A student privacy bill, which lawmakers promised to bring before the House in bipartisan effort, was introduced by Reps. Luke Messer, R-Ind., and Jared Polis, D-Color., on Wednesday.
The Student Digital Privacy and Parental Rights Act would restrict how educational data belonging to K-12 students can used by businesses. Polis and Messer announced that nearly two dozen organizations spanning the technology, privacy and educational space have backed the bill in its current form, including tech giant Microsoft, the Center for Democracy and Technology (CDT), the International Society for Technology and Education, and the National Education Association.
“The status quo surrounding the protection of our students’ data is entirely unacceptable,” Polis said in a statement. “It’s like the Wild Wild West – there are few regulations protecting student’s privacy and parental rights, and the ones that do exist were written in an age before smartphones and tablets. Our bipartisan bill is a much-needed first step in providing a framework that can address these concerns of parents and educators while at the same time allowing for the promise of education technology to transform our schools.”
The lawmakers’ efforts follow President Obama’s call to Congress in January to put forth legislation that would further protect student data. And after revealing last month that they would co-sponsor such a bill, Messer and Polis released the 21-page bill (PDF) to the public this week.
In its current form, the Student Digital Privacy and Parental Rights Act of 2015 prohibits operators – meaning any entity that provides “online and similar services to educational agencies or institutions” – from engaging in targeted advertising on a school service or collecting, generating, using or disclosing “any covered information for purposes of targeted advertising,” the bill said.
The legislation also bans operators from selling covered information, meaning personally identifiable information (PII) or data that is linkable to PII, to a third party, and from creating personal profiles of students for non-school related purposes.
In a release, Polis’s office explained that “the bill would also mandate that operators disclose publicly and directly to schools the types of information being collected and how that information will be used.”
“Operators also would have to establish and maintain strong security procedures to prevent data breaches. In the event of a data breach, operators must notify the FTC [Federal Trade Commission] and all potential victims of the breach in compliance with existing law,” the release continued.
Under the law, parents would also have the ability to authorize the use of their childrens’ data for non-educational purposes, “and the right to access and correct a student’s covered information” – or delete student data that the school isn’t required to maintain, the release said.
The Parent Coalition for Student Privacy, which initially expressed last month that the bill failed to go far enough in its protections, said in a Wednesday statement that the Act “still has many loopholes,” even in its amended version.
Rachael Stickland, co-chair of the coalition, said that, while the organization was “pleased to see some our recommendations reflected in the this draft, including enhanced transparency and some limitations on redisclosures…This bill allows parents to delete personal information from the data collected from their children, but it doesn’t require that parents be informed by either the vendor or the school that this data is being disclosed, collected and data-mined.”
Stickland questions how parents would have adequate knowledge about what information to delete, in the first place.
“So how would parents know to ask to delete it?” she questioned.
The coalition also said that other weaknesses in the bill might allow vendors to transfer personal student data to another company during a merger or acquisition. Furthermore, the Act’s privacy protections do not apply to children in preschool.
“This bill is clearly a step in the right direction, but it needs to be further improved if it is going to protect our children from commercial exploitation and devastating breaches,” Stickland said later in the statement. “Our children’s privacy and safety is invaluable and should not be put at risk by being handed off carelessly for profit or for gain.”