The Student Data Privacy Project
On July 9, 2021, parents of school-age children from Maryland to Alaska, in collaboration with the Student Data Privacy Project (SDPP), will file complaints with the U.S. Department of Education (DoE) demanding accountability for the student data that schools share with Educational Technology (EdTech) vendors.
Formed during the pandemic, SDPP is comprised of parents concerned about how their children’s personally identifiable information (PII) is increasingly being mined by EdTech vendors, with the consent of our schools, and without parental consent or school oversight.
With assistance and support from SDPP, 14 parents from 9 states filed requests with their school districts under the Family Educational Rights and Privacy Act (FERPA) seeking access to the PII collected about their children by EdTech vendors. No SDPP parents were able to obtain all of the requested PII held by EdTech vendors, a clear violation of FERPA.
One parent in Maryland never received a response. A New Jersey parent received a generic reply with no date, school name or district identification. Yet a Minnesota parent received over 2,000 files, none of which contained the metadata requested, but did reveal a disturbing amount of personal information held by an EdTech vendor, including the child’s baby pictures, videos of her in an online yoga class, her artwork and answers to in-class questions.
Lisa Cline, SDPP co-founder and parent in Maryland said, “When I tried to obtain data gathered by one app my child uses in class, the school district said, ‘Talk to the vendor.’ The vendor said, ‘Talk to the school.’ This is classic passing of the buck. And the DoE appears to be looking the other way.”
FERPA, a statute enacted in 1974 — almost two decades before the Internet came into existence, at a time when technology in schools was limited to mimeograph machines and calculators — affords parents the right to obtain their children’s education records, to seek to have those records amended, and to have control over the disclosure of the PII in those records.
Unfortunately, this law is now outdated. Since the digital revolution, schools are either unaware, unable or unwilling to apply FERPA to EdTech vendors. Before the pandemic, the average school used 400-1,000 online tools, according to the Student Data Privacy Consortium. Remote learning has increased this number exponentially.
SDPP co-founder, privacy consultant, law professor and parent Joel Schwarz, noted that “DOE’s failure to enforce FERPA, means that EdTech providers are putting the privacy of millions of children at risk, leaving these vendors free to collect, use and monetize student PII, and share it with third parties at will.”
A research study released by the Me2B Alliance in May 2021, showed that 60% of school apps send student data to potentially high-risk third parties without knowledge or consent. SDPP reached out to Me2B and requested an audit of the apps used by schools in the districts involved in the Project. Almost 70% of the apps reviewed used Software Development Kits (SDKs) that posed a “High Risk” to student data privacy, and almost 40% of the apps were rated “Very High Risk,” meaning the code used is known to be associated with registered Data Brokers. Even more concerning, Google showed up in approximately 80% of the apps that included an SDK, and Facebook ran a close second, showing up in about 60% of the apps.
Emily Cherkin, an SDPP co-founder who writes and speaks nationally about screen use as The Screentime Consultant, noted, “because these schools failed to provide the data requested, we don’t know what information is being collected about our children, how long these records are maintained, who has access to them, and with whom they’re being shared.
“FERPA says that parents have a right to know what information is being collected about their children, and how that data is being used,” according to Andy Liddell, a federal court litigator in Austin, TX and another SDPP co-founder. “But those rights are being trampled because neither the schools nor the DoE are focused on this issue.”
The relief sought of the DoE includes requiring schools to:
- actively oversee their EdTech vendors, including regular audits of vendors’ access, use and disclosure of student PII and publicly posting the results of those audits so that parents can validate that their children’s data is being adequately protected;
- provide meaningful access to records held by EdTech in response to a FERPA request, clarifying that merely providing a student’s account log-in credentials, or referring the requester to the Vendor, does not satisfy the school’s obligations under FERPA;
- ensure that when their EdTech vendors share student PII with third parties, the Vendor and the school maintain oversight of third-party access and use of that PII, and apply all FERPA rights and protections to that data, including honoring FERPA access requests;
- protect all of a students’ digital footprints — including browsing history, searches performed, websites visited, etc. (i.e., metadata) — under FERPA, and that all of this data be provided in response to a FERPA access request.