More and more, students are using technology in school, from learning apps to online forums to class websites. And understandably, there is growing concern as to the efficacy of the privacy measures in place and the adequacy of the laws protecting student information. In response to this concern, two weeks ago the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) introduced the Student Privacy Pledge, which commits school service providers to the secure handling of data for K-12 students. But what does this really mean?
Basically the pledge holds accountable school service providers to the following –
- Not sell student information
- No behaviorally targeted advertising
- Use data for authorized education purposes only
- Not change privacy policies without notice and choice
- Enforce strict limits on data retention
- Support parental access to, and correction of errors in, their children’s information
- Provide comprehensive security standards
- Be transparent about collection and use of data
As of today, 32 school service providers made the pledge to keep data secure and private. You can see the list here. This pledge comes at a point where, according to trade group estimates, the pre-K – 12 education sector generates approximately $7.9 billion annually. Schools are increasingly adopting data driven technologies for learning apps and software; technology that needs student data to operate efficiently. The revenue generating numbers obviously create skepticism that the pledge is an empty set of words and a mere PR move by companies because it is not a legally binding document. But if companies violate their own public representations they could be subject to enforcement by the Federal Trade Commission under deceptive trade practices (Section 5 of the FTC Act). This is important. And though some might want to dismiss this, the FTC has charged companies with either deceptive or unfair practices. And even if there is no legal action against a company we know that a strong group of voices criticizing a company’s policies can create tremendous damage to a company’s reputation. Some call this “App Store death”. This pledge makes school service providers accountable for student’s data whether it is collected by the school and then passed to the vendor, or directly by the vendor via an app used by a student. By taking the pledge companies are making a public commitment to students, parents and schools to ensure the safe use of student information.
And while there is no substitute for a strong federal law, the pledge does address some of the weaknesses in FERPA. For example, the pledge applies to all student and personal data whether it is viewed as an “educational record” or not. It also applies whether the data is collected through the school or by the websites and the apps students use. It applies whether or not there is a formal contract with the school. The pledge promotes the transparency we have been asking for; transparency that is necessary to build trust amongst all stakeholders to ensure widespread participation. Parents and students have been stating, “don’t just say you are protecting student privacy, show us you are.” And as a parent, I encourage pledge signatories to do just that. For without it users will mistrust ed-tech products, hampering their adoption to the detriment of all.
I think the greatest value of the Student Privacy Pledge is that it establishes a common baseline of privacy principles that the ed-tech industry did not have before. Let’s use it to remind companies of the responsibility they have towards students, data and privacy. And while this does not create a uniform federal law or strengthen existing privacy laws, it provides a good framework for lawmakers and encourages dialogue between parents, ed-tech companies, schools and other stakeholders to ensure student data is safeguarded. As a parent, I appreciate a document stating a uniform commitment being issued by vendors in their role as stewards of student data.
I hope that this encourages other firms to sign on to the pledge to demonstrate their duty to be responsible data “citizens”. It is an interesting list of signatories. It is worth looking at who has and who has not signed on. And if not, why not?
The pledge goes effective January 2015 but it operates under a rolling admissions policy so companies can sign on to it at any time – no worries. If anybody needs a pen to sign on to the pledge, I have one you can borrow.