<i>Commentary</i> New Laws Needed To Protect Student Data

At first glance, FERPA appears to be a robust law that protects the personal privacy and safety of students. However, upon closer examination, FERPA does not provide the protections that our students need in the Digital Age. In the almost 40 years since FERPA's initial enactment, no school has been denied access to federal funds due to a violation that has put the personal privacy and/or safety of students at risk. As more third parties have been contracted to handle student data through the spread of cloud and mobile technologies, FERPA has done little to constrain the behavior of these third parties because the statute does not contain a sanction that applies to them. See, “Why Schools Are Flunking Privacy and How They Can Improve,” Daniel Solove.

Does this mean that FERPA has been successful and that a school's actions have never put the personal privacy and/or safety of students at risk? Or, does this validate the notion that FERPA lacks strong enforcement provisions and the DOE has not been provided the resources necessary to properly protect our children?

In 2002, the Supreme Court held that FERPA's nondisclosure provisions do not provide students a personal right to sue entities that fail to properly safeguard their educational records. See, Gonzaga University, et. al. v. Doe, 536 U.S. 273, decided June 20, 2002. While this ruling appears to shield schools from student lawsuits based upon FERPA violations, it has also had a very troubling unintended side effect that may be leading some schools to put their guard down when engaging third-party vendors to capture, process and transmit student data.

History has proven that some commercial enterprises will abuse their access to student data and that FERPA is unable to provide the privacy and/or safety protections our children need and deserve. In 2003, multiple student survey companies were caught intentionally misleading schools, students and parents about their data collection and utilization practices. See, “Student Survey Companies Settle FTC Charges,” FTC.gov. The FTC alleged that these entities sold personally identifiable information about millions of students to marketers for financial gain. In addition to entering into a consent agreement with the FTC that ended these practices (see, Educational Research Center of America, Inc. ' Consent Agreement), the New York Attorney General's office fined these entities $75,000 for their actions. See, “FTC Eyes 'Educational' Marketers,” Wired.

In 2012, Time Magazine discovered that UDiligence, a company that had been hired by universities across the country to scan and archive the password-protected personal digital content of student-athletes, was abusing its access to student data by utilizing personal student content in advertisements for the company's services. Only after Time questioned this practice did UDiligence stop monetizing students' personal digital content for pecuniary gain. See, “Jock Police,” Time.com (subscription req'd).

Several months ago, a judge in a lawsuit that accuses Google of violating multiple federal and state laws regarding its e-mail data mining practices ruled that the case may move forward. See, “Google Wiretapping Lawsuits Can Proceed, Judges Say,” Information Week. During a recent court filing in this lawsuit, Google admitted that its University of Alaska school-branded Gmail system utilizes the information obtained from student e-mails for advertising purposes (http://bit.ly/1i5fzyQ; see page 42, #88). As part of an effort to dismiss the case, Google argued that two student plaintiffs from universities who were users of Google Apps for Education consented to Google scanning their e-mails for advertising purposes when they signed onto the service the first time (http://bit.ly/1iEvg2Q; see page 14).

Since Google provides this same exact service for free to thousands of schools across the country, it raises a serious question of whether Google is data mining the school e-mails of millions of students across the country for financial gain. Do the same arguments that Google has made in its motion to dismiss ' that students have consented to this data mining ' apply to students at other schools where Google Apps for Education is in use? It does not appear that students, parents and/or teachers have been informed and provided consent that would enable their digital interactions and the content sent and received on school contracted Gmail services to be utilized for advertising purposes.

Commercial Use of Student Data

The personal safety of students is at risk when commercial entities obtain access to student data and act upon the information. According to Education Week, some low-income children in Arizona were subjected to unnecessary dental work by corporate-affiliated “mobile dentists” who found their patients through easy access to school records. In response to this troubling practice, Arizona enacted a new state law last year, SB 1450, that tightened access to this information. See, http://1.usa.gov/Mn2iHp.

Several months ago, The New York Times discussed the privacy and safety challenges inherent when schools hire third parties to collect and store student data on the Web. See, “Senator Raises Questions about Protecting Student Data,” The New York Times. A recent Fordham University Law School study found “weaknesses in the protection of student information in the contracts that school districts sign when outsourcing Web-based tasks to service companies.” See, “Fordham Study Finds Major Problems with Public School Use of Data in Cloud Computing,” The Journal. Fordham's findings were validated by the Maryland Attorney General's 2013 report on children's privacy that recommended a new state law that would prohibit cloud service providers from using data collected from students for commercial purposes. See, “Report to the Maryland General Assembly on Children's Online Privacy.”'

