Every week this fall, we’re covering technology and education. Because Monday mornings are way more complicated than they used to be. One question we’ve gotten a lot is what all this tech means for privacy, how much data is being collected and how it’s being stored and used.
Well, the good news is there are rules. Lots of them. At the federal level, there’s the Children’s Online Privacy Protection Act, COPPA, and the Family Educational Rights and Privacy Act, FERPA. There are also over 100 state laws dealing with student privacy. But the bad news is, not everyone knows about them.
I talked with Amelia Vance of the nonprofit Future of Privacy Forum. The following is an edited transcript of our conversation.
Amelia Vance: It’s pretty locked down. You had a lot of fears as edtech was spreading in schools back in 2014, 2015. Thousands of student privacy bills have been introduced. These bills ended up restricting companies from selling or sharing without consent or targeted advertising, or really doing anything with student data that parents and policymakers wouldn’t approve of. But there are still some tensions there. When a company isn’t for education, and data is shared with it — they’re not covered by the student privacy laws.
Molly Wood: It sounds like you’re describing a system of laws that really could be effective, assuming, basically, transparency and enforcement. So do we have those two things?
Vance: I would say we’re definitely, not quite drowning, but we’re certainly inundated with student privacy laws and protections here. Most people don’t know about them. There was a great survey that Common Sense Media did a couple of years ago, that said only 25% of teachers had been trained on student privacy, and many of the laws that have passed aren’t necessarily passed down to the school districts who are supposed to enforce them.
Wood: What do you worry about, with respect to the data collection around kids?
Vance: Where I get really worried is where there’s weak security and there might be data breaches. These aren’t sort of the data breaches that we often see reported where it’s identity theft or something like that. Instead, we see the possibility of sensitive information about someone, that they just don’t want future employers or their future college or even their peers or other parents to know about. Things like disciplinary history, health issues, special education status. We know from research that the number one thing that kids care about when it comes to privacy is that interpersonal privacy, you know, keeping their business their business.
Related links: More insight from Molly Wood
Did you want to learn more about FERPA? Of course you do! Here’s the Student Privacy Compass (formerly known as FERPA Sherpa), an education privacy resource center website that Vance oversees.
And a little more of my interview with Amelia. Because there are a couple interesting wrinkles to this privacy conversation. One is education pods, where tech is being used on a much more ad hoc basis, and the rules aren’t being applied in the same way, if at all. A lot of those pods, and even some schools, are using tech products that aren’t strictly educational tech — they were intended for a commercial audience.
Vance: One big hole in those student privacy laws that I was mentioning is that they don’t cover non-education companies, even when those companies are being used in schools, unless there’s a special contract between the company and the school. And so when a foreign language teacher decides that kids better learn foreign languages by using an app that teaches them Italian or French, that app is for consumers. Generally, it’s not covered under the student privacy laws. Certainly the teacher, and the school, is still subject to FERPA. But that company doesn’t have any obligations, even if they are heavily marketing to schools. I think that’s probably the biggest loophole in these laws, and something I think is very important to close, especially as so many educators and so many parents are signing up for apps independently right now, without adequate privacy vetting.
Wood: Oh, that is a big deal. So if a school says, “all right, I’m going to start using this consumer app because it’s super useful, and it has served me a bunch of ads on Instagram saying it’s great for school,” what is the difference? How does a company or a product become specifically edtech versus general consumer?
Vance: So, they can opt into it. So, you have something like G Suite for Education, which was created, and is marketed, for schools, and has a special school terms of service, and is understood to be subject to those hundreds of laws I mentioned. They can have been originally designed for schools in the first place and be sort of that traditional education technology company. But you run into this weird fairness issue, and apologies if I’m going down a rabbit hole a bit here, where that foreign language app has no idea that teacher has had their students sign up to the app. So there’s an open question about, at what point do you cross a threshold that that company should be held liable for higher protections for children or student data, when they may or may not not know that children or students are using it?
Wood: That does indeed seem like a large loophole.
Vance: It gets tricky. And I mean, it’s also complicated by the fact that no matter what obligations are on the company, the school is still subject to FERPA, and so technically, the onus is on the school to not use those products. But, again, if you don’t have training, teachers won’t know that that’s even an issue, and they just want to do the best thing they can for their students.
Wood: Are there any recommendations for parents right now? It sounds like you’re really saying the parents and teachers kind of could use more awareness at a minimum, right?
Vance: Oh, absolutely. And especially in this emergency situation where we’re having so much happen so quickly, and where so many schools were involved in trying to go in-person and so there wasn’t perhaps as much attention paid to really educating and providing professional development on online learning for educators. So I would say, on the parent side, asking questions about privacy, asking, what is the district’s privacy vetting program for apps? What have they looked at? How are they going to use learning analytics, or other things to track attendance or student engagement? No parent wants to be surprised at that first report card when it says your child missed 10 days of school, and they’re like, “wait, what? They didn’t. What’s going on?” And so definitely asking those questions and moving privacy up the priority list. I also highly recommend that parents and teachers leverage existing resources and lesson plans for digital citizenship and literacy skills. Overwhelmingly, the data breaches that I talked about or other ways that children’s information gets online is because of human error. It’s the teacher or the student with the weak password, with “123456” or “password” as their password. So, by teaching students, and by, themselves, exercising good cyber hygiene, they can help them better protect that information and prevent the vast majority of privacy and security issues that come up.
The future of this podcast starts with you.
Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.
As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.