Privacy & Security

What Schools Need to Know About These Federal Data-Privacy Bills

By Lauraine Langreo — April 18, 2024 5 min read
Photo illustration of a key on a digital background of zeros and ones.
  • Save to favorites
  • Print

More federal and state policymakers are focusing on addressing data privacy, especially for children, because of increasing concerns about how companies collect and sell user information and how that affects users’ mental health.

Congressional lawmakers have introduced several data-privacy bills, some of which deal directly with children’s online privacy. At least 15 states have enacted comprehensive data-privacy laws since 2020, while other states either have narrower laws or have at least introduced data-privacy laws during the current legislative session, according to Bloomberg Law.

The problem with some of those policies, according to school data-privacy experts, is they don’t always consider how day-to-day school operations would be affected. Schools use student data to support decisionmaking, to personalize learning, and for better reporting as required under federal and state laws.

In an April 15 webinar hosted by the Software & Information Industry Association, data-privacy experts discussed three bills Congress is considering and their implications for K-12 schools. The experts were: Amelia Vance, the founder and president of nonprofit advocacy organization Public Interest Privacy Center; Kristin Woelfel, a policy counsel for the Center for Democracy and Technology, a nonprofit that advocates online civil liberties; and Sara Kloek, the vice president of education and children’s policy at SIIA, a trade association for technology companies.

The Kids Online Safety Act

The Kids Online Safety Act, or KOSA, was first introduced in the Senate by Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn., in February 2022. It failed to pass during that session, so the lawmakers reintroduced the bill in May 2023. As of April 2024, the bill has 67 co-sponsors in the Senate.

KOSA would require certain online platforms to provide children with options to protect their information, disable addictive features, and opt out of personalized recommendations. Those platforms would also be required to design and operate their products in ways that prevent or mitigate negative effects on children, such as mental health disorders, bullying, and sexual exploitation. The bill would apply to any “online platform, online video game, messaging application, or video streaming service that connects to the internet and that is used, or is reasonably likely to be used, by a minor.” It exempts internet service providers, email services, educational institutions, and other specified entities from the requirements.

“This bill seems to be in response to a lot of attention around social media and impacts that it has been suggested to have on kids,” Woelfel said. “I don’t think KOSA was intended to interfere with any K-12 education services.”

See Also

Jun Kim, Director of Technology for Moore Public Schools, center, leads a data privacy review meeting on Dec. 13, 2023 in Moore, Okla.
Jun Kim, director of technology for the Moore public schools in Moore, Okla., leads a data privacy review for staff.
Brett Deering for Education Week

However, because the definition of which platforms are covered under the bill is “very broad, it essentially would almost certainly cover a lot of ed-tech platforms,” she said.

Given that the bill would give children and caregivers the right to opt out and modify personalized recommendation systems, it could affect personalized learning software schools use to provide curated lessons and facilitate individualized learning, Woelfel said.

It would “frustrate the purpose of that technology and undermine a core function of the school,” she added.

Children and caregivers would also be able to delete accounts, which under the current language could be applied to ed-tech platforms hosting student data, such as assessments, grades, and attendance. In turn, that could “threaten the integrity of academic records,” Woelfel said.

Children and Teens’ Online Privacy Protection Act

The Children and Teens’ Online Privacy Protection Act, or COPPA 2.0, would amend the original Children’s Online Privacy Protection Act of 1998. Sen. Ed Markey, D-Mass., first introduced the revised measure in May 2021 and reintroduced it in May 2023. As of April 2024, it has 17 co-sponsors in the Senate.

The bill would build on the 1998 law. It would prohibit online platforms from collecting personal information from users who are 13 to 16 years old without their consent (the current law only applies to children under 13), ban targeted advertising to children, and require companies to allow parents and children to erase their personal information from the platforms.

Under the proposed updates to COPPA, schools would no longer need to get parental permission to use ed tech in classrooms. COPPA 2.0 would enable schools to consent on behalf of their students to provide access to ed-tech platforms schools have thoroughly vetted and with which they have entered into contracts.

See Also

Close up ChatGPT official app icon on screen with blur effect applied
Robert Way/iStock

This update is a step in the right direction for superintendents, said Vance, who also heads the Student and Child Privacy Center for AASA, the School Superintendents Association.

At least 11 education organizations—including the superintendents group; American Federation of Teachers; National Education Association; and the Council of the Great City Schools—have endorsed the legislation.

Woelfel, however, notes that the definition in the bill is limited to public schools and argues that policymakers should make it broader to include private schools as well.

American Privacy Rights Act

The American Privacy Rights Act, or APRA, was introduced earlier this month by Rep. Cathy McMorris Rodgers, R-Wash., and Sen. Maria Cantwell, D-Wash. It would establish a framework for uniform national data-privacy rights for Americans and would hold companies accountable by mandating strong data-security standards.

Similar to KOSA and COPPA 2.0, APRA would have special protections for children younger than 17 years old, so it could have implications for schools.

The bill says that schools wouldn’t be required to delete data that would interfere with education services, but it doesn’t provide protections for contractors that schools might hire to provide an educational service, the panelists said.

The measure would also require any organization that uses algorithms for “consequential decisions related to housing, employment, education, health care, insurance, credit, or access to places of public accommodation” to offer consumers a right to opt out.

Woelfel said she’s concerned about what that would mean for schools if students and families could opt out of ed tech that schools use for day-to-day operations. For instance, if a district uses an adaptive learning software, and students and parents could opt out, then it could undermine teachers’ ability to facilitate personalized assignments for students.


This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Budget & Finance Webinar
Innovative Funding Models: A Deep Dive into Public-Private Partnerships
Discover how innovative funding models drive educational projects forward. Join us for insights into effective PPP implementation.
Content provided by Follett Learning
Budget & Finance Webinar Staffing Schools After ESSER: What School and District Leaders Need to Know
Join our newsroom for insights on investing in critical student support positions as pandemic funds expire.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Student Achievement Webinar
How can districts build sustainable tutoring models before the money runs out?
District leaders, low on funds, must decide: broad support for all or deep interventions for few? Let's discuss maximizing tutoring resources.
Content provided by Varsity Tutors for Schools

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by FlexPoint Education Cloud
Privacy & Security A New Federal Taskforce Targets Cybersecurity in Schools
The “government coordinating council" aims to provide training, policies, and best practices.
3 min read
Illustration of computer and lock.
iStock / Getty Images Plus
Privacy & Security Q&A Why One Tech Leader Prioritizes Explaining Student Data Privacy to Teachers
Jun Kim, the director of technology for an Oklahoma school district, helped build a statewide database of vetted learning platforms.
3 min read
Jun Kim, Director of Technology for Moore Public Schools, poses for a portrait outside the Center for Technology on Dec. 13, 2023 in Moore, Okla.
Jun Kim, is the director of technology for the Moore school district in Moore, Okla., He has made securing student data a priority for the district and the state.
Brett Deering for Education Week
Privacy & Security A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know
More than 4 million records held by school safety software company Raptor Technologies were left inadvertently exposed online.
5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
Nicolas Herrbach/iStock/Getty