California Takes Meaningful Step Toward Shoring Up Student Privacy
Written by Alex Bradshaw
New education technologies show promise in enhancing overall education, and are gaining increasing attention amid reports of American students’ education levels trailing behind those of their peers abroad. However, these tools collect, share, and store student data with commercial service providers and researchers, raising a range of privacy concerns.
As it stands, federal law provides K-12 students and parents with few protections from third parties’ collection and use of student data. Most state laws only address traditional student record-keeping in physical files, and are therefore inadequate given the various means by which education technology collects student data (including scanning children’s palms at the lunch counter). California’s recently passed student privacy bill is a welcomed exception. The Student Online Personal Information Protection Act (“SOPIPA”) (S.B. 1177), signed by Governor Jerry Brown yesterday, is a much-needed departure from current trends in student privacy legislation and, while not perfect, could serve as a framework for other state legislatures’ approach to this issue.
California’s New Student Privacy Law
SOPIPA prohibits K-12 education online services and mobile applications from:
- Engaging in targeted advertising to students or their families;
- Using information collected on students to create advertising profiles;
- Selling information on a student; or
- Disclosing students’ personal information except under limited circumstances.
Most importantly, SOPIPA directly regulates edtech providers. The majority of the 100+ state student privacy bills introduced in the past year focus solely on regulating activity of educational institutions. Oklahoma’s 2013 “Student DATA Act”, one of the first state laws to address schools’ use of edtech, requires the state Department of Education to establish a public facing inventory of the types of student data collected by the Department, develop policies regarding access to student data, comply with federal law security mandates, and limit transfer of student data to entities outside of Oklahoma.
The Oklahoma law, which has been imitated by numerous bills proposed in other states, was intended to comprehensively address mass collection of student data by edtech platforms. However by limiting its applicability to schools, the law ultimately allows companies to avoid liability for their own collection, use and sharing of student data.
Federal law is similarly restricted. The Department of Education can only enforce the Family Educational Rights and Privacy Act (“FERPA”) against schools and the Department’s remedy under FERPA is limited to pulling all funding from a school that violates the law. Other federal privacy laws, including HIPAA, give agencies power to enforce the law against any entity that collects information regulated through the act. This is a more promising model for protecting students’ privacy: direct regulation of edtech providers is critical to keeping the industry’s actions appropriately scoped when collecting, using and retaining student data. SOPIPA’s effort to encourage more industry accountability should therefore be applauded.
Thoughts on The Pre-amended Version of SOPIPA
It should be noted that the enacted version of SOPIPA differs from previous iterations in significant respects. Earlier versions would have required edtech services to secure data at rest and in motion using encryption processes that met or exceeded NIST standards. The version of SOPIPA that passed eliminated these provisions, instead requiring that providers use “reasonable security procedures and practices appropriate to the nature of the covered information.” We agree with this change; given the pace by which data collection evolves it is important that laws avoid technical security mandates that may not be applicable to future data mining practices. A “reasonable security” standard is imperfect, but best suited to provide this legal flexibility.
However, the omission of user control provisions in SOPIPA is cause for concern. The pre-amended SOPIPA gave students limited control over the retention and deletion of their data. Edtech providers were expected to remove student data if the student was no longer enrolled at the school or if the student requested removal, unless the school was using the information for a legitimate educational purpose. This provision was ultimately deleted from the final version of the bill.
Individual autonomy should trump company and school systems’ desires to monitor students for analytics purposes.
Legislators planning to design SOPIPA-type student privacy legislation for their state should consider the importance of including user-control provisions in their bill. There are benefits to retention of student data, such as the ability to longitudinally evaluate student performance. However, individual autonomy should trump company and school systems’ desires to monitor students for analytics purposes. The threat of unauthorized access into students’ personal information collected through edtech undoubtedly exists: this year alone tens of thousands of student records were exposed or stolen on college campuses around the country. Therefore, while we hope states follow California’s lead by enacting laws that encourage edtech industry accountability and reasonable security, we urge legislators to give students and parents a meaningful choice for how their data is collected, used, and retained.
More Action Needed on Federal Level to Protect Students’ Digital Footprint
States are leading the charge on student data privacy and understandably so; the subject matter is traditionally one delegated to regional school districts that are most familiar with their students’ needs. However, the ubiquity of edtech in schools and the reality that many of these platforms operate on a national scale, underscore why FERPA must be updated.
SOPIPA is a commendable step toward stronger protections for students’ data; however, the very fact that it aims to regulate all edtech website and application operators with knowledge of their site being used for K-12 education purposes complicates the analysis of which entities should be subject to this law. What happens if, for example, an edtech website or start-up in a particular state that is not aware of their service being used in California is found to have run afoul of the law? Furthermore, how exactly does SOPIPA define “K-12 school purposes”? The phrase could include services used in the classroom for instruction, as well as products used for administrative functions like storing student records, or even applications used without the school’s knowledge by students or parents. It is possible SOPIPA may reach entities that did not anticipate such regulation when the platform was designed. Moreover, SOPIPA is only one of numerous state student privacy laws and bills.The lack of a well-defined federal standard could complicate compliance efforts of edtech companies who often serve schools in multiple states.
We congratulate Governor Brown and California’s legislature on passing this progressive approach to student privacy. Now it’s time for federal legislators to update FERPA to better protect students’ digital footprint.