The proliferation of private sector technology to help kids learn is being met with a push by parents, schools, and the US government to make sure students’ data is kept safe and isn’t sold for personalized advertising purposes.
The US Department of Education plans to protect children’s privacy and to address concerns about data monetization by proposing a rule under a decades-old law governing student records. The Federal Trade Commission also is ramping up its enforcement of another law focused on children’s privacy online, with agency actions going after makers of educational technology tools that misuse kids’ information or fail to secure it.
Typical school districts saw their K-12 populations utilize more than 2,000 edtech apps during the 2021-2022 school year, though about 300 of those apps accounted for almost all of students’ use, according to an analysis from educational software company Lightspeed Systems. Across grades, a single student usually used about 72 apps. Tools from
Questions about edtech’s privacy and security implications have been building for years since schools started giving students tablets and laptops to use in class. Attention on digital student records intensified during a pandemic-driven shift to remote online learning that introduced more videoconferencing apps from companies like Zoom Video Communications Inc. into K-12 educational settings.
The rush to virtual education highlighted concerns about teachers ticking boxes and consenting to technology providers’ data policies without much review. Now school districts increasingly vet apps and decide which ones are approved for use.
“The days of teachers signing up for things in the classroom are over,” said Nicki Bazer, a lawyer at Franczek PC specializing in student privacy who also formerly served as general counsel for the Illinois State Board of Education.
Some schools and edtech companies have joined forces on voluntary student-data protection initiatives meant to ease the burden on educators to decipher companies’ data practices and gauge their compliance with relevant federal or state laws. These efforts have sprouted against a backdrop of oversight responsibilities split between the Education Department, which regulates schools, and the FTC, which polices the private sector.
“This is essentially a regulatory car with two steering wheels,” said Jim Siegl, a senior technologist with the nonprofit Future of Privacy Forum’s youth and education privacy team. He previously worked as technology architect for the Fairfax County Public School District in Virginia.
The agencies co-hosted an edtech-focused workshop in 2017. Since then, each has started its own initiative to update policies governing children’s data, though neither one has resulted in a rule proposal yet.
Republicans lawmakers led by Rep.
Records Requests
The Education Department is planning a rulemaking under the Family Educational Rights and Privacy Act, known as FERPA. The federal law from 1974 gives parents rights to access their kids’ education records and prevents unauthorized disclosures of students’ personal information. Such information can be shared with edtech providers under a carve-out for “school officials.”
The department didn’t respond to requests for comment on the rulemaking, which was first placed on its agenda in 2018.
The Student Data Privacy Project, a parents’ group that advocates for stronger oversight of edtech platforms, has called for more clarity regarding what’s considered an education record in the age of virtual learning. Refining that definition is one of the goals of the rulemaking, according to a notice published in a government-wide regulatory blueprint.
Parents involved in the Student Data Privacy Project sought to use FERPA to see what information about their kids edtech platforms gathered. They filed more than two dozen complaints with the Education Department in 2021, claiming schools failed to turn over complete records concerning data collection.
The department hasn’t responded to the complaints, according to the parents.
They also point out that the agency has been reluctant to wield its FERPA enforcement powers. The law applies to districts and schools that receive federal funding, and the Education Department can pull funding from schools that don’t comply.
Given the lack of FERPA enforcement so far, the Federal Trade Commission “has stepped into that vacuum,” said parent Joel Schwarz, a cybersecurity and privacy professor at Albany Law School who co-founded the Student Data Privacy Project.
Children’s Privacy
The FTC is ramping up scrutiny of edtech platforms, as part of its consumer protection mission. In 2022, the commission warned makers of private-sector learning tools for kids to limit their collection and use of data to ensure compliance with the federal Children’s Online Privacy Protection Act, known as COPPA.
Under this law, schools can give permission for data collection on behalf of parents as long as students’ information is used for educational purposes, not commercial reasons.
The FTC recently brought an enforcement action against Edmodo Inc., an educational technology platform that shut down its US business last year. The agency accused Edmodo of collecting kids’ personal data without parents’ permission and using it for advertising.
The case was “really instructive” for fleshing out the agency’s authority over edtech and restricting the contexts in which schools can stand in for parents under COPPA, according to Phyllis Marcus, a partner at Hunton Andrews Kurth LLP who previously led the FTC’s children’s privacy enforcement program.
There’s still some confusion, though, about overlapping obligations under the children’s privacy law and the student records law.
“The interplay between COPPA and FERPA is quite blurry,” said Claire Quinn, chief privacy officer at PRIVO, a company that facilitates compliance with children’s privacy law.
As part of a rule update launched in 2019, the FTC asked for public input on how COPPA applies to the edtech sector. Some of the questions posed by the agency include whether its rules should specify who at a school can provide consent for data collection, whether parents should be able to request deletion of their kids’ information, and whether or how schools ought to notify parents of a vendor’s data practices.
The agency received thousands of comments in response and the rule review remains pending. A commission spokesperson didn’t immediately respond to a request for comment on the rulemaking’s current status.
State Laws
Meanwhile, states such as California have adopted laws that restrict the use of K-12 students’ information for delivering personalized ads. Several other states require that educators’ contracts with private vendors include provisions to safeguard privacy and security or prohibit secondary uses of student data without parental consent.
Privacy advocates have raised issues with certain aspects of such laws.
“These laws are only as good as their loopholes,” said Sophia Cope, a senior staff attorney on the nonprofit Electronic Frontier Foundation’s civil liberties team.
California’s law, for example, would prohibit Google from serving targeted ads within its educational apps, according to EFF. The measure likely wouldn’t apply if a student logged into a Google account navigates outside of educational apps to another one of the tech giant’s platforms such as the YouTube video-streaming service, according to the group.
Google says its “core” educational services have no advertisements and student information isn’t used to create profiles for ad targeting. Other Google services may show ads, but personal information from K-12 schools users won’t be used to target ads, according to the company.
Google and hundreds of other companies that provide edtech tools have promised to safeguard student privacy as part of a pledge organized by the Future of Privacy Forum and the Software & Information Industry Association. Many school districts factor in a company’s signing of the pledge as they review prospective technology vendors, according to the Future of Privacy Forum.
Standard Contracts
In another collective effort, dozens of schools and educational agencies across the US have agreed with edtech vendors on a set of common data privacy and security expectations, as a way to streamline contracts for purchasing learning tools.
“At first vendors didn’t want to sign one district’s privacy agreement,” said Steve Smith, chief information officer for Cambridge Public Schools in Massachusetts and founder of the Student Data Privacy Consortium that developed the resource. So “we formed an alliance,” he said.
This standard agreement defines student data broadly. It can include contact details, discipline records, and test results, as well as information like search activity, location records, and purchasing behavior or preferences. Its terms prohibit providers of digital learning tools from using or selling student data for targeted advertising or for building profiles on a student or their family.
The agreement emphasizes that educational institutions are in control when it comes to ownership of student data and parents seeking to review their kids’ information should go through schools, not tech vendors.
Schools that use software provider PowerSchool’s platform Schoology for virtual coursework have the ability to access their data and pull records.
“It’s not my data. I am the steward of it,” said Darron Flagg, PowerSchool’s chief compliance and privacy officer.
To contact the reporter on this story:
To contact the editors responsible for this story: