President Obama Announces Student Privacy Legislative Proposal
President Obama announced today proposals for enhanced consumer privacy legislation, including a new federal student privacy law. According to the White House, the Student Digital Privacy Act is “designed to provide teachers and parents the confidence they need to enhance teaching and learning with the best technology — by ensuring that data collected in the educational context is used only for educational purposes.” The Act would accomplish this goal by mandating strict limits on student data sharing with third parties for non-educational purposes and prohibiting targeted advertising to students based on this data. The bill is modeled after California’s Student Online Personal Information Protection Act (“SOPIPA”), which was signed into law in late September of last year.
In addition to the legislative proposal, the President encouraged companies to sign on to a “Student Privacy Pledge,” a voluntary code of conduct for the use of student data sponsored by the Future of Privacy Forum and the Software & Information Industry Association. The White House will also issue a model terms of service agreement for EdTech companies and schools and provide training assistance for teachers on student data privacy through the Department of Education’s Privacy Technical Assistance Center (“PTAC”).
The practice of collecting student data is not new – schools have been gathering and reporting test scores, attendance records and the like for years – however, the means by which student information is collected, the types of information collected and the entities that ultimately have access to this data have expanded dramatically. EdTech serves many functions for schools including (but not limited to): administrative purposes, or digital storage of student information traditionally held in school paper files; classroom instruction, such as open source learning sites, in-class quizzes, videos and presentations; student assessment, which can gather highly specific student data points such as time taken to answer a question or scrolling patterns on a website; common core and statewide longitudinal data systems (“SLDS”) implementation; and after-school instruction, where students supplement classroom instruction with additional tutorials, extra credit and the like at home. The President must balance the growing importance of technology in education while providing reasonable directives on the collection and use of consumer data.
We’re excited to see how the Administration achieves this balance in the actual text of the bill once it is released. If the bill reflects SOPIPA, it would be a step in the right direction; SOPIPA directly regulates companies that collect students’ data, while the majority of state student privacy laws only regulate schools. The Family Educational Rights and Privacy Act, (“FERPA”), the existing federal student privacy law, limits its regulatory authority to schools and is generally in need of an update: the law leaves much of the data collected through EdTech uncovered by its provisions. EdTech companies may be better equipped than schools to safeguard students’ privacy rights, by virtue of their expertise in collection of user data. Therefore any legislation aiming to provide comprehensive student privacy protection must cover industry practices and include mechanisms for enforcement.
SOPIPA is not perfect, however: it omits any provisions for data retention limits or front-end data minimization. While data collection may enhance American education, this goal should not lead to limitless mining of students’ information. Student data collection and retention must be purposeful. Companies should therefore put as much thought into limiting the scope of their collection to data that is needed for a specific purpose, as they do into designing innovative uses for this data. Including data retention limits and minimization requirements in the Student Digital Privacy Act would be an effective way to encourage this form of industry accountability.
EdTech has the potential to revolutionize the classroom but, like so many technological advances, it will only be realized if it’s coupled with robust data privacy protections. CDT is pleased the White House has recognized this need. Further, we are encouraged by the Administration modeling the Student Digital Privacy Act after California’s SOPIPA; SOPIPA represents a progressive approach to student privacy that would encourage both schools and industry to be zealous in their efforts to protect students’ digital rights. We look forward to learning more about the Student Digital Privacy Act and the Administration’s plans for safeguarding students’ data lifecycle.
