WASHINGTON — When the educational company ConnectEDU filed for bankruptcy about a year ago, it tried to do what any business would — sell off its most valuable asset: student data.
Millions of students submitted personal information such as email addresses, birth dates and test scores to the college and career planning company.
Some student educational records are protected through the Family Educational and Privacy Rights Act, or FERPA. Originally signed into law in 1974, FERPA essentially protects the records schools collect on students and gives parents certain oversight and disclosure rights.
The growing influence of technology in classrooms and in administrative data collection, though, is making FERPA out-of-date.
Teachers, students and parents now routinely submit information to educational services companies, such as ConnectEDU. FERPA does not regulate how these companies use that data. And there is no other federal law that does. The companies’ own privacy policies are the only limit to what the companies can do with the information users provide.
The concern is that ConnectEDU may not be the only education technology company that is trying to sell its data to third parties.
ConnectEDU’s databases, for example, were filled with students’ personally identifiable information including names, birthdates, email addresses and telephone numbers. The sale of that information to other companies is not regulated.
In order to make FERPA up-to-date, President Barack Obama, in conjunction with partners in the private sector, called for a legislation to establish a national standard to protect students’ data in January.
“It’s pretty straightforward,” Obama said in a speech at the Federal Trade Commission. “We’re saying the data collected on students in the classroom can be used for educational purposes — to teach our children, not to market to our children. We want to prevent companies from selling student data to third parties for purposes other than education. We want to prevent any kind of profiling about certain students.”
Dubbed the Student Digital Privacy Act, the White House’s plan is loosely based on a 2014 California law that prohibits third-party education companies from selling student information. While other states have laws regulating and increasing the transparency, regulation and collection of student data, the California law seems to be the most far-reaching.
Because FERPA doesn’t cover third-party use, some private sector leaders have taken a vow to establish clear industry standards for protecting student data through the Student Privacy Pledge.
Created by the Future of Privacy Forum and the Software and Information Industry Association in the fall of 2014, Obama mentioned the pledge as an encouraging sign for the protection of student information.
“I want to encourage every company that provides these technologies to our schools to join this effort,” Obama said. “It’s the right thing to do. And if you don’t join this effort, then we intend to make sure that those schools and those parents know you haven’t joined this effort.”
So far, 123 companies have signed the pledge, including tech and education giants such as Apple, Microsoft, Google and Houghton Mifflin Harcourt.
“There was a lack of awareness, information and understanding about what school service providers did and didn’t do with data and what the laws required and allowed,” Mark Schneiderman, senior director of education policy at SIIA, said. “Rather than waiting for public policy and public debate to play itself out, we figured, let’s just step in and make clear that the industry is supporting schools, is using data only for school purposes, not selling the data, not doing other things that there was a perception out there that maybe [companies were doing].”
The National Parent-Teacher Association and other groups support the pledge, according to Schneiderman.
“It is imperative that students’ personal informational formation is protected at all times,” the National PTA wrote in a statement.
The companies that signed the pledge are not subject to any policing body, but by signing the pledge they show consumers their commitment to student privacy, Schneiderman said.
But many notable educational technology companies, like Pearson Education, have not signed the pledge. Pearson was recently the subject of a POLITICO investigative report that revealed that the company’s use of student data was unmonitored.
According to the report, Pearson claims it does not sell the students’ data it collects.
The College Board, ACT and Common Application are often viewed as integral to the college admissions process, but are also not included in the pledge.
Instead, these education companies point consumers to their privacy policies, which can often be difficult to understand because of the legal jargon and ambiguous terms.
Some groups such as the Parent Coalition for Student Privacy think the pledge and the privacy policies aren’t enough.
“We also need strong enforcement and security mechanisms to prevent against breaches,” Leonie Haimson, one of the group’s co-chairs, said in a statement responding to Obama’s speech. “This has been a year of continuous scandalous breaches; we owe it to our children to require security provisions at least as strict as in the case of personal health information.”
Out of the 12 commitments listed in the pledge, only one deals with preventing leaks or breaches.
The signees must “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks,” the pledge states.
Haimson said the policies are a decent start, but do not go nearly far enough in protecting educational data.
Regardless, a bill for a comprehensive national standard has yet to be introduced despite the White House’s push.
In early February, though, the White House said that it had been working closely with Republican Rep. Luke Messer of Indiana and Colorado Democrat Rep. Jared Polis to introduce a bipartisan bill to Congress.