Friday, January 24, 2014

New Laws Are Needed To Protect Student Privacy In The Digital Age

Students and schools around the country are utilizing new digital technologies in ways many people did not imagine at the turn of the century and those technologies offer great promise.  Just ten years ago, terms like "big data", "the cloud", "data mining", and "social media" were not well known by students, parents, and school officials.  To lower costs and to help our students learn more effectively, thousands of schools across the country have adopted new digital technologies. Unfortunately, the current legal framework designed to protect student privacy and safety has not kept up with the rapid advancements that have been created by the Digital Age. 

The federal Family Educational Rights and Privacy Act (FERPA) is the main federal law that protects student educational records.  This law was initially enacted in 1974 and has been amended multiple times by Congress; the last time being in 2001 before the widespread adoption of cloud computing and other digital platforms in schools.  While the statute hasn't been amended in more than 10 years, the rules that the U.S. Department of Education uses to implement FERPA have been more recently updated.  Despite these revisions, some public interest groups such as the Electronic Privacy Information Center allege that FERPA's rule changes undermine privacy safeguards set out in the statute and unnecessarily exposes students to new privacy risks.

At first glance, FERPA appears to be a robust law that protects the personal privacy and safety of students.  However, upon closer examination FERPA does not provide the protections that our students need in the Digital Age.  In the almost 40 years since FERPA's initial enactment, no school has been denied access to federal funds due to a violation that has put the personal privacy and/or safety of students at risk.  As more third parties have been contracted to handle student data through the spread of cloud and mobile technologies, FERPA has done little to constrain the behavior of these third parties because the statute does not contain a sanction that applies them. 

Does this mean that FERPA has been successful and that a school's actions have never put the personal privacy and/or safety of students at risk?  Or, does this validate the notion that FERPA lacks strong enforcement provisions and the U.S. Department of Education has not been provided the resources necessary to properly protect our children?

In 2002, the Supreme Court held that FERPA's nondisclosure provisions do not provide students a personal right to sue entities that fail to properly safeguard their educational records.  While this ruling appears to shield schools from student lawsuits based upon FERPA violations, it has also had a very troubling unintended side effect that may be leading some schools to put their guard down when engaging third party vendors to capture, process, and transmit student data. 

History has proved that some commercial enterprises will abuse their access to student data and that FERPA is unable to provide the privacy and/or safety protections our children need and deserve.  In 2003, multiple student survey companies were caught intentionally misleading schools, students, and parents about their data collection and utilization practices.  The FTC alleged that these entities sold personally identifiable information about millions of students to marketers for financial gain.  In addition to entering into a consent agreement with the FTC that ended these practices, the New York Attorney General's office fined these entities $75,000 for their actions.

In 2012, Time Magazine discovered that a company called UDiligence that had been hired by universities across the country to scan and archive the password protected personal digital content of student-athletes was abusing its access to student data by utilizing personal student content in advertisements for the company's services.  Only after Time Magazine questioned this practice did UDiligence stop monetizing students' personal digital content for pecuniary gain.

Several months ago, a judge in a lawsuit that accuses Google of violating multiple federal and state laws regarding its email data mining practices ruled that the case may move forward.  During a recent court filing in this lawsuit, Google admitted that its University of Alaska school branded Gmail system utilizes the information obtained from student emails for advertising purposes (Link to this document; See page 42, #88).  As part of an effort to dismiss the case, Google argued that two student plaintiffs from universities who were Google Apps for Education users consented to Google scanning their emails for advertising purposes when they signed onto the service the first time (Link to this document; See page 14).

Since Google provides this same exact service for free to thousands of schools across the country it raises a serious question of whether Google is data mining the school emails of millions of students across the country for financial gain.  Do the same arguments that Google has made in its motion to dismiss, that students have consented to this data mining, apply to students at other schools where Google Apps for Education is in use?  It does not appear that students, parents, and/or teachers have been informed and provided consent that would enable their digital interactions and the content sent and received on school contracted Gmail services to be utilized for advertising purposes. 

The personal safety of students are at risk when commercial entities obtain access to student data and act upon the information.  According to Education Week, some low-income children in Arizona were subjected to unnecessary dental work by corporate-affiliated "mobile dentists" who found their patients through easy access to school records.  In response to this troubling practice, Arizona enacted a new state law last year that tightened access to this information.

Several months ago, The New York Times discussed the privacy and safety challenges inherent when schools hire third parties to collect and store student data on the web.  A recent Fordham University Law School study found "weaknesses in the protection of student information in the contracts that school districts sign when outsourcing web-based tasks to service companies".  Fordham's findings were validated by the Maryland Attorney General's 2013 report on children's privacy that recommended a new state law that would prohibit cloud service providers from using data collected from students for commercial purposes.

Parents are extremely worried about their children's personal privacy and safety.  A new Common Sense Media Survey found broad support for stronger safeguards to protect our students in the Digital Age.  According to the survey, 91 percent of respondents support stronger parental-consent requirements related to the sharing of sensitive student data, and 89 percent supported tighter security standards for cloud storage.

Since FERPA has not been updated to reflect the tremendous change the Digital Age has brought to the education system, it is time for states to enact laws that better protect the personal privacy and safety of our students.  States should enact strict prohibitions on the use of student data (i.e.  emails, documents, or other content), ensuring that vendors do not have rights to use that data for advertising or marketing purposes or to otherwise build personal profiles of students that may be utilized to discriminate against students and/or their families.  Parents and students need to know that when they utilize school provided digital communication platforms their data is safe and secure and will not be used to prey upon their economic and/or personal situation.

Copyright 2014 by the Law Office of Bradley S. Shear, LLC All rights reserved.  

No comments:

Post a Comment