Reaching a Congressional Consensus Will Likely Require Additional Deliberation
During the current 114th U.S. Congress, a variety of House and Senate bills have been introduced that propose different approaches to addressing the growing bipartisan concern about protecting the privacy of student data (below, "Personally Identifiable Information" or "PII"). The bills address PII maintained by public and private educational institutions and state educational agencies and, in some cases, PII maintained or accessible by technology service providers or other third parties doing business with these educational entities.
Consensus regarding how and whether to increase federal mandates and penalties concerning protection of PII has not yet been reached, but awareness exists that student PII, whether for K-12 students or older, is becoming increasingly vulnerable to unauthorized disclosure or misuse, in particular for marketing purposes. Another concern is that the Family Educational Rights and Privacy Act (FERPA)—the primary federal statute designed to protect private student information—may not be adequate to respond to technological changes in how PII is stored, shared and accessed, although how and whether to amend FERPA to address this concern is far from settled.
As summarized in this Alert, the congressional proposals introduced thus far take very different approaches, including establishing a study commission to develop legislative proposals with the input of the government and the private sector; imposing additional regulation on K-12 technology service providers; and strengthening and updating FERPA, with or without enhanced governmental and private enforcement mechanisms to incentivize compliance by educational institutions and service providers.
Approach 1: Establishment of a Study Commission
- Examine whether there is a need to provide or update standard definitions for terms related to student privacy, including: "(i) education record; (ii) personally identifiable information; (iii) aggregated, de-identified, or anonymized data; (iv) third-party; and (v) educational purpose";
- Identify which federal laws should be updated and the appropriate federal enforcement authority to execute such laws;
- Address data sharing in an increasingly technological world, including evaluating protections in place for student data when it is used for research purposes; establishing best practices for any entity that is charged with handling, or that comes into contact with, student education records; ensuring that identifiable data cannot be used to target students for advertising or marketing purposes; and establishing best practices for data deletion and minimization;
- Discuss transparency and parental access to personal student information by establishing best practices for ensuring parental knowledge of any entity that stores or accesses their student’s information; parental rights to amend, delete or modify their student’s information; and the designation of a central contact in a state or a political subdivision of a state who can oversee transparency and serve as a point of contact for interested parties;
- Establish best practices for the local entities who handle student privacy, which may include professional development for those who come into contact with identifiable data; and
- Discuss how to improve coordination between federal and state laws.
Not later than 270 days after the date of enactment, the Committee would prepare and submit a report to the Secretary of Education and to Congress containing the findings of the study.
A House counterpart to S. 1177 passed in the House in July. This bill, H.R. 5, or the "Student Success Act," contains a "sense of Congress" provision, stating that the Secretary of Education has the responsibility to ensure every entity receiving federal funding under the Act holds PII in "strict confidence" and states that the Secretary should review regulations and ensure all PII is protected. The House bill, therefore, appears to urge the Secretary to more vigorously enforce current law.
In sum, both S. 1177 and H.R. 5 advocate a relatively modest approach to protecting student data privacy. These approaches would avoid establishing a new federal regulatory regime for student data privacy. The bills need to be conferenced, and it remains to be seen whether the proposals will make it into the final law in any form.
Approach 2: Target Operators Providing Certain Technology Services to K-12 Educational Institutions
Another approach that takes direct aim at online applications used or designed and marketed for K-12 education purposes is set forth in a bill pending in the House Education and the Workforce Committee and the House Energy & Commerce Committee. The Student Digital Privacy and Parental Rights Act of 2015, H.R. 2092 [Rep. Messer (R-Ind.) and Rep. Polis (D-Colo.) co-sponsors], a counterpart to S. 1788, applies to any entity (other than an educational agency or institution) that operates Internet websites; online services, such as cloud computing services; online applications; or mobile applications that are used for K-12 purposes and were designed and marketed for K-12 purposes (defined as "operators" in the Act). The legislation would, among other things:
- Prohibit an operator of a school's Internet or online service that is designed and marketed for K-12 educational or administrative purposes from presenting students or parents with targeted advertisements that are selected based on information obtained or inferred from students' online behavior, use of online or mobile applications or PII about the students. (The proposed Act would exempt from these prohibitions online advertisements that are contextually relevant and selected based on a single visit or session of use during which the advertisements are presented, provided that information about the students' online behavior is not collected or retained over time.)
- Prohibit an operator from selling students' personal information to third parties or collecting student information to create a personal profile or for purposes unrelated to educational instruction, school collaboration or administrative activities.
