Obama Calls for Student Privacy Standards

In a speech before the Federal Trade Commission on Jan. 12, President Barack Obama called for the passage of a Student Digital Privacy Act that would allow student-related information to be collected only for educational purposes, not for marketing. See, http://1.usa.gov/1ATwUSn.

The White House did not release specifics about the potential legislation, but the President said, “we didn't have to completely reinvent the wheel on this proposal.”

“California just passed a landmark law,” Obama said. “And I hope Congress joins us in this national movement to protect the privacy of our children.”

California last year enacted the Student Online Personal Information Protection Act. The law, which doesn't go into effect until 2016, bars websites and apps designed for use in K-12 schools from amassing profiles on students and selling information gathered from them.

The state legislation passed with overwhelming, bipartisan support, something that's likely to happen with a similar federal bill, even in hyper-partisan Washington, DC, says Michael Goldstein, cochair of Cooley's higher education practice group.

“Protecting children from predatory practices is an easy one to sign on to,” says Goldstein. “With a Republican Congress and a Democratic president, I think you're going to end up with legislation that is very much right down the middle.”

The Proposal

The President outlined his student data proposal as part of a series of consumer privacy initiatives laid out in his speech before the FTC. Obama said he will also seek federal legislation creating a national standard of 30 days for notifying consumers about data breaches, and he will pursue a broader privacy “bill of rights” that would give individuals control over what personal data companies can collect from them.

President Obama stated:

We've already seen some instances where some companies use educational technologies to collect student data for commercial purposes, like targeted advertising. We believe that there ought to be some basic baseline protections across industries. ' I want to encourage every company that provides these technologies to our schools to join this effort. It's the right thing to do. And if you don't join this effort, then we intend to make sure that those schools and those parents know you haven't joined this effort. So, this mission, protecting our information and privacy in the Information Age, this should not be a partisan issue. This should be something that unites all of us as Americans.

The president is expected to give speeches addressing cybersecurity and broadband availability in the weeks following his stated commitment to a “free and open Internet” in his State of the Union Address'last month.

College Students Not Included

As much as privacy groups applaud the President for making student privacy a front-burner issue, the proposal focuses on elementary and high-school students, not college students, according to The Chronicle of Higher Education, citing Obama administration officials. A post on The Chronicle's Wired Campus blog quotes Barmak Nassirian, director of federal relations and policy analysis for the American Association of State Colleges and Universities, as saying the bill drew an “artificial distinction” by focusing on elementary and secondary students, and leaving college students to fend for themselves. “From a privacy perspective, there is really no reason to do that,” said Nassirian. See, “Obama Proposes Bill to Protect Student Data, but Not in Higher Education.”'

The blog post points out that a lot of data follows students to college, citing Michael Abbiatti, executive director of the WICHE Cooperative for Educational Technologies, a nonprofit that supports e-learning collaborations. So much data get “shipped” across that border, according to Abbiatti, that definitions and systems that govern data collection in elementary and secondary schools tend to influence those in higher education.

Tech Support

The real fight may be over federal preemption. Tech groups generally lauded the President's student privacy proposal but said that the nation must have one set of rules for companies to follow.

“While we fully support the protection of student data, we must be sure that any legislative proposal is necessary, effective and contains state preemption, while allowing industry to continue to better their products for use,” Elizabeth Hyman, TechAmerica's executive vice president of public advocacy said in a prepared statement.

Consumer and privacy groups, by contrast, want any federal rules to serve as a regulatory floor, not a ceiling.

“It's good that the president has refocused on privacy and data security issues, but it would be terrible [if] his proposals preempt stronger state laws and offer less protection,” John Simpson, the privacy project director for Consumer Watchdog, said in an e-mail. “States must be allowed to enact stronger measures.”

Venture capital tracker CB Insights reported in December that ed tech was on pace to set new funding records in 2014. Online programs and apps can now track everything from students' homework assignments to their physical fitness and even behavioral issues. States have responded to the growth of these programs ' and a sense that federal laws aren't always clear about what pupil information a company can collect and use ' by creating their own laws and rules. Lawmakers in 36 states considered 110 bills addressing student data privacy in 2014, according to the group Data Quality Campaign.

“Getting ahead of the game and creating a single standard to be followed will be viewed as a positive by industry,” says Goldstein.

