Two federal agencies are grappling with how to guide schools on protecting students’ personal information while using educational technology. That increasingly delicate balancing act was front and center during a discussion Friday convened by the U.S. Department of Education and the Federal Trade Commission.
At issue were such fundamental questions as:
• What counts as students’ personal information?
• How should schools and companies protect parents’ legal right to access and delete information collected online from young children?
• Should ed-tech vendors be allowed to use information collected in schools to improve their products and services, or does such activity constitute impermissible commercial use of student data?
• How can the nation’s school districts maintain “direct control” of the increasingly vast troves of student information they now regularly hand over to third-party companies they designate as “school officials” under federal law?
On those issues and others, the legal landscape is marked by considerable gray areas, said Thomas B. Pahl, the acting director of the FTC’s bureau of consumer protection, during opening remarks at the event.
As a result, Pahl said, “both the FTC and the Department of Education think further discussion, and perhaps additional guidance, is warranted.” The discussion should “provide a roadmap for potential next steps at the agencies,” he said.
Modernize FERPA and COPPA?
Looming over the rapid expansion of educational technology in K-12 are two federal laws: the Family Educational Rights and Privacy Act, or FERPA, which enumerates parents’ rights with respect to their children’s educational records; and the Children’s Online Privacy Protection Act, commonly known as COPPA, which regulates third-party operators of websites, apps, and digital services that collect information from online users who are younger than 13.
Those statutes are supposed to provide strong guardrails that protect students’ information, enshrine parents’ rights, and establish the rules of the road for schools and vendors.
But in an age when digital devices, online instructional resources, and a dizzying array of software, apps, and platforms can be found in most classrooms, many in the K-12 sector view FERPA and COPPA as antiquated, inadequate, or both.
“We need more concrete guidance to stand on,” said Chris Paschke, the executive director of data security for the Jefferson County, Colo., schools, which has been at the epicenter of the student-data-privacy fight for several years following its role in the high-profile fight over inBloom, a controversial data-sharing initiative that has since gone under.
One big source of uncertainty is the issue of parental consent. COPPA, for example, stipulates that operators of online services seeking to collect online information from children under 13 must obtain their parents’ approval. The Federal Trade Commission has previously indicated that the law does not preclude schools from acting as parents’ agents in providing that consent, so long as the companies they contract with provide notice to the school and to parents, and so long as the information collected is not being used for commercial or non-educational purposes.
Companies’ Use of Data
That stance has opened several cans of worms.
For one, COPPA generally takes a broad view of what counts as “personal information,” including some kinds of indirect “metadata,” such as persistent identifiers that can be attached to students in lieu of their names or ID numbers, and geolocation information that children generate when using some devices and services. FERPA, however, generally does not consider such information part of students’ legal educational record. The discrepancy can create conflicting obligations for schools.
Speakers at the FTC and Department of Education event were also sharply divided over whether companies should be able to use the information they collect about children (such as log records showing how a student interacts with a digital instructional tool) to improve their products.
David LeDuc, the senior policy director for the Software & Information Industry Association, described such uses as an educational win-win-win for companies, schools, and students. But George Mason University professor Priscilla M. Regan described those same practices as a “secondary commercial use,” saying they should be forbidden under the law.
Such disputes may seem technical, but they point to a larger problem with the way current federal laws are being enacted inside schools, said Jim Siegl, who serves as technology architect for the Fairfax County, Va., schools, but emphasized he was not speaking on behalf of his district at the event.)
When schools were given authority to grant COPPA consent for the use of educational-technology products, Siegl said, the idea was that they would serve as agents on behalf of parents. Instead, he said, they have too often become agents for outside companies.
Faced with such a tumultuous national landscape, 40 states have responded by taking matters into their own hands, passing a total of 124 student-data-privacy related laws since 2013, said Amelia Vance, who leads the student privacy project at the Future of Privacy Forum, a Washington think tank.
The ed-tech industry has also pushed a number of self-regulation efforts, most notably the Student Privacy Pledge, a voluntary set of privacy and security commitments now agreed to by more than 300 companies.
And districts, schools, and individual teachers have, by and large, accelerated their adoption of new technologies, making it difficult to keep track of everything that students are using—let alone what information is being collected, or how it is being used. In some districts, technology officials who seek to avoid using products and services with inadequate privacy and security policies find themselves being pressured by teachers or overruled by higher-ups, panelists at the discussion said. The challenges appear to be particularly acute in smaller and poorer districts.
The net result is that many parents are overwhelmed, said Rachael Stickland, the co-founder of the Parent Coalition for Student Privacy. She described her own experience of having a classroom volunteer sign her child up without parental notification or consent for an online platform known as Edmodo, which later suffered a massive data breach that resulted in the personal information of millions of students being put up for sale on an unregulated part of the internet.
“It seems completely inappropriate that the ed-tech industry gets a pass on using sensitive, personal student information [gathered] in a compulsory environment” in order to refine their products and market them back to schools and children, Stickland said.
Signs of Progress
There have been signs of progress.
Melissa Tebbenkamp, the director of instructional technology for Missouri’s Raytown Quality Schools, said her district and some others have grown more assertive in their privacy and security demands of companies, refusing to work with vendors that don’t meet certain minimum standards.
“We’re the customers,” Tebbenkamp said. “They’re not making money without us.”
Still, the road ahead won’t be easy.
For all the growing pressure on the FTC and the Education Department to provide clarity, there are also risks associated with taking action now.
Does it really make sense, for example, to issue guidance on how existing laws might be harmonized before FERPA undergoes its long-rumored legislative update?
In addition, “one-size-fits-all” solutions might bring greater clarity, but they could also have unintended consequences and place new burdens on schools, said Francisco M. Negrón, Jr., the chief legal officer for the National School Boards Association.
And still other experts warned that a host of emerging issues—from the growing ease with which supposedly anonymous data can be used to re-identify users, to the possibility that predictive algorithms might shut some students out of certain courses, career-placement services, or other opportunities, to the new ways in which data might exacerbate bias and discrimination—could soon swamp current concerns.
No timetable is currently in place for the two agencies to announce if and when they’ll proceed with issuing further guidance.
A version of this article appeared in the December 13, 2017 edition of Education Week as U.S. Agencies Grapple With Student-Data-Privacy Guidance