Congress Proposes Changes to Student Data Usage and Privacy Regulations

Originally published on August 20, 2015 in WCET Frontiers

We live in a society awash in a sea of data. The collection and use of millions upon millions of data points allows for an unprecedented level of personalization when we log into service providers like Amazon, Netflix or iTunes.  Our data, the record of the most personal and private parts of our lives, fuel the algorithms that order our lives.

But, there is a darker side to the ubiquitous presence of our personal data.

We decry the ability of the National Security Agency to access phone records. Librarians staunchly advocate the right of patrons to keep borrowing histories private.  We monitor our credit after massive data breaches stretching from national consumer outlets to the federal government. But we reserve our most critical and contentious conversations around data and privacy for discussions of student data usage and privacy.

Congress seeks the keys to securing student data.

Given the antiquated nature of federal privacy legislation, the highly charged contemporary conversations about data privacy, and the more than 180 pieces of legislation filed in 47 state legislatures, it should come as no surprise that there are no less than eleven bills and amendments to the Elementary and Secondary Education Act (ESEA) before Congress that would reimagine student data and privacy for the 21st century.

 

FERPA  

Congress has been debating student privacy since President Ford signed the Family Educational Rights and Privacy Act (FERPA) into law in 1974. Focused primarily on regulating schools and local and state educational agencies, the goal of FERPA is to provide parents with access to their child’s educational records, provide them with the ability to amend those records, and ensure that they control the disclosure of those records. There are, however, some consideration made for researchers—personally identifiable information (PII) can be disclosed to third parties for the purpose of educational research without explicit parental consent.

The greatest challenge that FERPA has faced is that despite the numerous amendments by Congress and changes in regulations by the Department of Education, the fact still remains that FERPA was written at a time when student records were more likely to be paper files kept in a locked file cabinet or vault than digital records that can be disseminated at the press of a button or illegally accessed by some nefarious hacker.

What’s Being Proposed to Update FERPA?

There are three proposed bills pending that would either amend or completely re-write FERPA:

  • HR 3157, The Student Privacy Protection Act; Todd Rokita (R), Marcia Fudge (D), John Kline (R), and Robert C. Scott (D)
  • S 1322, Protecting Student Privacy Act; Edward Markey (D), Orrin Hatch (R), and Mark Steven Kirk (R)
  • S 1341, Student Privacy Protection Act; David Vitter (R)

All of these pieces of proposed legislation share a common desire to bring FERPA into the 21st century and update it for new and emerging technologies while bolstering parental rights, but two pieces of legislation have garnered the most attention—HR 3157 and S 1341.

HR 3157
HR 3157, the most heralded of the proposed bills, represents a bipartisan attempt at completely re-writing FERPA and has garnered the most cautious support from the educational and technology communities. Meant as a total rewrite of FERPA that would clarify and codify existing regulations, HR 3157 would also improve data transparency, increase parental rights, and close loopholes regarding the use of data for direct marketing towards students.

For example, under HR 3157 third party companies would be required to enter into written agreements with educational agencies that explicitly outline how and what information would be transferred, what personally identifiable information would be created, descriptions of any subcontractors with access to the data, and the assurance of data security policies built on industry standards. Additionally, this proposed legislation includes robust transparency requirements that would require any institution or educational agency to provide parents with copies of written agreements with those third parties accessing student data.

The bill does attempt to balance the need for research and innovation against privacy concerns by allowing researchers to continue to access data without parental consent as long as it “improve[es] the instruction or testing of students.” Moreover, it recognizes the potential importance of personalized learning and would not negatively impact the ability of service providers to use data to provide personalized learning.

S 1341
Senator Vitter’s proposal, S 1341 Student Privacy Protection Act, has little in common with HR 3157 and has drawn the largest amount of criticism and concern from educators and service providers. Although Vitter’s bill also seeks to update FERPA and strengthen parental consent, the similarities end there.

Under S 1341 any data used by third parties would be required to be de-identified and destroyed as soon as the student is no longer serviced by the agency or institution. Additionally, parents would be given 30 days notice prior to third party access of the data and, unlike allowances for research under existing legislation and HR 3157, parental permission would be required if any non-aggregated, non-anonymized, or identified data is used. Finally, the bill expressly prohibits collection of “psychological data” for any purposes.

Not only would research abilities be severely hampered by Vitter’s bill, but personalized learning would be severely limited, if not completely impossible. In fact, S 1341 would create so many limitations to the use of data that over 1,000 organizations, institutions, and scholars signed a letter of concern written by the American Educational Research Association (AERA). In it, the signatories wrote that the bill would have a “devastating impact on education research.” After explaining that the proposed legislation would undermine the scientific validity of student data, prevent researchers from accessing the data necessary for their research, prevent the use of district and state administrative data for longitudinal research, and “drastically curtail the ability to collect information on student learning and teacher performance,” the letter closes with the warning that the bill would have a “calamitous effect on research and evaluation if it were to become law.”