- Require operators to implement information security procedures and a process for responding to data breaches; to notify the Federal Trade Commission (FTC) and students, parents, educational agencies or institutions, school officials or teachers of unauthorized acquisitions of, or access to, personal information; and to delete certain student information that is not required to be maintained by the school within 45 days after a request from an educational agency, institution or student's parent, or within one year after the operator ceases to provide the service.
- Require operators to disclose publicly the types of personal information they collect or generate, the purposes for which the information is used or disclosed to third parties and the identity of any such third parties.
- Instruct operators to establish procedures for parents and system users to access and correct certain information.
- Allow operators to disclose students' information only for certain lawful purposes or pursuant to a process that requires the student's or parent's express affirmative request. It requires an operator to receive the student's or parent's request before providing transcripts for admission to an institution of higher education or to a potential employer.
- Provide authority to the FTC to enforce the Act and treat violations as unfair or deceptive acts or practices under the Federal Trade Commission Act.
Approach 3: Amend FERPA to Strengthen Student and Parent Protections and Enhance FERPA Enforcement Mechanisms
The remaining approaches all involve proposed amendments to FERPA.
- The Student Privacy Protection Act, H.R. 3157 [Rep. Rokita (R-Ind.), Rep. Fudge (D-Ohio), Rep. Kline (R-Minn.) and Rep. Scott (D-Va.)] was introduced on July 22, 2015, and referred to the House Education and the Workforce Committee. The bill applies to public and private elementary and secondary schools, local educational agencies and institutions of higher education, as well as to education service providers defined as any provider other than a school official or employee of services developed and targeted to students for an educational purpose, whether specifically marketed to schools, institutions of higher education, educational agency or institutional employees or officials, or other individuals primarily engaged in the provision of educational services. The bill would, among other things:
- Amend FERPA to strengthen privacy protections for students and parents through expanding parental access rights to information held by an educational agency or institution, or state educational authority, for the purpose of inspecting, reviewing, challenging and correcting information in the education records of minors.
- Require that an educational agency or institution, and the state educational authority:
  - establish, implement and enforce policies and procedures regarding information security practices that: serve to protect the education records (and PII contained therein) held or maintained by that educational agency or institution, or state educational authority; and require any party that is given access to such education records (or PII contained therein) on behalf of the educational agency or institution, or state educational authority, to have information security practices that serve to protect such records and information;
  - designate an official who is responsible for maintaining the security of education records; and
  - establish a breach notification policy in the case of a breach of the security practices or the release of the education records or information, under which the educational agency or institution, or state educational authority provides notification of the breach or violation to parents in not less than three days of being made aware of such breach and works with the third parties involved with such breach or violation to gather the information necessary to provide such notification.
- Establish a marketing and advertising ban that prohibits any person with access to an education record or a student's PII contained in the education record from marketing or otherwise advertising directly to students with the use of the information gained through access to such record or information.
- Prohibit an educational agency or institution or state educational authority from contracting with or entering into an agreement with an education service provider that has a policy or practice of using, releasing or otherwise providing access to PII in the education record of a student to advertise or market a product or service or for the development of commercial products or services.
- The Act makes exceptions for contracts related to official school pictures, class rings, yearbooks or other traditional school-sanctioned commemorative products, events or activities; for PII that may be used by an education service provider to develop, diagnose or deliver services to improve a student's academic outcomes or to assist an educational agency or institution to develop, diagnose or deliver services to improve a student's academic outcomes; for an educational agency or institution or state educational authority sharing information on educational opportunities offered by such agency, institution or authority; or for a case in which the parent of a student at an educational agency or institution has provided written consent for an educational service provider to utilize PII.
- Vest enforcement in the Secretary of Education and authorize the Secretary to terminate federal assistance and impose fines on an educational agency or institution, or state educational authority. Fines may be imposed for a failure to voluntarily comply with the law or for a substantial violation of the law (even a single violation). Fine amounts are a minimum of $100 and a maximum of $1,500,000, depending on the severity of the violation, except in no case may such a fine exceed 10 percent of the annual budget of such agency or institution, or authority. The Act states that action to terminate federal assistance may be taken only if the Secretary finds there has been a failure to comply with the law and the Secretary has determined that compliance cannot be secured by voluntary means.
- Extend enforcement of the Act, with respect to a release of an education record or PII contained therein, which was made by a party that is not subject to a fine by the Secretary (i.e., education service provider and others), by authorizing the Secretary to:
  - refer such violation, and the supporting material for such violation, to the Commissioner of the Federal Trade Commission or the Attorney General for action; and
  - require the educational agency or institution, or local educational agency or state educational authority involved, to prohibit access to such PII by such party (or individuals who worked for or with such party at the time of such violation) for a period of not less than five, and not more than 12 years, as determined by the Secretary.
