The Parent Coalition for Student Privacy released a comprehensive report card on each state’s privacy laws. It is an amazing tool for parents, teachers, legislators, and privacy advocates. The full press release is posted below. You will want to be sure to use the downloadable comparison matrix and share the report cards with your schools and legislators.
Why Student Privacy is Important
Thanks to the federal student privacy law FERPA being weakened in 2011, student’s personal data can be shared outside of school walls, without parents knowledge or consent. The data can be shared and analyzed by government agencies, nonprofits, businesses, researchers, and edtech companies who can further share with third parties, (or even sell student data), or used for advertising to students. Online “Personalized Learning”, computer “edtech” programs that collect millions of points of data, and use hidden algorithms to profile children are not regulated by federal law and are exempted from state laws. Recently, the FBI issued a warning about the dangers of edtech data collection. With multiple data breaches, and cyber hacks into school databases, education performs dead last in terms of cyber security. Over the last few years, parents across the country have gone to schools, state and local boards, state legislators, and asked for transparency and more control of their children’s data. In every state, parents have received pushback, often from the BigTech lobbyists who send representatives to weaken bills and fight privacy legislation. Silicon Valley spends millions to lobby and shape “tech favorable” privacy policies at the federal level. Google led the multimillion-dollar tech industry lobbying blitz in 2018.
Besides the millions of data points collected by edtech, astonishing amounts of student data are stored in local and state databases, often called SLDS, or P20 databases. With the recent passage of Federal law HR4174, making data held in federal and state databases linkable, (shareable) and interoperable, it is more important than ever to minimize what student data, especially sensitive medical, mental health, disability data, goes into these databases. FERPA is a 45 year old law that needs updating. We need a strong data privacy law that ensures opt-in consent, provides enforceable penalties, data minimization, and private right of action to parents. This 2015 Answer Sheet article in the Washington Post, explains the issue and need for student privacy legislation:
“During a February 2015 congressional hearing on “How Emerging Technology Affects Student Privacy,” Rep. Glenn Grothman of Wisconsin asked the panel to “provide a summary of all the information collected by the time a student reaches graduate school.” Joel Reidenberg, director of the Center on Law & Information Policy at Fordham Law School, responded:
“Just think George Orwell, and take it to the nth degree. We’re in an environment of surveillance, essentially. It will be an extraordinarily rich data set of your life.”
Most student data is gathered at school via multiple routes; either through children’s online usage or information provided by parents, teachers or other school staff. A student’s education record generally includes demographic information, including race, ethnicity, and income level; discipline records, grades and test scores, disabilities and Individual Education Plans (IEPs), mental health and medical history, counseling records and much more. [Emphasis added]
Under the federal Family Educational Rights and Privacy Act (FERPA), medical and counseling records that are included in your child’s education records are unprotected by HIPAA (the Health Insurance Portability and Accountability Act passed by Congress in 1996). Thus, very sensitive mental and physical health information can be shared outside of the school without parent consent.
… the federal government has mandated that every state collect personal student information in the form of longitudinal databases, called Student Longitudinal Data Systems or SLDS, in which the personal information for each child is compiled and tracked from birth or preschool onwards, including medical information, survey data, and ….
Every SLDS has a data dictionary filled with hundreds of common data elements, so that students can be tracked from birth or pre-school through college and beyond, and their data more easily shared with vendors, other governmental agencies, across states, and with organizations or individuals engaged in education-related “research” or evaluation — all without parental knowledge or consent.
Every SLDS uses the same code to define the data, aligned with the federal CEDS, or Common Education Data Standards, a collaborative effort run by the US Department of Education, “to develop voluntary, common data standards for a key set of education data elements to streamline the exchange, comparison, and understanding of data within and across P-20W institutions and sectors.”… You can check out the CEDS database yourself, including data points recently added, or enter the various terms like “disability,” “homeless” or “income” in the search bar.”
