Student data privacy: what’s happening in 2015

The previous blog post on student data privacy prompted several discussions with people and organizations that are tracking student data privacy bills this year. The Data Quality Campaign, in particular, tracks legislation and provides other information related to student data privacy. I spoke with Rachel Anderson, Senior Associate, Policy and Advocacy, at DQC, who generously provided much of the detail in the information below. DQC reports that it is tracking 182 bills related to student data privacy in 46 states in 2015, and that so far this year, 14 states have passed 27 new student data privacy laws. DQC finds the following themes, which extend beyond online and blended learning and into the classroom use of websites and apps, emerging.

• Ten states have passed laws related to safeguarding data collected from students based on their use of a website or application. These laws often follow elements of the Student Privacy Pledge, which requires that organizations use data for authorized education purposes only, not sell student information, and not behaviorally target advertising.
• In addition to laws aimed at providers, other laws have given school districts new or expanded responsibilities regarding student data privacy. Nine states passed such laws in 2014, and in 2015 some of these states gave further guidance or support to help districts with these responsibilities. For example, North Dakota now requires data sharing approval by the school board and implements data governance and transparency requirements and supports including data use training. Virginia has a new law to direct the state to develop a model data security plan for districts and to designate a chief data security officer to assist local school divisions with the development or implementation of data use and security policies.
• Many bills describe some criteria or requirements that need to be included in contracts that states or districts make with providers, but these requirements vary greatly in their level of specificity.

In response to the earlier blog post, Rachel agreed with the concept that the loss of data to hackers is of paramount concern, and noted that many privacy advocates conflate data privacy and data security. She essentially captured the essence of my 500 word post in a single sentence.

Another observer of these issues—who prefers to remain in the background—shared with me two main ideas. First, he pointed out that data privacy advocates don’t speak with one voice because there are multiple groups with different philosophical starting points. Some bills that have been introduced just address the concerns of just one of these groups, while others address concerns from multiple groups. He put the groups into three categories:

• One group is concerned about anyone collecting student information, including—perhaps especially—the government. This includes the federal government, states, and schools. This group is not particularly concerned about providers, but their proposals would limit data collection and usage across the board so would greatly impact digital content and tools providers.
• The second group is specifically concerned about private providers monetizing student data, whether by selling that data to companies that want to advertise to students, or by advertising to students themselves. They are particularly concerned about companies working with schools, because the district select the providers, and parents have little or no input in the companies that are chosen.
• The third group believes that schools, states, and providers aren’t being held to best practices relative to student data. They are pushing legislation that would require districts and providers to develop and adhere to best practices.

Second, he points out that another significant development is that student data privacy has received considerable federal attention in 2015, as opposed to 2014 when most of the attention and activity was at the state level. Although no new bills passed at the federal level so far this year, the topic became part of the discussion of ESEA re-authorization, other data privacy bills were introduced, and President Obama mentioned it in the State of the Union address. New bills fall into two main categories – those that create a new set of student data privacy rights/regulations outside of the Family Educational Rights and Privacy Act (FERPA), and those that amend FERPA.

These are all valuable insights, and we are grateful to DQC, Rachel Anderson, and our other readers who are helping shed light on these issues.