States Race to Protect Student Data

Computers©The Associated Press

In recent years states have rushed to regulate how student data can be used by school systems and education technology companies. Now some are considering whether parents should be able to decide how their children’s data is used.

What if a child’s performance in a fifth-grade gym class could be used to set the rate for a life insurance policy when they’re 50? What if a computer program advertised interactive tutoring when your child struggled with long division?

Privacy advocates worry these scenarios could become reality as schools increasingly rely on outside companies to collect, manage and analyze the massive amount of data gleaned from standardized tests, transcripts, individual education programs and even cafeteria purchases.

This subcontracting is not new or uncommon, but it has often left school districts without explicit control over students’ personal information. And it has left some parents, administrators and privacy advocates worried that those companies might one day sell or mine the data for a profit.

With few protections on the privacy of student data beyond a decades-old federal law, states have been scrambling to regulate how student data is collected and stored. More recently they’ve begun governing how third-party companies can use student information.

In 2014, 21 states passed 26 student data laws mostly targeted at states and school districts. Many echoed a 2013 Oklahoma law that requires state approval to release student data and mandates that only aggregated data — no data tied to individual students — can be released.

By last year, lawmakers had shifted their focus to third-party companies. They passed 28 student privacy laws, in many cases mirroring a California statute that prohibits service providers from using data to target ads to students, selling student information, and creating student profiles for commercial purposes.

This year nine states — Arizona, Connecticut, Hawaii, Kansas, New Hampshire, Tennessee, Utah, Virginia and West Virginia — have added 11 new student data laws, mostly based on the California standard. A similar proposal is awaiting the signature of Colorado’s governor.

It’s impossible to know how companies could or would use the information they collect, said Joel Reidenberg, a privacy expert and law professor at Fordham University.

“What are they going to do with it? Are they going to use it for experimentation? Data analytics?” he said. “Will it wind up 10 years down the road being used in an insurance underwriting decision?”

School districts and their vendors are required to keep educational records confidential, under the 1974 federal Family Educational Rights and Privacy Act. But the law, written at a time when protecting student data simply meant locking a filing cabinet, is ambiguous about some of the non-academic data now collected in schools.

“It’s not at all clear that what a child eats in the lunchroom would be considered an educational record,” Reidenberg said.

Regulating Third Parties

Fewer than 7 percent of school systems’ contracts for cloud computing services restrict vendors’ sale or marketing of student data, a 2013 study by Reidenberg and Fordham’s Center on Law and Information Policy found. A quarter of districts using those services tell parents about their relationships with vendors. One in five don’t have policies governing the use of online services.

School systems should be restricting the way their vendors use student data, Reidenberg said, and the 2013 study proves they are just not exerting that control. He worries what could happen if companies continue unrestricted.

“I don’t think it’s appropriate for commercial vendors to be able to data mine what a child is doing in a classroom and develop a commercial product to sell back to other school districts,” Reidenberg said.

But Brendan Desetti, director of education policy for the Software and Information Industry Association, said vendors are not interested in advertising.

He said the California model governing third-party data management makes sense, and he hopes states won’t deviate too far from it because similar laws help companies conform across state lines. “At the end of the day, we want to comply.”

Desetti also points to the Student Privacy Pledge, a promise made by education technology companies to not sell student information, keep the data longer than it is needed by a school system, or disclose student information for advertising.

The pledge, which was started in 2014 and has 275 signatories, including Apple and Google, can be enforced by the Federal Trade Commissions if a company is found to violate its promise.

But despite the pledge and states’ efforts to replicate the California law, Reidenberg said many states are too focused on making sure the data isn’t used for marketing and advertising. States also need to worry about whether the data that’s collected is being used for secondary purposes, such as using a student’s performance to develop and sell a curriculum, how long the information is kept, whether parents have a right to know who is using their children’s data, and if there is a means to correct inaccurate data.

“It’s just a whole host of good data practices, fair data practices that are not covered by a statute focused only on marketing,” he said.

Opting Out?

States and school districts have long used electronic databases to keep grades and attendance, but more recently, schools are using online services and apps as part of classroom instruction.

As more teachers turn to these programs and social media as a regular part of their curriculum, states need to safeguard children’s data, said Rachel Anderson with the Data Quality Campaign, a nonprofit focused on how data is used in education. Not because education technology companies are breaking the law, she said, but because regulations need to reflect changes in education.

States are looking for ways to be more transparent about the programs they use and how children’s data is being collected. Some have explored laws that would allow parents to opt out of data collection or the submission of personal data to education technology companies.

Between 2014 and 2015, state legislators introduced 98 bills that included opt-in or opt-out provisions, and this year Arizona passed a law requiring schools to obtain parents’ permission before collecting certain data.

But the Data Quality Campaign suggests these proposals shouldn’t be treated as privacy protection because they force parents to assess the risk of data-sharing without giving them adequate context to decide how their children’s information should be used. Instead, some advocacy groups say, school districts need to be more transparent about the collection and use of student information. 

“The conversation is looking different in every state and district at this point,” Anderson said. “Some states are really taking the approach of parents can decide if they want to opt in or out of these additional recommendations.” 

Explore