 

What about Websites and Online Service Providers?

What’s in Place?:  COPPA
The 1998 passage of the Children’s Online Privacy Protection Act (COPPA) was an attempt to bring privacy protection into the 21st century. Aimed at websites and online service providers, COPPA requires that “verifiable parental consent” must be present before a site or service provider can collect personally identifiable information from anyone under 13 years old.  Mirroring COPPA’s focus on the internet and online services, enforcement authority lies with the Federal Trade Commission, largely under its consumer protection and fraudulent services authority.

But even this bill, written at the turn of the century and the eve of the age of ubiquitous internet, is sadly outdated. Data collection and the targeted advertising that it supports are inadequately addressed in the legislation leaving children open to targeted advertising campaigns built on the backs of their personally identifiable information.

What’s Being Proposed?
Another set of proposed legislation would directly address internet service providers and websites in an effort to improve student privacy. There are currently six bills that would either amend COPPA or otherwise address data privacy from the consumer protection vantage point:

  • HR 2092, The Student Digital Privacy and Parental Rights Act of 2015; Jared Polis (D) and Luke Messer (R)
  • S 1788, Safeguarding American Families from Exposure by Keeping Information and Data Secure (SAFE KIDS) Act; Richard Blumenthal (D) and Steve Daines (R)
  • HR 2734, Do Not Track Kids Act; Joe Barton (R) and 14 other representatives including 12 Democrats and two Republicans [closely related legislation includes HR 1053S 547, and S 1563]

All of these pieces of proposed legislation share a common desire to reimagine consumer protection and student data privacy for new and emerging technologies, but the two that have garnered the most attention are HR 2092 and HR 2734.

HR 2092
Representatives Polis and Messer’s The Student Digital Privacy and Parental Rights Act of 2015 was the first of the student privacy bills filed this session. Although technically not an amendment of COPPA, it does focus on third party vendors, specifically the online service providers who work with state and local education agencies rather than the agencies and institutions themselves.

Much like HR 3157, HR 2092 attempts to balance the needs for data privacy and protection against innovation and explicitly includes provisions that would support the usage of data for developing personalized learning. Also, much like HR 3157, the bill would require providers to be transparent regarding the data collected from children and its usage as well as clearly prohibit the use of that data for direct marketing purposes.

Unlike HR 3157, the bill includes deletion requirements that would require providers to delete personally identifiable information within 45 days of a parental request or one year after service has ended. And rather than rely on the Department of Education for enforcement, HR 2092 would make enforcement the responsibility of the FTC.

HR 2734
The Do Not Track Kids Act of 2015 (HR 2734) specifically sets out to amend COPPA in order to update its privacy protections for the 21st century. Unlike HR 2092 which focuses on service providers working with education agencies, HR 2734 focuses on any company that is providing services directly to children. Under HR 2734 these providers would be required to obtain consent before collecting or using any data as well as allow minors or their parents the right to inspect any data collected on them, challenge its accuracy, and respond to any requests to erase, correct, or amend that data.

The bill would also simplify parental notifications by requiring that those notifications be made in “clear and plain language.” And although the bill does not directly address innovations such as personalized learning, it does recognize the role that data plays in innovation and balances that against privacy concerns. Finally, like HR 2092, the bill would make enforcement the responsibility of the FTC.

What Can We Expect?

What should we expect when Congress returns from its summer recess? There has been a spotlight on the limitations of FERPA and COPPA as currently written ever since President Obama called on Congress to better protect student data in his 2015 State of the Union address. All but one of the bills has been assigned to committee (Vitter’s bill is the lone hold out) but none have made it out of committee. Of the FERPA overhaul bills, HR 3157 is best positioned for passage with its bipartisan support and broad appeal among both educational agencies and industry. And the bill enjoys presidential support as evidenced by a recent blog post by Jeff Zients, Director of the National Economic Council, who calls the bill an “important bipartisan step.”

Additionally, both the House and Senate versions of ESEA had privacy related amendments attached. In the Senate, Orrin Hatch (R) and Edward Markey (D) offered Amendment 2080 that would establish the Student Privacy Policy Committee, a 20 member group that would study data privacy and make recommendations on changes to the existing regulatory framework as well as how to improve coordination between federal law and the growing body of state law.

While in the House, Will Hurd (R) offered Amendment 54 that expressed the sense of Congress that student privacy is “important to protect,” especially “with the use of more technology, and more research about student learning the responsibility to protect students’ personally identifiable information is more important than ever.”

But as ESEA heads to conference committee, the future of these amendments as well as the act itself is uncertain.

So although the fate of the current student privacy legislation may be uncertain, we can expect that the conversation around student data and privacy will continue to play a central role in our national conversations about education, technology, and innovation.