The US needs to do more to protect students from identity theft, invisible digital profiling, trafficking and selling of their personal data. Children should not be subjected to compulsory surveillance, forced to forego privacy, as a condition of attending public schools. Parents, not corporations, not the government, need to know what data is collected and should have the Right to NO when it comes to sharing or processing their children’s data.
New Report Card Grades Each State On How Well it Protects Student Privacy
In the first of its kind, the Parent Coalition for Student Privacy and the Network for Public Education have released a report card that grades all fifty states on how well their laws protect student privacy.
The State Student Privacy Report Card analyses 99 laws passed in 39 states plus DC between 2013 and 2018, and awards points in each of the following five categories, aligned with the core principles put forward by PCSP: Transparency; Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; and Oversight, Enforcement, and Penalties for Violations.
Two more categories were added to the evaluation: Parties Covered and Regulated and Other, a catch-all for provisions that did not fit into any of the above categories, such as prohibiting school employees from receiving compensation for recommending the use of specific technology products and services in their schools.
No state earned an “A” overall, as no state sufficiently protects student privacy to the degree necessary in each of these areas. Colorado earned the highest average grade of “B.” Three states – New York, Tennessee and New Hampshire– received the second highest average grade of “B-“. Eleven states received the lowest grades of “F” because they have no laws protecting student privacy: Alabama, Alaska, Massachusetts, Minnesota, Mississippi, Montana, New Jersey, New Mexico, South Carolina, Vermont and Wisconsin.
The report tracks specific versions of state laws over time. For example, many of the state privacy laws enacted since 2013 were modeled after the California’s 2014 law known as the Student Online Personal Information Protection Act (SOPIPA). While California barred all school vendors from selling student data, eight states subsequently passed laws that allowed the College Board and the ACT to do so. Laws with specific loopholes to allow these companies to sell student data were enacted in Arizona, Colorado, District of Columbia, Nebraska, North Carolina, Texas, Utah and Virginia –presumably because of lobbying efforts.
The issue of data security is also critical. The primary federal student privacy law known as FERPA requires no specific protections against data breaches and hacking, nor does it require families be notified when inadvertent disclosures occur. In recent years, the number of data breaches from schools and vendors have skyrocketed, and some districts have even been targeted by hackers with attempted blackmail and extortion. A recent report rated the education industry last in terms of cybersecurity compared to all other major industries. As a result, this fall the FBI put out an advisory, warning of the risks represented by the rapid growth of education tech tools and their collection of sensitive student data, saying that this could “result in social engineering, bullying, tracking, identity theft, or other means for targeting children.”
“The inBloom debacle in 2013 exposed the longstanding culture of fast and loose student data sharing among government agencies, schools and companies,” said Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, parent of two public school children in Colorado and the primary author of the report. “Consequently, parents across the nation began urging their state legislators to address the problem, resulting in a complex web of state privacy laws that are difficult to untangle and understand. Our hope is to bring attention to state laws that make a reasonable effort to protect student privacy and identify those that need improvement. Parents and advocacy groups can use our findings to advocate for even stronger measures to protect their children.”
NPE Executive Director Carol Burris noted, “This report card provides not only critical information regarding the existing laws, but also serves a blueprint for parents to use for lobbying for better protections for their children.”
As Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, pointed out, “FERPA was passed over forty-five years ago and has been weakened by regulation over time to allow for the sharing of personal student data by schools and vendors without parent knowledge or consent. State legislators have stepped up to the plate to try to fill in some of its many gaps and to require more transparency, security protections, enforcement, and the ability of parents and students to control their own data. Yet none of these laws are robust enough in each of these areas. Congress must strengthen and update FERPA, but meanwhile, this report card can serve as a guide to parents and advocates as to which state laws should be strengthened and in which specific ways.”
An interactive map that shows the grades of each state, both overall and in each of the categories is posted here. The report is posted here; here is a technical appendix with a more detailed account of how each law was evaluated. There is also a downloadable matrix with links to all of the state laws, as well as specifying how many points were awarded in every category.