- Establish or designate an office within the Department of Education for the purpose of investigating, processing, reviewing and adjudicating violations of this section and complaints that may be filed concerning alleged violations.
- The Protecting Student Privacy Act of 2015, S. 1322 [Senator Markey (D-Mass.), Senator Hatch (R-Utah) and Senator Kirk (R-Ill.)] was introduced on May 13, 2015, and referred to the Senate Committee on Health, Education, Labor and Pensions. The bill applies to educational agencies and institutions, including local educational agencies, receiving federal funding and to any "outside party"—meaning "a person that is not an employee, officer, or volunteer of the educational agency or institution or of a Federal, State or local governmental agency and includes any contractor or consultant acting as a school official or authorized representative or in any other capacity." Among other things, the bill would:
- Amend FERPA to prohibit programs administered by the Department of Education from making funds available to any educational agency or institution that has not implemented information security policies that protect PII in education records and require each outside party to whom PII from education records is disclosed to have a comprehensive security program to protect such information.
- Prohibit such funds from being made available to any educational agency or institution that has a policy or practice of using, releasing or providing access to PII to advertise or market a product or service.
- Require state agencies receiving such funds, and each educational agency or institution, to ensure that any outside party (including any contractor or consultant acting on behalf of or with the school's authority) with access to such records will: provide parents with access to any PII it holds about their students; provide a process to challenge, correct or delete any inaccurate, misleading or inappropriate data through a hearing by the agency or institution providing the outside party with access; maintain a record of all individuals, agencies or organizations that have requested or obtained access to the education records of a student; and have information security procedures in place.
- Prohibit funds from being made available to any educational agency or institution, or any state educational agency, unless the agency or institution has a practice that promotes data minimization by meeting requests for student information with non-PII and requires PII held by any outside party to be destroyed when the information is no longer needed for the specified purpose.
It is important to note that the bill's enforcement mechanism is tied solely to federal funds access and would thus place the burden on educational entities to ensure outside party compliance with the law.
- The Student Privacy Protection Act, S. 1341 [Senator Vitter (R-La.)], was introduced on May 14, 2015, and referred to the Senate Committee on Health, Education, Labor and Pensions. The bill applies to educational agencies or institutions as currently defined in FERPA and defines "student data" as "information about a student collected and maintained by an educational agency or institution, by a person or third party collecting or maintaining such information through the active intervention, facilitation, or authorization of such agency or institution, or by a person or third party acting for such agency or institution."
The legislation would:
- Amend FERPA to prohibit funding of educational agencies or institutions that allow third parties to access student data, unless:
  - the agency or institution, prior to receiving parental consent, notifies parents of the data that would be accessed, that the data will be made available to the third party only if the parent consents, that the parent has the ability to access and correct inaccurate data and that the agency or institution and the outside party are liable for violations;
  - the agency or institution can ensure that the data cannot be used to determine the student’s identity;
  - the student data remains the property of the agency or institution and is destroyed when the individual is no longer served by the agency or institution; and
  - the third party agrees to be liable for FERPA violations.
- Extend FERPA rights to parents of any students for whom the agency or institution maintains student data, including home-schooled students who do not attend such agency or institution.
- Remove an exception that currently allows educational agencies or institutions to permit the release of student educational records without parental consent to organizations studying predictive tests, student aid programs and instruction.
- Require parental consent before authorized representatives under the direct control of the Comptroller General, the Secretary of Education or state educational authorities may access records for audits and evaluations of federally supported education programs administered by state or local public education agencies or institutions, or enforcement of federal legal requirements.
- Prohibit the Department of Education or fund-receiving educational agencies or institutions from appending student data with PII obtained from federal or state agencies through data matches.
- Bar funds from being used to track a student’s educational and career progression activities or obligate an elementary or secondary school student to involuntarily select a career or related job training.
- Require aggregation, anonymization and de-identification of student data permitted to be released or collected under various exceptions.
- Make federal agencies and fund-receiving educational agencies, institutions and third parties that do not comply with FERPA civilly liable for a monetary award to affected persons.
- Prohibit psychological testing or predictive modeling of behaviors, beliefs or value systems. It would also bar video monitoring or computer camera surveillance without a public hearing and consent of teachers and parents.
- Prohibit surveys soliciting specified information about students or their families, including information on political affiliation, religious practices or gun ownership.
This legislation would likely place greater responsibility on educational institutions to require compliance with the law by third parties with access to PII and includes a private right of action for violations.