Editor's note: The author of this article is one of the project leaders for the Student Data Privacy Project.
On July 9, parents of school children across the U.S., in collaboration with the Student Data Privacy Project, filed more than a dozen complaints with the U.S. Department of Education alleging violations of the Family Educational Rights and Privacy Act when schools share children’s data with educational technology providers.
FERPA was passed in 1974 by the 93rd Congress, almost two decades before the internet. At that time, the personal computer was merely a dream of 19-year-old Bill Gates and educational technology meant calculators and mimeograph machines. It was during a time no one could have foreseen today’s digital advancements in the classroom.
Even before the pandemic, parents were increasingly concerned about the use of tech in schools and the personally identifying information ed tech providers collect, process and share courtesy of public schools.
Although FERPA limits access to and disclosure of student PII with parental consent (for students under 18), there are a number of exceptions that circumvent parental consent. One such exception — probably the most often used — is the "school official exception," which permits schools to outsource educational services and functions to third parties provided:
- The third party performs a service or function for which the school would otherwise use its own employees.
- The third party is under “the direct control” of the school.
- The third party uses the student’s PII for only educational purposes.
- The school provides annual notice to parents of this sharing.
Unfortunately, like the rest of FERPA, the “school official exception” is outdated. In 1974, third parties usually provided their services in person or onsite, making it relatively simple to maintain “direct control.” Today, ed tech providers offer services remotely, gathering enormous amounts of data, often without anyone’s knowledge.
Likewise, using a contract as the primary means of maintaining “direct control” over third parties made sense in 1974. That’s not true today when large, faceless ed tech providers offer schools non-negotiable contracts of adhesion, replete with boilerplate language that enables them to utilize students’ data in ways that benefit the companies but aren’t in students’ best interests.
Realistically, can a small school district in upstate New York truly hope to exercise meaningful control over a company with the size, power and resources of a multinational tech giant? Yet schools often contract with a number of these ed tech providers, not to mention hundreds of smaller companies, under the false assumption of direct control. Even before the pandemic, the average U.S. school used 400 to 1,000 online tools, according to the Student Data Privacy Consortium, each of which is required to exercise direct control over.
Yet the DOE still presumes a school meets the “direct control” threshold so long as there’s a contract, regardless of how onerous and one-sided it might be; even a unilateral “terms of service,” which reserves virtually all rights to use the data as the ed tech provider sees fit, suffices under this interpretation.
This has resulted in ed tech providers operating on autopilot, vacuuming up student PII at will, with an estimated 67% of public schools sharing children’s personal data with third-party advertising and analytics companies.
In light of these concerns, the Student Data Privacy Project was formed, organizing parents around the country to request access to the data and metadata held by their schools’ ed tech providers. Unsurprisingly, not a single request resulted in securing all of the information collected by ed tech providers. In many cases, no information was provided.
For example, my school district — Montgomery County, Maryland — offered to provide me with the login ID and password to my children’s accounts. But this is highly insufficient because logging in to a user account will not reveal what a provider has collected and saved or retained on my child, such as keyword searches, accounts interacted with and other metadata. Yet, it’s clear from the DOE’s guidance metadata is covered by FERPA and must be provided in response to a FERPA access request. While my school district eventually sent some records relating to my child — in July, approximately eight months late under FERPA — tellingly, those records still didn’t contain any of the information held by the school’s ed tech providers.
And yet, this is not an isolated result. In SDPP's experience, schools across the U.S. were unable or unwilling to provide access to student records held by ed tech providers, while they simultaneously allowed ed tech providers to access and use students’ PII in ways inconsistent with students’ privacy rights.
According to an audit performed of a sampling of applications used by schools implicated in our complaints by the Me2B Alliance — a nonprofit focused on independent testing of websites, applications and devices — almost 70% of used software development kits posed a “high risk” to student data privacy and almost 40% were rated “very high risk,” meaning the code was associated with registered data brokers.
So, what’s the solution? In the SDPP’s opinion, the DOE must exercise the enforcement and oversight authority granted to them under FERPA and issue policy or guidance explicitly clarifying:
- When schools disclose student PII to ed tech providers and allow those providers to collect information from or about a student, the school is responsible for providing that data to the parent pursuant to a FERPA access request.
- In order for schools to exercise direct control over ed tech providers, they must conduct regular compliance audits and spot checks of providers’ access, use and disclosure of student PII, and publicly post the results of those audits for transparency, taking prompt action to remedy any violations identified.
- FERPA covers metadata, and thus schools and ed tech providers must provide access to all this data upon receipt of a FERPA access request.
To be clear, SDPP’s goal is not to end ed tech in schools; that ship has already sailed. The goal is for schools to exercise effective, meaningful and transparent control over their ed tech providers. In the end, DOE guidance, coupled with enforcement against noncompliant schools, will necessarily result in schools using a smaller number of ed tech providers, for which they will then have the time and resources to exercise real and effective control and oversight. This, in turn, should result in a net improvement for student data privacy across school systems and the country.
Photo by Jeffrey Hamilton on Unsplash