Is Student Data at Risk Due to Out-of-Date Privacy Laws

Members of Congress warn that an aging privacy statute hasn't kept pace with technology in the classroom and urge that restrictions be placed on third-party use of student data.

student data protection ts
Credit: Thinkstock

As tech companies look to tap into the burgeoning education market with new applications and services for the classroom, lawmakers are worried that current privacy laws offer insufficient protections for student data.

[ Related: Higher-Education CIOs Weigh In on 2015 Priorities ]

At a recent House hearing, members of a subcommittee on education generally agreed that the 41-year-old Family Education Rights and Privacy Act (FERPA) needs is due for an update that would restrict the collection and usage of education data, while at the same time leaving room for new technologies to flourish.

"As we examine FERPA, we need to balance privacy and innovation," says Rep. Marcia Fudge (D-Ohio), the ranking member on the Subcommittee on Early Childhood, Elementary and Secondary Education. "Congress must ensure student data is being used only for defined educational purposes and cannot be sold or used for private companies' financial gain."

Witnesses at Thursday's hearing, including an executive from Microsoft, outlined the ways that FERPA has failed to keep pace with the privacy concerns that have arisen in the fast-moving ed-tech space, in particular the absence of restrictions on third-party vendors' collection and use of sensitive student data under the law.

"Students data belongs to students and their parents, and students are not commodities to monetize through advertising," says Allyson Knox, Microsoft's director of education policy and programs. "FERPA was written to apply only to educational institutions. It should be updated to prohibit third parties from using data for targeted advertising or for building profiles to advertise to students after they leave school."

The push for new student privacy legislation has the backing of the White House, where presidential counselor John Podesta has expressed the administration's aim of working with lawmakers on a bill to "ensure that our kids' educational data is used only for educational and legitimate research purposes."

[ Related: Obama aims to tighten laws on data hacking and student privacy ]

There is bipartisan support for that effort on Capitol Hill, with Reps. Luke Messer (R-Ind.) and Jared Polis (D-Colo.) having announced their intention to bring forward a student privacy bill to set checks on how companies can use education data.

Will Privacy Concerns Impede New Technologies in Ed-Tech?

In broad strokes, it may be hard to argue with the goal of protecting student privacy, but some in the field worry that an overly restrictive law could have the adverse effect of choking off promising new digital learning technologies.

[ Related: CIO Helps Kaplan Keep Pace With Students ]

"While federal ... privacy policy is critically important, there is no doubt in my mind that school districts and schools must lead these efforts to protect student data privacy, and any effort by Congress to update laws to protect students -- FERPA and COPPA [the Children's Online Privacy Protection Act] -- should support, not burden, school district and state data use to improve instruction and decision making," says Sheryl Abshire, CTO at Calcasieu Parish Public Schools in Louisiana.

"Appropriate data sharing must be preserved to strengthen the potential of technology to transform and improve education," she told lawmakers. "I urge Congress: Please do not overreach as you address this important issue, but instead take a thoughtful, balanced approach focused on supporting schools and district leaders."

Joel Reidenberg, a law professor at Fordham University who studies education technology, argues for an expansion of the terms of FERPA, which he says ''desperately needs to be updated for the 21st century."

The rewrite that Reidenberg envisions would introduce new restrictions on data usage to technology providers, including an expressed prohibition on using student information for marketing or other non-educational purposes, as defined in the expanded statute, and provisions allowing for fines for violators.

Responsible tech companies should welcome an overhaul of student privacy legislation, he argues, suggesting that clearer rules of the road in a more expansive law would help win the support of parents who today worry about how their children's information is being used.

"Much of the data that comes from learning tools is outside of the scope of FERPA," Reidenberg says. "In the absence of effective privacy protections for their children's information, parents will oppose the technology."

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO Nov/Dec 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.