Student privacy laws remain the same, but children are now the product

The Federal Trade Commission (FTC) recently issued a policy statement about the application of the Children’s Online Privacy Protection Act (COPPA) to Ed Tech providers, warning that they can only use student personally identifiable information (PII) collected with school consent for the benefit of the school, and that they cannot retain it for longer than required to meet the purpose of collection. Ironically, days later, a Human Rights Watch investigative report observed that almost 90 percent of Ed Tech products it reviewed “appeared to engage in data practices that put children’s rights at risk.”

These revelations are no surprise to children’s privacy advocacy groups like the Student Data Privacy Project. But in the midst of a COVID-fog, much like the fog of war, Ed Tech remained largely insulated from scrutiny, siphoning student PII with impunity.

Taking a step back, it’s important to understand how Ed Tech providers access and collect this information. In 1974, the Family Educational Rights and Privacy Act (FERPA) was passed to protect school-held PII, such as that found in student directories. But FERPA contains a “School Official Exception” that allows schools to disclose children’s PII without parental consent so long as it’s disclosed for a “legitimate educational interest” and the school maintains “direct control” over the provider.  

In 1974, it was easy to maintain direct control over entities because there was no internet.

Today, schools increasingly rely on Ed Tech platforms to provide digital learning, pursuant to an electronically signed agreement, hosted by a nameless/faceless server, somewhere in the ether. Yet the law has barely changed since 1974. For example, the Department of Education (DOE) maintains that direct control can be established through use of a contract between the parties, despite the fact that online contracts and Terms of Service are often take-it-or-leave-it propositions that favor online services. In law, we called these “contracts of adhesion.” In Ed Tech advocacy, we call them data free-for-alls.

Given these concerns, in 2021 the Student Data Privacy Project (SDPP) helped parents from North Carolina to Alaska file access requests with their children’s schools under a FERPA provision mandating that schools provide parents access to their children’s PII. Most parents received nothing. Many schools seemed unable to get their Ed Tech providers to respond, and other schools didn’t know how to make the request of the provider.

One Minnesota parent received over 2,000 files, revealing a disturbing amount of personal information held by EdTech. How might this data be used to profile this child? And how does this comport with the FTC’s warning about retaining information only for as long as needed to fulfill the purpose of collection?

Despite this isolated example, most parents failed to receive a comprehensive response. As such, SDPP worked with parents to file complaints with the DOE in July 2021. As the one-year anniversary of these complaints draws near, however, the DOE has taken no substantive action. 

Ironically, in cases where the DOE sent copies of the parent’s complaint to the affected school district, the school’s response only bolstered concerns. One Alaska school district misapplied a Supreme Court case dealing with FERPA, asserting that “data gathered by technology vendors is not ‘educational records’ under FERPA” because the Ed Tech records are not “centrally stored” by the school. Ironically, that school attached its FERPA addendum to that same letter, which explicitly states that it “includes all data specifically protected by FERPA, including student education records, in any form.”

Unfortunately, this is indicative of widespread confusion by schools about applying FERPA to Ed Tech.

Yet parents have few options for holding Ed Tech providers accountable. Parents can’t sue Ed Tech because the schools have the direct contractual relationship. Parents can’t directly enforce FERPA because FERPA doesn’t offer a private right of action. Even state privacy laws are of little help when consent for sharing is given — and FERPA allows schools to consent on parents’ behalf.

There is some cause for hope. For example, President Biden’s March 1 State of the Union speech challenged Congress to strengthen children’s privacy protections “by banning online platforms from excessive data collection and targeted advertising for children.” And in January, Rep. Tom Emmer (R-Minn.) sent DOE a letter inquiring about the SDPP parent complaints. Most recently, we have the FTC’s warning to Ed Tech about protecting student data privacy. Beyond that, however, we’ve seen little progress, or action, by the government.

So here are three things that need to happen to hold Ed Tech accountable:

1. The FTC needs to enforce COPPA obligations on Ed Tech providers.
2. The DOE must enforce FERPA, compelling schools to hold Ed Tech vendors accountable.
3. Congress must update FERPA for the realities of the 21^st century.

A 50^th Anniversary is always a big occasion in a relationship, warranting a grand gesture to renew the commitment.

So what better gesture for the 50^th anniversary of FERPA in 2024 than for the government to renew its commitment to protecting the privacy of nearly 50 million students by enforcing the law and closing the gaps that have allowed Ed Tech providers to exploit children’s PII for their own profit, without oversight or accountability?

Joel Schwarz,J.D., CIPP, CDPSE, is a consultant and attorney specializing in privacy, cybersecurity, cyberintelligence and electronic surveillance. He previously served as the civil liberties and privacy officer for the National Counterterrorism Center and was a cybercrime prosecutor for the U.S. Department of Justice and the State of New York Attorney General’s Office. He’s also an adjunct professor at Albany Law School, teaching courses on cybercrime, cybersecurity and privacy. He is co-founder and board member of the Student Data Privacy Project.

Emily Cherkin, MA Ed, is a former educator, a parent, an activist, and The Screentime Consultant. She co-founded the Student Data Privacy Project. Her work has been featured on The Today Show, Good Morning, America, The New York Times, and The Washington Post.