Lawmakers Urged to Reform Student Data Privacy Law

Though 32 states have introduced or passed their own student data privacy bills, the “patchwork approach” is not considered sufficient -- strong federal legislation is recommended to ensure cohesive student data protections.

by Justine Brown / February 12, 2015 0
At Moss Hill Elementary in Kinston, N.C., second grader Jaylin Solomon reacts to the photograph he took of himself on his iPad. On Feb. 12, panelists urged lawmakers to update a severely outdated law to ensure that it strengthens student privacy protections in the digital age. Flickr/Zach Frailey

The Family Educational Rights and Privacy Act (FERPA) is a law intended to ensure parents’ rights and safeguard student records -- but it hasn't been significantly updated in 40 years, and a panel of technology and privacy experts speaking at the White House on Feb. 12 say it's time to make some serious changes.

During its first hearing to explore the use of new technology in the classroom and examine the need to modernize FERPA, the Subcommittee on Early Childhood, Elementary, and Secondary Education brought to Congress' attention the fact that this outdated law is leaving parents and students vulnerable to the inappropriate use of student data, often without their knowledge or consent.

“Technology organizations and policymakers have taken steps to strengthen student privacy protections. However, these efforts have not addressed rules under which schools must operate as the guardians of student data,” said Rep. Todd Rokita, R-Ind., chairman of the subcommittee, in his opening statement. “Unless Congress updates FERPA and clarifies what information can be collected, how that information can be used, and if that information can be shared, student privacy will not be properly protected.”

The hearing included a panel of technology industry representatives, educators and privacy experts who discussed the role technology is playing in classrooms and school accountability, its impact on student privacy, and the need to advance reforms that will strengthen student privacy protections. 

“Student data should not be used as a commodity,” said Shannon Sevier, vice president for Advocacy for the National Parent Teacher Association. “[FERPA] was written in 1974 with the intent to protect the privacy of student educational records and includes a parental consent provision."

Over the past 40 years, however, the concept of privacy, she said, has evolved from the right of direct control, to an individual’s right to control the information they have entrusted to others.

"This wrinkle in control," she added, "requires subsequent change to student data privacy policy.”

The use of technology and the collection of data about students presents tremendous opportunities to help evaluate student progress in real time, said Allyson Knox, director of Education Policy and Programs for Microsoft, adding that it also helps teachers to provide instruction that is tailored to a particular student’s unique strengths, weaknesses and learning style.

“However, it also raises serious privacy concerns," she noted, "and it is important that appropriate safeguards are in place to protect the privacy of this information, and similarly, that some uses of that information, such as to target advertising to students, are appropriately limited.”

The panelists agreed that FERPA needs to be updated to extend protection of student data to third parties and not just schools themselves, to explicitly prevent the sale of student data, to include penalties for infractions, and to ensure parents and students clearly understand when they are “opting out” of privacy.

“Information is power in this new economy, and if we know this data has the potential to be misused, then it’s our responsibility to [protect it],” said Dr. Sheryl R. Abshire, chief technology officer for Calcasieu Parish Public Schools in Lake Charles, La. “It’s a complex issue, but ... it’s our duty to look at ways we can support the use of data to inform instruction and to advance and enrich student learning in ways that weren’t possible 40 years ago.”

The panelists also agreed that the “K-12 School Service Provider Pledge to Safeguard Student Privacy,” which was developed by the Future of Privacy Forum, is a step in the right direction, but it doesn’t go far enough. The pledge, which to date has been signed by over 100 companies, asks that, among other things, companies promise not to sell student information, do not use behaviorally targeted advertising, use data for authorized educational purposes only, and exercise transparency about collection and use of data.

“I’m concerned about the voluntary aspect of the pledge and its lack of enforceability,” said subcommittee member Rep. Suzanne Bonamici, D-Ore.

Joel R. Reidenberg, founding academic director for the Center on Law and Information Policy, noted that the pledge is not an adequate substitute for meaningful legal protection applicable to all industry participants. “If FERPA is to cover adequately the ecosystem of student information," he said, "the statue must apply to all participants.”

Reidenberg went on to say that the importance of this direct applicability is illustrated by a new trend among some ed tech companies to market products such as online gradebooks directly to teachers.

“These marketing efforts are designed to bypass school administrators,” he said. “As a result, these vendors are, in effect, soliciting teachers to violate FERPA because the teachers will generally not have the legal authority to enter into contracts for the transfer of the district’s student data. While the Federal Trade Commission might be able to bring a deceptive practice claim, as a policy matter, FERPA should address vendors directly.”

While 32 states thus far have introduced or passed their own student data privacy bills, the panelists agreed that this “patchwork approach” is not sufficient to addressing the issue, and that strong federal legislation is needed to ensure cohesive student data protections. 

"It is extremely encouraging to see our nation’s leaders addressing the fact that current federal laws are insufficient to protect the privacy and security of students' personal information in today's connected classrooms,” said James P. Steyer, CEO of Common Sense Media, in response to today’s hearing. “That must change and it must happen quickly as their sensitive data is at risk. We look forward to working with Congress to help create a trusted online learning environment, where industry can innovate, schools can provide state-of-the-art digital learning tools, and our schoolchildren can use engaging educational websites, apps, and other technology to enrich their learning, without fear that their sensitive personal information will be exploited for commercial purposes or fall into the wrong hands."