“The President's recent announcement that he is backing stronger student privacy protections is welcome news,” says Bradley Shear, a Board of Editors member of this newsletter and a long-time advocate of student privacy rights. “While the industry backed Student Privacy Pledge is a step in the right direction, the Pledge alone absent stronger student privacy laws provides a false sense of security to families.”

Shear says for the policy to work, all parties must buy in. “While I am optimistic about the opportunity for stronger student privacy protections to become law,” he comments, “I know there is a lot of work ahead. Therefore, it is imperative for students, parents, teachers, school administrators, privacy advocates, and education technology vendors to work with regulators, lawmakers, and the President to enact a thoughtful and forward thinking bill into law.”

After initially choosing not to, on Jan. 19 Google signed the Student Privacy Pledge introduced by The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA). See, “Student Privacy Pledge Hits 90 Signers!” Shear says Google signed the Pledge only after the President stated he would call out companies who refuse to do so, and points out that last year, Google was caught scanning student e-mails for advertising purposes and it still refuses to state whether it has created user profiles of students, both activities which violate the Pledge.” (See, “Google Under Fire for Data-Mining Student Email Messages,” Education Week.) “Google's troubling actions demonstrate the need for stronger student privacy laws that hold violators legally accountable for putting our children's personal information at risk of being utilized to discriminate against them,” Shear concludes. (Editor's Note: As this issue was going to press, a federal judge in Newark, NJ, dismissed multidistrict litigation against Google and Viacom Inc., rejecting claims that the companies' online data collection violates the privacy of children under 13. The litigation failed to state a claim under the Video Privacy Protection Act (VPPA) because no showing was made that the companies ever learn the children's actual identities, U.S. District Judge Stanley Chesler of the District of New Jersey said. A claim under the tort of intrusion upon seclusion also failed because the defendants' conduct would not be “highly offensive” to a reasonable person, Chesler said in his Jan. 20 ruling.)

Cheryl Miller is a reporter for The Recorder, an ALM sibling publication of this newsletter in which this article also appeared. She can be reached at [email protected]. Steven Salkin, Esq., is Managing Editor and Web Editor of Internet Law & Strategy. He can be reached at [email protected] or on Twitter @ljn_online. Reports from The New Jersey Law Journal also contributed to this article.

In a speech before the Federal Trade Commission on Jan. 12, President Barack Obama called for the passage of a Student Digital Privacy Act that would allow student-related information to be collected only for educational purposes, not for marketing. See, http://1.usa.gov/1ATwUSn.

The White House did not release specifics about the potential legislation, but the President said, “we didn't have to completely reinvent the wheel on this proposal.”

“California just passed a landmark law,” Obama said. “And I hope Congress joins us in this national movement to protect the privacy of our children.”

California last year enacted the Student Online Personal Information Protection Act. The law, which doesn't go into effect until 2016, bars websites and apps designed for use in K-12 schools from amassing profiles on students and selling information gathered from them.

The state legislation passed with overwhelming, bipartisan support, something that's likely to happen with a similar federal bill, even in hyper-partisan Washington, DC, says Michael Goldstein, cochair of Cooley's higher education practice group.

“Protecting children from predatory practices is an easy one to sign on to,” says Goldstein. “With a Republican Congress and a Democratic president, I think you're going to end up with legislation that is very much right down the middle.”

The Proposal

The President outlined his student data proposal as part of a series of consumer privacy initiatives laid out in his speech before the FTC. Obama said he will also seek federal legislation creating a national standard of 30 days for notifying consumers about data breaches, and he will pursue a broader privacy “bill of rights” that would give individuals control over what personal data companies can collect from them.

President Obama stated:

We've already seen some instances where some companies use educational technologies to collect student data for commercial purposes, like targeted advertising. We believe that there ought to be some basic baseline protections across industries. ' I want to encourage every company that provides these technologies to our schools to join this effort. It's the right thing to do. And if you don't join this effort, then we intend to make sure that those schools and those parents know you haven't joined this effort. So, this mission, protecting our information and privacy in the Information Age, this should not be a partisan issue. This should be something that unites all of us as Americans.

The president is expected to give speeches addressing cybersecurity and broadband availability in the weeks following his stated commitment to a “free and open Internet” in his State of the Union Address'last month.

