) released a “discussion draft” of a far-reaching proposal to radically remake FERPA from top to bottom.
Gone from that earlier version are provisions that would have allowed parents to opt-out of some uses of their children’s data, including many types of research studies that are commonly conducted today. Also eliminated is a provision that would have authorized the U.S. Department of Education to levy fines directly on educational service providers who violate FERPA.
Under the newly proposed Student Privacy Protection Act, such violators would be referred to the Federal Trade Commission or U.S. Attorney General for possible sanction.
“I think it reflects a desire for third-party actors to be accountable,” Zeide said. “But I think it may be more efficient to use more direct methods,” such as a separate law specifically targeting vendors, she added.
Updating FERPA for the digital age
Key for many on all sides of the student-data-privacy debate is that the new bill would redefine what constitutes a student’s “educational record” under federal law to include “those records, files, documents, and other materials” about a student that are “maintained, electronically, digitally, or physically.” The move to include digital records is widely seen as necessary in the modern age.
Generating more uncertainty are provisions that would place new obligations on schools.
The Rokita-Fudge bill, for example, would require schools and other educational agencies to keep a record of “each individual, agency, or organization...that have obtained access to a student’s educational record,” as well as the purpose for which such access was granted.
Schools and other educational agencies would also be mandated to establish new security practices for protecting students’ information; require that third parties with access to students’ education records also maintain such security practices; establish breach notification policies and procedures; and designate an official “responsible for maintaining the security of its education records.”
Educational agencies who break the law would be subject to fines ranging from $100 to $1,500,000 (and not to exceed 10 percent of their annual budget), depending on the severity of their violation.
“It’s important to recognize that all this would be new” for teachers and school administrators, said Paige Kowalski, the vice president for policy and advocacy at the nonprofit Data Quality Campaign, which advocates for effective use of educational data.
“We should expect privacy and security, but [these provisions] beg the question of how we are going to do this well, given schools’ current capacity,” she said.
Cautious reaction from the ed-tech industry
It’s not just schools that would be affected if FERPA if the Rokita-Fudge bill becomes law.
Outside providers would be prohibited from getting contracts with educational agencies if they have “a policy or practice of using, releasing, or otherwise providing access to personally identifiable information in the education record of a student” for advertising purposes or for the development of unapproved commercial products or services.
The proposed legislation also aims to directly prohibit all parties from using information gained via access to a student’s education record to “market or otherwise advertise directly to students.”
Not surprisingly, the Software & Information Industry Association, one of the leading trade associations representing the ed-tech industry, reacted cautiously.
“SIIA will work closely with the committee to ensure the Student Privacy Protection Act does not create a regulatory environment that prevents students and schools from having access to increasingly essential technologies,” said Mack MacCarthy, the vice president of policy for the group, in a statement.
A spokeswoman for the House Education & the Workforce Committee’s Republican majority said lawmakers had taken input on the discussion draft of the bill seriously.
“We received feedback on the discussion draft from various stakeholders—parents, educators, technology companies, and privacy advocates,” said committee press secretary Lauren Blair Aronson via email. "[We] believe the legislation introduced today reflects their feedback and strikes the right balance between protecting student privacy and supporting 21st century learning opportunities.”
Photo: U.S. Rep. Todd Rokita, pictured here at an Indiana Republican party rally in 2012, chaired a House subcommittee hearing on student data privacy Wednesday. --Darron Cummings/AP
A version of this news article first appeared in the Digital Education blog.