Student Privacy Bill Splits Observers

The bill is “a welcome change” from existing, nonbinding Department of Education (DOE) data privacy guidelines, said Khaliah Barnes, director of the Electronic Privacy Information Center’s (EPIC) Student Privacy Project. Others, like Data Quality Campaign (DQC) Director of Federal Policy Kristin Yochum, see those guidelines “as a foundation” upon which individual states, not the federal government, should “build up their privacy house,” she said. Markey and Hatch tweaked some language in the bill’s discussion draft (WID May 15 p11) based on concerns from DQC and the Software & Information Industry Association (SIIA), but was unable to get their support for the final draft, said representatives from both groups. “We want to make sure there’s no new legislation that gets ahead of any perceived problem,” said SIIA Senior Director-Education Policy Mark Schneiderman.

The Protecting Student Privacy Act limits third-party student data collection, use and retention (http://1.usa.gov/1obyAzv). It focuses on data security and the use of student data for marketing purposes, pleasing privacy advocates and raising concerning among industry groups about unintended consequences. The Family Educational Rights and Privacy Act (FERPA) outlines student data privacy requirements, a framework that industry and some education officials see as adequate, but that privacy advocates argue is insufficient and unclear (WID Feb 26 p7). DOE, which neither supports nor opposes the bill, recently updated its guidance on handling student data in compliance with FERPA (http://1.usa.gov/Ozw38T) (WID Feb 25 p6). “We appreciate and share the senators’ commitment to student privacy, and look forward to working with Congress to continue to protect student privacy,” emailed DOE Press Secretary Dorie Nolt.

The bill strengthens and clarifies DOE’s guidelines with the force of law, said Barnes. “It goes further than the guidance.” Barnes pointed to the bill’s strict prohibition on using student information for advertising or marketing purposes. DOE’s guidelines allow use of certain types of non-personally identifiable information (PII) for general -- not targeted -- “to create new products and services that the provider could market to schools and districts” (http://1.usa.gov/Ozw38T). Barnes argued the direct prohibition in the Markey-Hatch bill is a needed addition to FERPA, which doesn’t specifically address marketing.

"There’s no way to say marketing is an approved way to use data,” Yochum said. “There’s no way to squint and look ... and say maybe marketing could be there.” Schneiderman echoed Yochum. “We believe that it’s clear in the current law,” he said. “I'm not sure what clarity [the new bill] brings.” Having a direct prohibition on the books is “especially important because students don’t really have a choice in the platforms used in the classrooms,” said Barnes. “When your school mandates a certain provider, it shouldn’t necessarily come at the cost of student privacy.”

Limits on Schools?

The specific marketing prohibition could limit schools’ technology choices and risks misinterpretation, Schneiderman said. Schools analyze collected data to determine which products are best suited for various subjects and students, he said. “Down the road somewhere, this could be interpreted as marketing because your recommendation engine is pointing to a certain resource,” he said. “We have concerns about hampering our ability to use evolving technologies to create a customized student learning environments."

Even basic services -- transportation providers, cafeteria services -- rely on large amounts of data, Yochum said. “When you pass legislation that uses terms like vendors very broadly, there could be unintended consequences for other vendors that need information to do their job.” The bill clumsily handles the issue of data deletion, Schneiderman said, potentially crippling other necessary services. The law’s wording -- PII data must be “destroyed when the information is no longer needed for the specified purpose” -- has some companies “concerned they could wind up deleting data they're not supposed to,” he said.

State legislatures and attorneys general have been moving on student data privacy in recent months. In 2014, 36 state legislatures introduced 110 bills on the issue, and 28 became law, said Yochum. But observers viewed local activity differently. To Barnes, the state movement shows “student privacy is really now part of the national dialogue.” The heightened focus gives the Markey-Hatch measure a chance in the legislatively-challenged Congress, she said. To Yochum, the plethora of local bills shows states are “seriously” handling the problem in a way “that best responds to the needs and concerns of their citizens.” Federal legislation might impede or supercede local progress and restrict the ability of state education agencies to go after third parties for improperly handling student data, she said.

FERPA includes strict sanctions for vendors that misuse student data, Yochum said. Under the law, if DOE’s Family Policy Compliance Office concludes a third party “improperly rediscloses personally identifiable information from education records,” the local institution that shared the data can restrict the company’s access to data for at least five years (http://bit.ly/1qSnJxF). Such a restriction “could be devastating to a company,” Yochum said. “That’s actually a really huge punishment to level against a private vendor."

Vendor Oversight

Yochum worried the Markey-Hatch effort might sap some of that local power over vendors. The bill is trying to find a “workaround” to impose federal penalties on vendors, Yochum said. That’s tough, she said -- FERPA is an appropriations law, unlike another prominent Markey bill, the Children’s Online Privacy Protection Act, which authorizes the federal government to bring legal action against vendors that run afoul of the law. Hearing these concerns, lawmakers tweaked some language between the discussion draft and final offering, but not enough to get SIIA and DQC onboard, Yochum said. “There were some improvements,” said SIIA’s Schneiderman. “But our bottom line position is we don’t believe additional legislation is needed."

But Barnes wondered if DOE is assertive enough in its investigations of data misuse, which is needed to empower local punishment. EPIC filed a Freedom of Information Act request in April for documents about DOE investigations of FERPA violations (http://bit.ly/UZeykJ). Initial returns “reveal that schools and districts have disclosed students’ personal records without consent, possibly in violation of” FERPA, said an EPIC blog post (http://bit.ly/1pWhZRE). Barnes said: “What we've seen is the Education Department hasn’t been really investigating FERPA violations.” She said EPIC expects to receive more documents in the coming months, and hopes Congress will examine how DOE uses enforcement powers.

While Yochum and Schneider would prefer to work on raising industry’s privacy self-regulation standard, Barnes thinks the Markey-Hatch bill is just the start of the needed congressional fixes. But FERPA’s definition of “education record,” the same one used in the Markey-Hatch measure, is not appropriately inclusive, Barnes said. “The elephant in the room is a lot of the personally identifiable information education companies collect isn’t coming from education records.” The growth of education apps and online education services generates robust data often falling outside of the traditional definition of “education record” (WID Jan 15 p7).

A recent House hearing on the issue (WID June 26 p8) and the bipartisan nature of the bill show lawmakers can move on the issue, Barnes said. At the hearing, lawmakers on both sides of the aisle agreed Congress should move on legislation. “There’s an interest in tackling what does it mean to be an education record,” said Barnes.