Though they are not perfect, there are several laws that protect student data when schools issue devices or use educational software.
Below is an overview of key laws at both the federal and state level. Additionally, the Center for Democracy & Technology has compiled a state-by-state survey of student privacy laws (current as of October 2016) available to download here.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal law that applies to districts and schools that receive federal funding. It forbids schools from disclosing student information without parental consent, but it has limitations: it only applies to certain types of student information and there are exceptions which can be exploited. The law is enforced by the U.S. Department of Education, which can cut off funding to noncompliant schools.
FERPA protects students’ “education records” including personally identifiable information. The law also protects information about students’ online activity when they are using school-issued devices, when that information is tied to personally identifiable information; according to the U.S. Department of Education, FERPA protects behavioral “metadata” unless it has been “stripped of all direct and indirect identifiers.”
FERPA generally prohibits school districts from sharing student information with third parties without written parental consent. Sometimes school districts use a loophole in the law to get around the parental consent requirement by characterizing educational software companies as “school officials.”
However, the school official exception is only applicable to a contracting company if specific conditions are met:
- The school district may only share student information without written parental consent with a contractor who has been determined to serve legitimate educational interests. A school district must articulate specific criteria in its annual notification of FERPA rights and a contractor like Google must meet those criteria.
- A contractor may receive student information without written parental consent if the company is under the direct control of the school district with respect to the use and maintenance of education records. Usually this requires very specific contract terms between the school district and the company.
- A contractor cannot use student information for any other purpose than the purpose for which it was disclosed by the school district. Again, this usually requires very specific contract terms that limit what data the contractor may collect from students and how it may use that data. The contract should also clarify the interaction between its terms and the company’s general Terms of Service and Privacy Policy.
- The contractor must perform an institutional service or function for which the school district would otherwise use employees.
Children’s Online Privacy Protection Act (COPPA)
COPPA is a federal law that applies to online companies. It is enforced by the Federal Trade Commission.
COPPA requires companies to obtain “verifiable parental consent” before collecting personal information from children under 13 for commercial purposes. Personal information can include traditional personally identifiable information such as a child’s name or contact information, as well as online behavioral data, that is, what a child does online.
A key question in the education context is whether a school district can provide consent to collect student data to a company on behalf of the parents, or whether the company must get consent directly from the parents.
The FTC made clear that if “an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, it will need to obtain parental consent.”
Specifically, a school district should ask: “Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service?” If the answer to these questions is “yes,” the district “cannot consent on behalf of the parent.”
When students are logged into Google and navigate outside of Google Apps for Education, it is likely that Google collects student behavioral data to serve them ads within non-GAFE Google services such as YouTube or on third-party websites that use Google’s ad services. Thus, a company like Google must obtain consent directly from parents to collect and use the personal data of students under 13.
Student Online Personal Information Protection Act (SOPIPA)
SOPIPA is a California law that will go into effect in 2016 and applies to companies that provide online services for K-12 students. It protects not only traditional personally identifiable information such as name, birthdate and student ID number, but also online behavioral data such as “search activity.” It may be enforced by the California Attorney General (and possibly also private citizens if they can show monetary loss) under Business & Professions Code § 17200.
SOPIPA includes important privacy protections for K-12 students, but it also includes significant loopholes.
Among other things, the law prohibits a company from engaging in targeted advertising on its own website or any other website “when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired” from a student’s use of the website. A service provider also may not “use information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a K–12 student except in furtherance of K–12 school purposes.”
In short, that means online service providers for schools, like companies offering special educational software, can’t create a shadow profile or target students for reasons other than the actual educational services.
But there are some loopholes. SOPIPA expressly “does not apply to general audience Internet Web sites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s site, service, or application may be used to access those general audience sites, services, or applications.”
Thus, SOPIPA prohibits a company like Google from serving targeted ads within Google Apps for Education (which it has already said it has stopped doing) and from serving targeted ads through its DoubleClick ad network on third-party websites based on student behavioral data obtained from the use of Google Apps for Education. But when students are logged into Google and navigate outside of the education apps, SOPIPA likely permits the company to collect student behavioral data for a variety of purposes, including serving ads.
SOPIPA may also allow Google to collect a broad array of browser data when students are logged into the Chromebook (i.e., Chrome OS/Chrome browser). The law defines “operator” as an operator of “an Internet Web site, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes.” It is not clear if a device or browser fits into this definition.
California Constitution
The California Constitution arguably requires public school districts to provide parents and their children the opportunity not only to opt out of any classroom technology use that implicates the privacy of students, but also to provide alternative accommodations so students can benefit from technology in the classroom without giving up their privacy. The California Supreme Court held in Butt v. California, 4 Cal. 4th 668, 680 (1992), “California has assumed specific responsibility for a statewide public education system open on equal terms to all.”
Specifically, the California Constitution guarantees both the right to privacy and the right to an education:
“All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
“A general diffusion of knowledge and intelligence being essential to the preservation of the rights and liberties of the people, the Legislature shall encourage by all suitable means the promotion of intellectual, scientific, moral, and agricultural improvement.”