According to a study by the Benenson Strategy Group on behalf of Common Sense Media, an advocacy group for children and families, parents are extremely worried about their children's personal privacy and safety. See, “Immense Unease over Advertisers Nabbing Student Data: Poll,” Huffington Post. A new Common Sense Media Survey found broad support for stronger safeguards to protect our students in the Digital Age. According to the survey, 91% of respondents support stronger parental-consent requirements related to the sharing of sensitive student data, and 89% supported tighter security standards for cloud storage.

Up to the States

Since FERPA has not been updated to reflect the tremendous change the Digital Age has brought to the education system, it is time for states to enact laws that better protect the personal privacy and safety of our students. States should enact strict prohibitions on the use of student data (i.e., e-mails, documents, or other content), ensuring that vendors do not have rights to use that data for advertising or marketing purposes or to otherwise build personal profiles of students that may be utilized to discriminate against students and/or their families. See, “Will More Schools Make Privacy a Priority in 2014?,” USA Today. Parents and students need to know that when they utilize school provided digital communication platforms their data is safe and secure and will not be used to prey upon their economic and/or personal situation.

Bradley S. Shear is a lawyer in Bethesda, MD, and an Adjunct Professor at George Washington University. A member of this newsletter's Board of Editors, he practices cyber and social media law, privacy and advertising law, and copyright and trademark law. Shear advises state and federal lawmakers around the country on digital media law and public policy issues. He can be reached at www.shearlaw.com and on Twitter @bradleyshear.

Students and schools around the country are utilizing new digital technologies in ways many people did not imagine at the turn of the century ' and those technologies offer great promise. Just 10 years ago, terms like “big data,” “the cloud,” “data mining” and “social media” were not well known by students, parents or school officials. To lower costs and to help our students learn more effectively, thousands of schools across the country have adopted new digital technologies. Unfortunately, the current legal framework designed to protect student privacy and safety has not kept up with the rapid advancements that have been created by the Digital Age.

The federal Family Educational Rights and Privacy Act (FERPA) is the main federal law that protects student educational records. This law was initially enacted in 1974 and has been amended multiple times by Congress; the last time being in 2001 before the widespread adoption of cloud computing and other digital platforms in schools. See , “Legislative History of Major FERPA Provisions,” ED.gov. While the statute hasn't been amended in more than 10 years, the rules that the U.S. Department of Education (DOE) uses to implement FERPA have been more recently updated. Despite these revisions, some public interest groups such as the Electronic Privacy Information Center (EPIC) allege that FERPA's rule changes undermine privacy safeguards set out in the statute and unnecessarily exposes students to new privacy risks. See, “Comments of Electronic Privacy Information Center to the Department of Education,” May 23, 2011, EPIC.org.

FERPA Lacks Teeth

At first glance, FERPA appears to be a robust law that protects the personal privacy and safety of students. However, upon closer examination, FERPA does not provide the protections that our students need in the Digital Age. In the almost 40 years since FERPA's initial enactment, no school has been denied access to federal funds due to a violation that has put the personal privacy and/or safety of students at risk. As more third parties have been contracted to handle student data through the spread of cloud and mobile technologies, FERPA has done little to constrain the behavior of these third parties because the statute does not contain a sanction that applies to them. See, “Why Schools Are Flunking Privacy and How They Can Improve,” Daniel Solove.

Does this mean that FERPA has been successful and that a school's actions have never put the personal privacy and/or safety of students at risk? Or, does this validate the notion that FERPA lacks strong enforcement provisions and the DOE has not been provided the resources necessary to properly protect our children?

In 2002, the Supreme Court held that FERPA's nondisclosure provisions do not provide students a personal right to sue entities that fail to properly safeguard their educational records. See, Gonzaga University, et. al. v. Doe, 536 U.S. 273, decided June 20, 2002. While this ruling appears to shield schools from student lawsuits based upon FERPA violations, it has also had a very troubling unintended side effect that may be leading some schools to put their guard down when engaging third-party vendors to capture, process and transmit student data.

