(Update: legislators did not introduce legislation on Monday as planned).
Two U.S. legislators are set to introduce a bill in the House that they say is aimed at limiting the way education technology companies can use data that they collect about students from kindergarten through the 12th grade. It’s called the Student Digital Privacy and Parental Rights Act, and its chief sponsors say it is meant to address a growing concern among students, parents and educators about the use of the oceans of data being collected about America’s young people. But a new analysis of the legislation, which you can read below, concludes that it doesn’t do much to protect the privacy of student data — and that it doesn’t stop the actual collection and mining of data by companies, which can use it to make money.
Student data privacy has become a big issue in the era of standardized testing, with education companies collecting a seemingly endless amount of information on public school students, some of it incredibly detailed.
Last year, a controversial $100 million student data collection project funded by the Gates Foundation and operated by a specially created nonprofit organization called InBloom shut down after concerns about privacy led states to withdraw. The information was to be stored in a data cloud that would hold incredibly detailed data points on millions of schoolchildren with the stated mission of allowing education officials to use the information to target educational support. Activists led by New York’s Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, raised alarms that InBloom could not provide a 100 percent guarantee that the data could be stored securely.
The House sponsors of the proposed bill are Rep. Jared Polis (D-Colo.) and Rep. Luke Messer (R-Ind.); Sen. Richard Blumenthal (D-Conn.) also is expected to introduce student privacy legislation. In February, the White House issued a statement about its efforts to improve data privacy that said it was working with these legislators on advancing student data privacy. Polis and Messer were expected to introduce the bill on Monday but did not; a spokeswoman for Messer said in an e-mail that a draft bill had been released and the sponsors were working on technical details before formally introducing it.
The draft Polis-Messer bill is called the Student Digital Privacy and Parental Rights Act. But Haimson said in a piece on the Student Privacy Matters Web site that the bill addresses virtually none of the concerns that parents have about what is being done with data about their children. She said:
“The bill doesn’t require any parental notification or consent before schools share personal data with third parties, or address any of the current weaknesses in FERPA. It wouldn’t stop the surveillance of students by Pearson or other companies, or the collection and sharing of huge amounts of highly sensitive student information, as inBloom was designed to do.”
“All the bill does is ban online services utilized by schools from targeting ads to kids – or selling their personal information, though companies could still advertise to kids through their services and/or sell their products to parents, as long as this did not result from the personal information gathered through their services. Even that narrow prohibition is incomplete, as vendors would still be allowed to target ads to students as long as the ads were selected based on information gathered via a student’s single online session or visit – with the information not retained over time.”
Rachael Stickland, Colorado co-chair of the Parent Coalition, said:
“The bill doesn’t bar many uses of personal information that parents are most concerned about, including vendor redisclosures to other third parties, or data-mining to improve their products or create profiles that could severely limit students’ success by stereotyping them and limiting their opportunities.”
Here are other weaknesses of the bill, as identified by Haimson and Stickland:
- Parents would not be able to delete any of the personal information obtained by a vendor from their children, even upon request, unless the data resulted from an “optional” feature of the service chosen by the parent and not the district or school.
- Vendors would be able to redisclose students’ personal information to an unlimited number of additional third parties, as long as these disclosures were made for undefined “K12 purposes.”
- Vendors would be able to redisclose an individual student’s de-identified or aggregate information for any reason or to anyone, without restrictions or safeguards to ensure that the child’s information could not be easily re-identified through widely available methods.