College Students Not Included

As much as privacy groups applaud the President for making student privacy a front-burner issue, the proposal focuses on elementary and high-school students, not college students, according to The Chronicle of Higher Education, citing Obama administration officials. A post on The Chronicle's Wired Campus blog quotes Barmak Nassirian, director of federal relations and policy analysis for the American Association of State Colleges and Universities, as saying the bill drew an “artificial distinction” by focusing on elementary and secondary students, and leaving college students to fend for themselves. “From a privacy perspective, there is really no reason to do that,” said Nassirian. See, “Obama Proposes Bill to Protect Student Data, but Not in Higher Education.”'

The blog post points out that a lot of data follows students to college, citing Michael Abbiatti, executive director of the WICHE Cooperative for Educational Technologies, a nonprofit that supports e-learning collaborations. So much data get “shipped” across that border, according to Abbiatti, that definitions and systems that govern data collection in elementary and secondary schools tend to influence those in higher education.

Tech Support

The real fight may be over federal preemption. Tech groups generally lauded the President's student privacy proposal but said that the nation must have one set of rules for companies to follow.

“While we fully support the protection of student data, we must be sure that any legislative proposal is necessary, effective and contains state preemption, while allowing industry to continue to better their products for use,” Elizabeth Hyman, TechAmerica's executive vice president of public advocacy said in a prepared statement.

Consumer and privacy groups, by contrast, want any federal rules to serve as a regulatory floor, not a ceiling.

“It's good that the president has refocused on privacy and data security issues, but it would be terrible [if] his proposals preempt stronger state laws and offer less protection,” John Simpson, the privacy project director for Consumer Watchdog, said in an e-mail. “States must be allowed to enact stronger measures.”

Venture capital tracker CB Insights reported in December that ed tech was on pace to set new funding records in 2014. Online programs and apps can now track everything from students' homework assignments to their physical fitness and even behavioral issues. States have responded to the growth of these programs ' and a sense that federal laws aren't always clear about what pupil information a company can collect and use ' by creating their own laws and rules. Lawmakers in 36 states considered 110 bills addressing student data privacy in 2014, according to the group Data Quality Campaign.

“Getting ahead of the game and creating a single standard to be followed will be viewed as a positive by industry,” says Goldstein.

“The President's recent announcement that he is backing stronger student privacy protections is welcome news,” says Bradley Shear, a Board of Editors member of this newsletter and a long-time advocate of student privacy rights. “While the industry backed Student Privacy Pledge is a step in the right direction, the Pledge alone absent stronger student privacy laws provides a false sense of security to families.”

Shear says for the policy to work, all parties must buy in. “While I am optimistic about the opportunity for stronger student privacy protections to become law,” he comments, “I know there is a lot of work ahead. Therefore, it is imperative for students, parents, teachers, school administrators, privacy advocates, and education technology vendors to work with regulators, lawmakers, and the President to enact a thoughtful and forward thinking bill into law.”

After initially choosing not to, on Jan. 19 Google signed the Student Privacy Pledge introduced by The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA). See, “Student Privacy Pledge Hits 90 Signers!” Shear says Google signed the Pledge only after the President stated he would call out companies who refuse to do so, and points out that last year, Google was caught scanning student e-mails for advertising purposes and it still refuses to state whether it has created user profiles of students, both activities which violate the Pledge.” (See, “Google Under Fire for Data-Mining Student Email Messages,” Education Week.) “Google's troubling actions demonstrate the need for stronger student privacy laws that hold violators legally accountable for putting our children's personal information at risk of being utilized to discriminate against them,” Shear concludes. (Editor's Note: As this issue was going to press, a federal judge in Newark, NJ, dismissed multidistrict litigation against Google and Viacom Inc., rejecting claims that the companies' online data collection violates the privacy of children under 13. The litigation failed to state a claim under the Video Privacy Protection Act (VPPA) because no showing was made that the companies ever learn the children's actual identities, U.S. District Judge Stanley Chesler of the District of New Jersey said. A claim under the tort of intrusion upon seclusion also failed because the defendants' conduct would not be “highly offensive” to a reasonable person, Chesler said in his Jan. 20 ruling.)

Cheryl Miller is a reporter for The Recorder, an ALM sibling publication of this newsletter in which this article also appeared. She can be reached at [email protected]. Steven Salkin, Esq., is Managing Editor and Web Editor of Internet Law & Strategy. He can be reached at [email protected] or on Twitter @ljn_online. Reports from The New Jersey Law Journal also contributed to this article.