History has proven that some commercial enterprises will abuse their access to student data and that FERPA is unable to provide the privacy and/or safety protections our children need and deserve. In 2003, multiple student survey companies were caught intentionally misleading schools, students and parents about their data collection and utilization practices. See, “Student Survey Companies Settle FTC Charges,” FTC.gov. The FTC alleged that these entities sold personally identifiable information about millions of students to marketers for financial gain. In addition to entering into a consent agreement with the FTC that ended these practices (see, Educational Research Center of America, Inc. ' Consent Agreement), the New York Attorney General's office fined these entities $75,000 for their actions. See, “FTC Eyes 'Educational' Marketers,” Wired.

In 2012, Time Magazine discovered that UDiligence, a company that had been hired by universities across the country to scan and archive the password-protected personal digital content of student-athletes, was abusing its access to student data by utilizing personal student content in advertisements for the company's services. Only after Time questioned this practice did UDiligence stop monetizing students' personal digital content for pecuniary gain. See, “Jock Police,” Time.com (subscription req'd).

Several months ago, a judge in a lawsuit that accuses Google of violating multiple federal and state laws regarding its e-mail data mining practices ruled that the case may move forward. See, “Google Wiretapping Lawsuits Can Proceed, Judges Say,” Information Week. During a recent court filing in this lawsuit, Google admitted that its University of Alaska school-branded Gmail system utilizes the information obtained from student e-mails for advertising purposes (http://bit.ly/1i5fzyQ; see page 42, #88). As part of an effort to dismiss the case, Google argued that two student plaintiffs from universities who were users of Google Apps for Education consented to Google scanning their e-mails for advertising purposes when they signed onto the service the first time (http://bit.ly/1iEvg2Q; see page 14).

Since Google provides this same exact service for free to thousands of schools across the country, it raises a serious question of whether Google is data mining the school e-mails of millions of students across the country for financial gain. Do the same arguments that Google has made in its motion to dismiss ' that students have consented to this data mining ' apply to students at other schools where Google Apps for Education is in use? It does not appear that students, parents and/or teachers have been informed and provided consent that would enable their digital interactions and the content sent and received on school contracted Gmail services to be utilized for advertising purposes.

Commercial Use of Student Data

The personal safety of students is at risk when commercial entities obtain access to student data and act upon the information. According to Education Week, some low-income children in Arizona were subjected to unnecessary dental work by corporate-affiliated “mobile dentists” who found their patients through easy access to school records. In response to this troubling practice, Arizona enacted a new state law last year, SB 1450, that tightened access to this information. See, http://1.usa.gov/Mn2iHp.

Several months ago, The New York Times discussed the privacy and safety challenges inherent when schools hire third parties to collect and store student data on the Web. See, “Senator Raises Questions about Protecting Student Data,” The New York Times. A recent Fordham University Law School study found “weaknesses in the protection of student information in the contracts that school districts sign when outsourcing Web-based tasks to service companies.” See, “Fordham Study Finds Major Problems with Public School Use of Data in Cloud Computing,” The Journal. Fordham's findings were validated by the Maryland Attorney General's 2013 report on children's privacy that recommended a new state law that would prohibit cloud service providers from using data collected from students for commercial purposes. See, “Report to the Maryland General Assembly on Children's Online Privacy.”'

According to a study by the Benenson Strategy Group on behalf of Common Sense Media, an advocacy group for children and families, parents are extremely worried about their children's personal privacy and safety. See, “Immense Unease over Advertisers Nabbing Student Data: Poll,” Huffington Post. A new Common Sense Media Survey found broad support for stronger safeguards to protect our students in the Digital Age. According to the survey, 91% of respondents support stronger parental-consent requirements related to the sharing of sensitive student data, and 89% supported tighter security standards for cloud storage.

Up to the States

Since FERPA has not been updated to reflect the tremendous change the Digital Age has brought to the education system, it is time for states to enact laws that better protect the personal privacy and safety of our students. States should enact strict prohibitions on the use of student data (i.e., e-mails, documents, or other content), ensuring that vendors do not have rights to use that data for advertising or marketing purposes or to otherwise build personal profiles of students that may be utilized to discriminate against students and/or their families. See, “Will More Schools Make Privacy a Priority in 2014?,” USA Today. Parents and students need to know that when they utilize school provided digital communication platforms their data is safe and secure and will not be used to prey upon their economic and/or personal situation.

Bradley S. Shear is a lawyer in Bethesda, MD, and an Adjunct Professor at George Washington University. A member of this newsletter's Board of Editors, he practices cyber and social media law, privacy and advertising law, and copyright and trademark law. Shear advises state and federal lawmakers around the country on digital media law and public policy issues. He can be reached at www.shearlaw.com and on Twitter @bradleyshear.