Education, From The Capitol To The Classroom

Messer Leading Effort For National Student Privacy Law

    A Carpe Diem student logs into a computer in the school's

    A Carpe Diem student logs into a computer in the school’s “learning center,” where each student has his or her own workstation. photo credit: Kyle Stokes / StateImpact Indiana

    As education moves into the digital age, so does data about the students using technology.

    From homework and lessons on the web, Google Classroom and standardized tests moving online, a lot of information about a K-12 student lives on the Internet. That fact has long worried parents and educators, and now U.S. Rep. Luke Messer, R-Ind., is attempting to rectify it at the federal level.

    Along with Rep. Jared Polis, D-Colo., Messer wrote a bill addressing the issue of student data privacy. Messer and Polis had planned to introduce the bill in the House Monday, but delayed following criticism that the bill doesn’t do enough to protect student data.

    Currently, student data is protected under the Family Educational Rights and Privacy Act, a law enacted in 1974. It applies to institutions like schools and universities and the records they oversee, but doesn’t apply to the current system of education where third party companies hired by schools own student data.

    When a school district hires online textbook companies or other ed-tech companies, those groups gain a lot of information about students. According to Fred Cate, Director of the Center for Applied Cybersecurity Research at Indiana University, there’s really only one reason a company would want access to student data.

    “Nine times out of 10 the reason someone wants data is for marketing,” Cate says. “It’s really for targeting who you’re marketing to or what you’re marketing to them. So if I run a testing service or an online publisher or whatever and I can identify students by what they’re interested in, I can identify them by their proficiency, how well they do, I then know what to market to them.”

    Benjamin Herold of Education Week writes about what the proposed bill would try to fix:

    If enacted, the proposed Student Digital Privacy and Parental Rights Act of 2015 would mostly prohibit ed-tech vendors from selling the information they collect on students and using that information to target students with advertisements. It would also impose new requirements on vendors when it comes to securing and deleting student data, sharing student information with third parties, and disclosing breaches. In a major new development, the Federal Trade Commission would also be given enforcement and regulatory authority over the burgeoning ed-tech industry.

    Herold goes on to write that with the delay of the introduction, the bill will likely lose language allowing schools to permit companies to disclose student information for non-education reasons, as well disclosing student data for research purposes.

    Clauses like those listed above prompted a lot of the opposition to the bill. NPR Ed blogger Anya Kamenetz spoke with Mike Goldstein and Elana Zeide, two experts on the issue of student data privacy, about the main concerns regarding the bill in current form – namely, what it will and won’t protect students from:

    1. Security. 
    My child’s information will be stolen and misused by hackers. She will be a victim of identity theft or her information will be exposed in an accidental data breach.

    Setting rules about how long data can be stored, and who can access the information, helps security. The draft House bill contains some broad security provisions, but security, says Zeide, is also determined by good training and protocols, not just regulation.

    2. Transparency. My child’s information is being collected, circulated, stored and shared, but I don’t know where or by whom or why. I won’t be informed if there’s a data breach.

    This bill includes some provisions on disclosure and parental notification.

    3. Commercialization. My child’s information will be used to target online advertising or otherwise exploited for commercial gain. My child will be marketed to while she’s doing her homework — or her homework will be used to sell things to other students.

    This is where the House bill focuses. It would prohibit the sale of student information and the targeting of advertising based on a profile of a student assembled over time. It contains an exception, though, meant for companies like The College Board, which sells information on students who take the SAT to colleges, which is then used to target scholarship offers.

    4. Reputation. My child’s information will be “out there,” discoverable in the ether somewhere. Her youthful mistakes and foibles, her low-income or English-language-learner status will follow her around. One day, her “permanent record” could limit her options.

    Cate says the biggest challenge for Congress when drafting this legislation is deciding how to enforce the law. Currently, if a school isn’t complying with FERPA, they can lose federal funding for their school. He says that isn’t used often because it punishes kids and not the school, and with large technology companies that will only be harder to enforce.

    Messer and Polis will likely introduce an updated version of their bill to the House of Representatives later this week.


    About StateImpact

    StateImpact seeks to inform and engage local communities with broadcast and online news focused on how state government decisions affect your lives.
    Learn More »