EdTech and Student Privacy Collide
It would be difficult to overstate the benefits that properly implemented education technology (EdTech) can bring to learning. In the classroom, EdTech holds the potential to improve teacher efficiency and effectiveness – to make learning more engaging for students by letting teachers adapt course content and pace to the needs of the individual student.
Out of the classroom, EdTech can bring education to tens of millions who would otherwise have no access to structured educational content or simply extend student engagement and learning beyond classroom hours.
EdTech is already well entrenched in the classroom, so it should come as no surprise that many teachers now consider EdTech indispensable. But EdTech does have its “dirty little secret,” and this secret relates to student privacy. Although there are EdTech apps and cloud services that ensure students’ personal information and educational records are properly secured, there are also many that do not.
“How can this be?” you might ask. Certainly, there are laws to ensure that this student data is protected. Well, yes, there are federal laws designed to protect student data: the Family Education and Privacy Act (FERPA), and the Protection of Pupil Rights Amendment (PPRA). In addition, the Children’s Online Protection Act (COPPA) — although not targeting students specifically, does offer protection for a sub-set of students — children under age 13.
The question is: How effective are these laws?
Due to their complexity, an in-depth analysis of these laws is beyond the scope of this post. Rather, I focus on one characteristic of these laws contributing to this student privacy exposure – the disconnect between control and responsibility. By this, I mean that the entity having control over how student data is used is, more often than not, not the entity legally responsible for ensuring that this data is used appropriately.
The Disconnect Between Control of Student Data and Responsibility
Take FERPA, for example. FERPA applies to the sharing of educational records by educational institutions with third-party service providers. FERPA applies to educational institutions, which are the recipients of federal funds administered under the Department of Education.
The sole recourse for failure to comply is that this federal funding can be withheld. Third-party service providers that the educational institutions share this student data with have no statutory obligations and are not subject to action under FERPA.
What this means is that it is the educational institutions that shoulder the full weight of liability under FERPA, in spite of the fact that they often lack real control over how student data is used. In theory, the educational institution retains this “control” through a contractual agreement with the service provider, which binds the service provider to the FERPA student data usage restrictions.
Unfortunately, in reality, the presence of this contractual control is the exception, not the rule.
From the key findings of the Fordham Law School study Privacy and Cloud Computing in Schools:
“Districts frequently surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information.”
Absent this contractual control, there is no legal recourse whatsoever (under FERPA) against a third-party vendor responsible for using student data for purposes not allowed under FERPA. It is interesting to note that in the 40 years since FERPA took effect, no institution has ever been denied federal funds for failure to comply. The reason for this is that educational institutions would be profoundly harmed if federal funds were to be withheld.
The simple truth is that these educational institutions may be unaware that student data is being used or shared inappropriately.
The Third Party Service Challenge
To understand how this happens, consider the challenge faced by teachers, schools, and school districts using these third party services. With few exceptions, the schools lack the resources necessary to vet the terms of service (TOS) agreements of these EdTech services. Nor do they have the legal resources necessary to modify these TOS to ensure compliance with FERPA, assuming the service provider would even agree such modifications.
The schools lack the resources necessary to ensure FERPA compliance effectively.
With COPPA the roles are reversed — under COPPA, the statutory obligations fall primarily to the EdTech service provider, not the educational institution. COPPA applies if an EdTech service collects personal information from users under age 13 and requires that parental consent be obtained prior to the collection of this personal information.
COPPA provides a “school exception” to this parental consent requirement where the schools “may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf.” However, this loco parentis authority is limited to use within an educational context – “where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose.”
Problems can and do occur when schools mistakenly assume this “loco parentis” authority applies to all applications used in the classroom, including those with data usage practices that extend beyond the educational context. Unless the EdTech service or application meets the fairly narrowly defined school exception, the service provider is still required to obtain consent from the parent (not the school) before collecting personal information from a pre-teen student. However, this parental consent is seldom obtained in compliance with COPPA.
From the Fordham Law School study:
“An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information.“
If these laws are to be effective, the party legally responsible for ensuring the privacy of student data must have the means of control over how this data is used. Absent this control, the privacy of student data will remain at risk.