Schools have become “soft targets” for companies trying to gather data and market to children because of the push in education to adopt new technology and in part because of the rise of computer-administered Common Core tests, according to a new annual report. 

The report, titled “Learning to be Watched: Surveillance Culture at School” and published Tuesday by the National Center for Education Policy at the University of Colorado at Boulder, is the 18th annual report about  schoolhouse commercialism trends.

It says student privacy is increasingly being compromised by commercial entities that establish relationships with schools — often providing free technology — and then track students online and collect massive amounts of data about them. Then they tailor their advertising to keep the young people connected to them. One important consequence, the report says, is that children who are subjected to “constant digital surveillance and marketing at school” come to accept as normal that corporations play a big role not only in their education but in their lives.

The report says:

Schools have proven to be a soft target for data gathering and marketing. Not only are they eager to adopt technology that promises better learning, but their lack of resources makes them susceptible to offers of free technology, free programs and activities, free educational materials, and help with fundraising. Schools are under relentless pressure to make ever greater use of technology. Our techno-friendly zeitgeist embraces and celebrates the rapid proliferation of education technology in every corner of our lives. In school, teachers are encouraged to integrate technology into their lessons and homework, and to rely on computerized student performance data as a diagnostic tool. State and federal laws now require that schools do extensive data reporting; in addition, the Common Core testing regime requires students to take computerized tests—and therefore to be computer-competent before they approach the tests.

Although some parents try to resist the collection and use of data about their children, the ubiquity of computers makes it easy for children and their parents to accept “constant data gathering and attendance surveillance of children” — and few look through the companies’ “long paragraphs of legalese” to understand what is really going on. Americans are, the report says, “to some extent being socialized to ignore and tacitly accept the collection, organization, and sale of information about us.”

The report notes that industry officials say that there is no danger to student privacy because much of the data being collected is not directly identified with a particular student. But, it says, “even if companies anonymize student data for security or marketing purposes, however, students’ personally identifiable information (PII) may not be fully or permanently protected.”

Why does this matter? Aside from privacy issues, the report says, marketers can influence the way young people think, feel and behave with data they collect online. It says:

Although companies that collect, sell, analyze, and buy data may not know children’s names (though they probably do), that hardly matters if they have the information and tools necessary to model everything about those children — including their interests, social networks, personalities, vulnerabilities, desires, and aspirations — and if they have personalized access to children, via their electronic devices, to shape them. By feeding children ads and other content personalized to appeal specifically to them, and also by choosing what not to show them, marketers influence children’s thoughts, feelings and behaviors. As they do, they also test, adjust, and perfect their models of influence — and then track and target some more.
Food products are not only the most marketed products to children in school, but they are also highly marketed products to children online. The food industry leads the way in developing techniques to market its products to children, particularly foods high in fat and sugar and low in nutrition, which lead to obesity, metabolic syndrome and other illnesses. The threats that over-consumption of such foods pose to children’s health also include higher cholesterol levels and blood pressure, greater incidence of type 2 diabetes, coronary plaque formation, several types of cancer, bone and joint problems, sleep apnea, gout, gall-stones, and a shorter life expectancy. Additional medical implications continue to be revealed; for example, type 2 diabetes progresses more rapidly in obese children than it does in adults, and typical treatment fails to slow it. Consequently, obese children are at risk for such complications as heart disease, eye problems, nerve damage, amputations, and kidney failure much earlier in life than people who become diabetic as adults.
In addition to threatening their physical well-being, marketing disposes children to a variety of psychological ills: heightened insecurity about themselves and their place in the social world, displacement of values and activities other than those consistent with materialism, and distorted gender socialization. Especially for adolescents, who are even more likely than younger children to be online as part of their schoolwork, marketing exploits psychological vulnerabilities—in particular, their reduced ability to control impulsive behaviors and to resist immediate gratification—and capitalizes on their susceptibility to peer influence and image advertising. Because of its specificity and omnipresence, targeted digital marketing to children, like “consumer culture on steroids,” amplifies these threats.

