Myths in student privacy and advertising
Editor’s note: Brendan Desetti of SIIA responds to a recent report from the National Education Policy Center called “Learning to Be Watched: Surveillance Culture at School.” A story about the report appeared in EdScoop on Thursday.
In making claims about how student data is being protected, NEPC’s report conflates the issues of student data privacy and advertising. The truth is that strong, multi-layered protections now exist to protect student information and ensure it is used only for educational purposes. In addition, current law and subsequent regulation forbids the use of student information for targeted advertising.
In addition to the federal protections under the Family Educational Rights and Privacy Act (FERPA), the Children Online Privacy Protection Act (COPPA), and the Protection of Pupil Rights Amendment (PPRA), the last several years has seen nearly 40 strong, new student privacy laws enacted around the nation.
In addition, nearly 270 companies have signed the Student Privacy Pledge detailing the privacy protections available to all students. The pledge is not only enforceable by the Federal Trade Commission, as the NEPC report notes, but also by state attorneys general in any state with a deceptive practices statute. The FTC has a strong history of enforcement actions against companies violating privacy policy.
Concern that current law and practice allow targeted advertising by service providers to students is entirely unfounded. FERPA has always prohibited school service providers from utilizing student information for targeted advertising. The U.S. Department of Education even went further in clarifying this prohibition:
“Under FERPA, the [educational technology provider] provider may not use data about individual student preferences gleaned from scanning student content to target ads to individual students for clothing or toys, because using the data for these purposes was not authorized by the district and does not constitute a legitimate educational interest as specified in the district’s annual notification of FERPA rights.”
The school official exemption under FERPA does not give any school service provider carte blanche to use student data as they please. Schools may only disclose student information to a provider under the school official exemption if the provider “performs an institutional service or function for which the school or district would otherwise use its own employees.”
Providers under this exemption are contracted for specific purposes and are under the direct control of the district. They cannot use the information collected for purposes not related to providing the service to the school. Here’s what the department has said about the school official exemption:
“Any PII from students’ education records that the provider receives under FERPA’s school official exception may only be used for the specific purpose for which it was disclosed (i.e., to perform the outsourced institutional service or function, and the school or district must have direct control over the use and maintenance of the PII by the provider receiving the PII). Further, under FERPA’s school official exception, the provider may not share (or sell) FERPA-protected information, or re-use it for any other purposes, except as directed by the school or district and as permitted by FERPA.”
The use of de-identified and aggregate information by schools, researchers and service providers is appropriate and necessary in order to, among other things, understand how federal, state, and local programs are performing, how a product is being utilized and can be improved, and how students in general are performing. Policies should continue to protect student information but not tie our classrooms to the past.
Brendan Desetti is the director of education policy for the Software & Information Industry Association.