Earlier this year, we told you about the Student Privacy Pledge which Google, Microsoft, and other major infotech companies signed in a gesture of goodwill toward keeping students’ data safe. The pledge was put forward as part of President Obama’s broader agenda on education technology, an agenda in which data privacy is increasingly prioritized. In January, the President called for new legislation addressing student privacy. Now, a draft of such legislation, the Student Digital Privacy and Parental Rights Act of 2015, is circulating in the House.
While the Student Privacy Pledge deals primarily with commercial uses of data, the proposed legislation has a somewhat broader focus, also touching upon data security and parents’ right to know what is being done with their children’s information. (NPR put forth an excellent breakdown of student privacy issues and how the proposed bill addresses them; you can read their coverage here.)
Generally, the proposed bill tackles privacy problems with detailed regulations on how long and with what safeguards data should be stored, and with restrictions on how students’ data and metadata may be used by private companies. Almost all commercial uses of individual students’ information would be forbidden by the bill; the one exception, an “educational purpose” clause, is intended for companies like the College Board which match students with scholarships.
However, some parents, experts, and organizations feel the proposed bill does not go far enough. Some have expressed concern that the data security measures in the bill do not sufficiently address human factors; others have voiced fears about potential exploitation of the “educational purpose” loophole built into the restrictions on commercial use. Most notably, the Parent Coalition for Student Privacy has condemned the proposed bill as legislation which seems “written to suit the purposes of for-profit vendors, and not in the interests of children.” Their press release cites the exploitability of the “educational purpose” loophole and another regulatory loophole which Coalition members say would allow companies to act in ways contrary to their privacy policies with the approval of the school and without the knowledge of parents. The Coalition also takes issue with the absence of a clause allowing parents to request the deletion of their children’s stored data and the absence of restrictions on the use of aggregate, as opposed to individual, data.
Regardless of whether these criticisms are justified, the drafting of a student data privacy bill is an important step towards modernizing student privacy laws. While legal protections for student privacy obviously do exist, the primary law which lays them out is the Family Education Rights and Privacy Act of 1974. FERPA pre-dates the creation and proliferation of the Internet, and as such, it does not deal with such twenty-first-century privacy hazards as data mining, targeted marketing, and the potential compromise of children’s personal data in the event of a security breach. Updated legislation is sorely needed, and it is heartening to see that the government is moving in that direction.