Student privacy advocates collectively rejoiced Monday at President Obama’s announcement of the Student Digital Privacy Act (SDPA). As roughly outlined in his speech, the bill would extend three explicit privacy protections to students and their parents:
- student data could not be used for targeted advertising,
- student data could not be sold to or by third parties “for purposes other than education,”
- and student data could not be used to profile students.
In an era of Big Data, troves of student data borne from educational technology systems represent untapped insight into learning processes–and immense financial value for those who mine and broker personally identifiable information.
The president remarked that state legislation already serves as a good model for how the SDPA should ultimately be written. California’s “Student Online Personal Information Protection Act” provides privacy protections specifically to K-12 students, including prohibiting companies from “knowingly using, disclosing, compiling or allowing a 3rd party” to use data derived from and about minors to target advertisements, products, or services. Furthermore, companies that provide services that use student data are required to delete a student’s data if the district or school requests. Actions by California and other states to protect student privacy are laudable and needed, especially given the federal government’s failure to overhaul FERPA in order to meet the growing challenges presented by data-driven educational technologies and practices.
The SDPA is a welcome announcement at just the right time, but as drafted currently, it has a glaring problem. In his speech to the Federal Trade Commission, Obama remarked, “We need a structure that ensures that information is not being gathered without us as parents or the kids knowing it. We want our kids’ privacy protected–wherever they sign in or log on, including at school.” For the president, however, “school” does not include higher education institutions.
Elementary and secondary students–minors–will be afforded extra privacy protections under the SDPA–not college students. It was unclear in Obama’s initial statement who, in fact, would be protected under the SDPA, but administration officials later confirmed that higher education students would not reap the protective benefits of the act. Without an explicitly stated justification to explain the distinction, the extension of privacy protections for one set of students but not the other seems arbitrary at best.
Herein, I want to briefly address two questions stemming from this announcement:
- Why are college students left unprotected?
- Are such protections actually needed in light of already existing student privacy law?
The most plausible reason for why college students are left unprotected under the SDPA is that they are adults who are of an age and with experience that allows them to make rational, autonomous decisions. Adults can choose what data-driven technologies they want to participate with and the degree to which they want to disclose information about themselves in the process. In contrast, minors may not have enough understanding about what educational technology companies do with their data, how third party data brokers make a profit on very personal information, or the harm that may come from entering into a relationship with a company that cares more about profit and less about privacy. The difference is the assumption that adults students seem to be able to make informed choices where minors can’t.
College students are afforded few choices regarding their use of educational technologies in the context of higher education. While they may be informed about the negative aspects of such data-driven technologies, including potential risks to their privacy, they often cannot choose to be non-users. In reality, their institution and their instructors are foisting data-driven educational technologies upon them.
Many data-driven technologies, like learning analytics applications or eTexts, are implemented in courses by faculty who seek the insights into student learning behaviors such systems provide in order to aid instructional practices. Students often cannot choose not to use a learning analytics enabled learning management system, nor can they choose not to read a print text as an alternative, especially if the technology is closely associated with assessment practices. As a result, students are forced to participate in data mining practices that potentially reveal sensitive information to educational technology companies and the third parties with whom the companies do business.
Regardless of a college student’s understanding of our data-driven society, the way data brokers buy and sell her information, and regardless of her ability to make informed decisions, she cannot protect herself from invasions of privacy that may come from using this genre of educational technology. Laws, like the SDPA, can protect her. Strongly worded memorandums of understanding between institutions and edTech companies can protect her. And faculty can protect her by choosing educational technologies carefully and with forethought of the potential privacy problems. But she can do very little to protect herself against the same privacy concerns that affect elementary and secondary students.
Perhaps a less obvious answer for why college students are left unprotected under the SDPA is a sense in the Obama administration of lower perceived risk to privacy. This is conjecture, of course, since we have little information regarding behind the scenes conversations about how the SDPA will be written, but it is important to consider nonetheless.
I argue that the risk is just as real for a first year in college as it is for a junior in high school. Selling personal information gleaned from educational technologies is potentially detrimental to the privacy of all students, regardless of where they are at in their educational career. College students may feel that a space they once found safe–their physical and virtual classroom–is no longer so, and they may curtail their thoughts and behaviors as a result. When our labs, classrooms, and lecture halls are no longer forums for freedom of expression and the open exchange of ideas due to the fact that some company may be amassing profiles of student data, then surely the risk to privacy is just as real for college students as it is for elementary and secondary students.
Given FERPA’s pre-existing protections, are the privacy protections extended in the SDPA actually needed in higher education? There are moral, social, and economical reasons why protections like those offered up in the SDPA are needed, but I want to focus on the legal argument. The final construction of the SDPA is anyone’s guess at this point, but if we use California’s student privacy law as the framework on which the SDPA will be written, we should ask what the new law will do that current law–FERPA–doesn’t.
The first question to ask is whether or not the information used in data-driven educational technologies is considered a part of a student’s record. AT §99.3, FERPA “clearly” defines an education record as data and information that is directly related to an identifiable student and maintained by the institution. Data created by and about students in the course of interacting with educational technologies is arguably a part of a student’s record, especially since the data was created within the context of an educational experience (i.e., it’s not simply data exhaust from interacting with some system). If the data is a part of the student’s educational record, then all FERPA protections apply.
The next question to ask is if the protections the SDPA extends are already covered under FERPA. Remember, the purpose of the new privacy rights at the core of the SDPA are to protect students from targeted advertising, to severely restrict the sale of student data, and to limit student profiling.
FERPA says nothing of advertising, but it does require that educational technology companies who provide services on behalf of an institution use student data for pre-determined purposes. I find it implausible that such purposes would include targeted advertising. An institution would not direct an edTech company to use student data to market products for the financial gain of the company.
With regard to the sale of student data, §99.33 states that a company acting on behalf of the institution or providing services to the institution cannot disclose student information to other parties (e.g., data brokers), since doing so would change the original purpose of the disclosure and use of student information. Therefore, selling student data would be unlawful.
Finally, amassing troves of student data for the purposes of profiling comes under fire from two directions. First, doing so runs counter to the expectation that student data will be used for specific, pre-determined purposes; squirreling away student data may be useful for educational technology companies to build new products, but it doesn’t provide a direct service to the institution with whom the company is contracted. Second, educational technology companies who provide products and services to students on behalf of the institution are “under the direct control” of the institution, meaning that the college or university remains the steward of student data and can direct the company to expunge its data warehouses of information related to its students; as I read FERPA, it remains the responsibility of the institution to direct their contracted companies to do so.
While it is arguable that FERPA already protects college students regardless of the SDPA, my reasoning is based on my reading of FERPA and my interpretations of its definitions and requirements. This is the most significant issue with current student privacy law: the wide interpretive range of the law allows for too many privacy problems to slip by without full consideration. What the SDPA does that FERPA does not (in the little that we know about it) is clearly define data practices that will be illegal. FERPA needs similar language with sharper clarity that delimits what uses of data are strictly prohibited.
In the SDPA, student privacy advocates have reason to believe that data mining in education won’t run rampant regardless of the harmful effects that may occur by analyzing and using sensitive student information. But failing to extend privacy protections to all students, including college students, is a significant oversight that the Obama administration needs to justify. Furthermore, all of us who care about student privacy or interact with student privacy laws must seek clarity in the legislation that will come to govern our use of data-driven educational technology. If student privacy is truly a priority, as the Presidents says it is, then now is the time to inform his administration and our legislators of our need for a student privacy law that represents the current technological landscape, encapsulates the enduring value of privacy, and acts as instructive document to govern our use of student information and holds us accountable for our missteps.