Addressing one of the more controversial and complex issues in the U.S. privacy landscape, a U.S. House of Representatives committee conducted a hearing Thursday on how to improve existing federal student privacy law, featuring testimony from industry, academia, advocacy and school practitioners. Overall, there appears to be bipartisan support for updating the 40-year-old legislation, called for by President Barack Obama in his recent privacy initiative, and even interest from other non-committee members who took part in the hearing, but the devil remains in the details.
At issue is the 1974 Family Educational Rights and Privacy Act (FERPA), the rapidly developing education technology industry and whether the statute is equipped to deal with 21st century digital issues.
“Educational technology and data use are transforming U.S. education,” said Fordham University Law Prof. Joel Reidenberg, who testified on FERPA last summer as well. “At the same time, the scope of data collection is massive and privacy laws simply aren’t working.” As the main U.S. privacy law protecting student privacy, FERPA “desperately needs updating for the 21st century,” he added.
Microsoft Director of Education Policy and Programs Allyson Knox said Microsoft believes students and parents own their data and that it's important for industry to be transparent about how they use data to decrease fear and increase trust.
That trust is being eroded, and Knox warned that states are stepping in to fill gaps left by FERPA—including more than 100 bills introduced in 32 states—potentially creating a patchwork of laws across the country. She also highlighted industry’s involvement in the Student Privacy Pledge to help engender transparency and trust for parents and schools alike.
Yet, there was disagreement on whether the pledge is enforceable. Knox said signatories to the pledge would be liable under Section 5 of the FTC Act for deception if they did not adhere to its tenets. Calling the pledge “terrific,” Reidenberg countered, however, that it may be difficult to prove deception and that the FTC has limited resources in a landscape that has thousands of edtech companies.
Reidenberg listed three main areas in which the federal statute needs improvement: FERPA’s scope is outdated, narrowly defines educational records and fails to cover third-party data collection of student activities, metadata and habits. Since FERPA is a financing statute, the vendor community has no statutory obligations and schools are often placed in difficult positions because they are under FERPA’s scope but often do not have legal counsel to help them navigate complex vendor relationships.
FERPA’s approach is also outdated, according to Reidenberg, as its focus is on confidentiality and access. The digital landscape, he argued, requires a data-use approach, similar to the Fair Credit Reporting Act, that identifies permissible uses of student data. “I don’t think our children should be required to subsidize private commercial gain to get an education through their information being monitored and used,” he intoned.
Plus, FERPA is “essentially unenforceable,” he said. The U.S. Department of Education has never used the “nuclear option” of withdrawing a school’s funding and, at the same time, parents have no means of redress if they are victimized by a violation. Instead, Reidenberg suggested the need for graduated fines and sanctions based on the transgression. State attorneys general should also be granted enforcement authority, he said, and state departments of education should have chief privacy officers.
However, Calcasieu Parish Public Schools Chief Technology Officer Sheryl Abshire warned against Congressional overreach. “I encourage Congress to ensure that school districts must lead efforts to protect student privacy,” but congressional efforts should not place an extra burden on those districts. “Please do not overreach,” she intoned, “Instead take a balanced approach.”
A proscriptive regulation may not allow for the varying contexts in which student data is gathered, for example. National Parent Teacher Association Vice President for Advocacy Shannon Sevier made this point. Does the school cafeteria need to do a biometric scan on a student in order to deliver school lunch? No. But, she pointed out, biometric data could provide valuable insights and benefits for a student undergoing speech therapy.
“Congress has to update FERPA,” Reidenberg said, “so that it matches what will be happening in the school communities. Otherwise, parents will not have trust and there will be a constant struggle between the communities and the schools and the educators and national education policy.”
If you want to comment on this post, you need to login.