How Third Parties Can Collect Student Data Without Parental or Individual Consent
By Henry Kronk
June 30, 2018
With each new semester and school year, educators are constantly seeking to determine how they can improve their teaching methods and learning outcomes. And in the past few years, that quest has repeatedly taken the same route: digital technology. Pedagogies like personalized or blended learning have shown promising results. Use of tools such as G Suite for Education by Google, AI-powered platforms, or curricula that direct content to students using deep learning algorithms have begun to change they way students learn. But there’s another aspect of these teaching methods that many parents have found difficult to stomach—they collect student data.
In order to personalize learning, an application needs to know a thing or two about the learner it’s teaching. That means they’ll need to track students’ grades, keep track of areas in which they study and spend the most amount of time, along with countless other metrics.
Many services also collect student data for their own purposes. These companies typically offer their product for free or at a very low cost. The most notorious case would be Google’s G Suite for Education, which at one time used student search behavior to target them with ads. The company is no longer carrying on such practices, but they still collect student data for their own purposes.
Privacy in the Classroom
‘But,’ you might ask, ‘isn’t a student’s data protected under federal law?’
The short answer is, ‘Yes, with a few exceptions.’ Two laws protect student data. The main one is the Family Educational Records Protection Act, or FERPA. This mandates that parents/legal guardians must give consent for third parties to collect student data. After they turn 18, those students themselves must give consent. The second is the Child Online Privacy Protection Act, or COPPA. This law further protects the privacy of learners aged 12 and younger.
Like much legislation that now controls internet use, FERPA went into effect at a time when digital technology was a military initiative. It was signed into law in 1974 by President Gerald Ford and was last revised in 2012. That revision actually decreased protection of students. It is administered by the Department of Education, which has the power to cut funding if it finds a school in violation.
In essence, FERPA raises many instances in which parents must offer signed consent for student education data to exchange hands. But the law also includes several loopholes. The main one, as per 34 CFR 99.21 allows “School officials with legitimate educational interest” to give consent in a parent’s place.
In other words, a school official can give consent to third parties to collect student data if it is done with legit educational interest at heart. As one might imagine, it isn’t too difficult to establish educational value in a given digital tool or technology.
To take the example of Google again, many districts continue to use G Suite for Education without obtaining individual parental consent because a district administrator has already given it in their stead.
It might give parents some comfort to know that COPPA isn’t quite as old as FERPA. It was passed by the Clinton administration in 1998 and is administered by the FTC. While the law does dovetail with FERPA in a few areas, there are still situations in which third parties can collect student data without parental consent. Again like FERPA, many of these instances are reasonable. But some open up some leeway.
For example, parental consent is not required to “provide support for internal operations of your site or service,” according to the FTC. Among other reasons, this can include:
- maintaining or analyzing the functioning of the site,
- performing network communications,
- authenticating users of the site or personalizing content,
- serving contextual ads or frequency capping,
The FCC does state that if “an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, it will need to obtain parental consent.”
How to Ensure Your Child’s Data Is Safe
It can be a challenge keeping up with all the new technology and digital services used in the classroom. When a new one comes along, however, all it takes is questioning an administrator with some direct language.
According to the Electronic Frontiers Foundation, parents and school district administrators should ask the following: “‘Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service?’ If the answer to these questions is ‘yes,’ the district ‘cannot consent on behalf of the parent.'”
Cover Image: Taskin Ashiq, Unsplash.