The report says Google and Facebook are probably the largest companies that data mine in schools, and they also spend a lot of money to lobby lawmakers “to keep regulation at bay.”

In 2013, Advertising Age noted that Google and Facebook, “two of the most pervasive digital-data collectors,” significantly increased their lobbying expenditures between 2011 and 2012 — to $19.6 million for Google  and $4.6 million for Facebook in 2012. … According to one Google blog post, it reaches “more than 30 million students, teachers and administrators globally” via its Google Apps for Education (GAFE).

There are several federal laws that are meant to address student privacy: the Family Educational Rights and Privacy Act, known as FERPA; the Children’s Online Privacy Protection Act, known as COPPA, and the Protection of Pupil Rights Act. Each has significant weaknesses, the report says, which leave younger children and teenagers open to having their student records disclosed to commercial entities without parental consent.

Most of the laws dealing with study data apply to the disclosure to third parties of personally identifiable information. There is a voluntary Student Privacy Pledge that businesses can take, but there is no assurance that digital data will not be sold to advertisers or that companies won’t track students’ online behavior.

It is important to understand why the federal laws don’t do a complete job of protecting student privacy. The report notes:

FERPA, which applies to almost all public and private schools, provides the primary set of regulations governing student privacy in the U.S. Any agency or institution that violates FERPA regulations loses eligibility for federal funds. However, FERPA’s scope is limited to “educational records”; the legislation does not protect such items as data collected by education websites or digital “pupil-generated content” (such as essays), unless PII is included in that information.
Moreover, several FERPA exceptions allow student records to be disclosed to certain parties or under certain conditions without parental consent. The most significant exception is that without consent, school officials may release student records for any educational purpose they deem legitimate, as when an organizations is conducting studies for or on behalf of a school; records are also available to authorized representatives of the U.S. Comptroller General, U.S. Education Secretary, or state educational authorities.
Changes to FERPA in 2008 and 2011 expanded the definitions of both school officials and authorized representatives. In one of the most important changes, the U.S. Department of Education now considers “school officials” to include “contractors, consultants, volunteers, and other parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform.”
This change has far-reaching implications for student privacy. For example, when school leaders sign a contract to use Google Apps for Education (GAFE), they assign Google the authority of “school official.”  The Department also considers “authorized representatives” to be any individuals or entities that local or state educational authorities, U.S. Secretary of Education, or U.S. Comptroller General select as an authorized representative. As a result of these changes, schools may now provide data to private companies without parental consent. Significantly, these private companies are not named “partners,” but rather “school officials” or “authorized representatives.”
The Children’s Online Privacy Protection Act (COPPA), which applies to children under the age of 13, requires companies to obtain parental consent before they can collect personal information from children for commercial purposes.  In December 2012, the Federal Trade Commission (FTC) expanded several definitions under COPPA, increasing protection of children by accounting for new tracking technology.  While these changes are significant, the law does not apply to teens. Teens are especially at risk because they are online more than young children both in and out of school, and also because developmentally they are particularly susceptible to targeted marketing.
Although it may be impractical or impossible to impose a parental approval requirement for teens’ online activity, teens’ personal information needs to be safeguarded as carefully as younger children’s. Jennifer Harris and her colleagues at the University of Connecticut’s Rudd Center for Food Policy and Obesity have argued, for example, that children need policy protections from unhealthy food marketing at least until the age of 14.
When a school is using an educational application that involves collection of student data, an important question for districts is whether school personnel can provide consent to a company on behalf of parents, or whether parents themselves must provide consent. If a vendor intends to use or share student information for commercial purposes unrelated to the school or district’s educational purposes, then COPPA requires direct parental consent.
Finally, the Protection of Pupil Rights Act addresses consent in relation to the collection, disclosure, or use of personal student information for marketing purposes or as a product (a data set) for sale to others.  It allows schools and districts to participate in gathering student information for marketing purposes, but it requires them to tell parents they are doing so and to allow parents to view the data collection instruments and/or opt their children out.

Here is the executive summary, with recommendations:


And here’s the full report: