Google Apps for Education has recently come under fire with a Federal Trade Commission complaint filed by a nonprofit organization, Electronic Frontier Foundation. In a press release issued last week, EFF claims that Google’s “Chrome Sync” function allows it to mine student data in violation the Student Privacy Pledge signed by Google earlier this year. If true, EFF’s claims could establish not only a violation of FTC rules, but also a violation of federal and some state laws. Google denies that the claims have any merit, claiming that it strips all identifying information from Sync data before using it for non-school purposes, and that it does not improperly advertise or market to students. At this time, there has been no finding that Google’s actions violate its Pledge or any other state or federal law. Understanding the issues at play in this case is essential for school leaders, however, who are tasked with ensuring that school-supplied electronic devices, software, apps, and services comply with relevant state and federal student data privacy laws.

The EFF says it came across concern with Google’s Apps for Education, or GAFE, while researching its “Spying on Students” campaign, which aims to raise awareness about privacy risks of school-supplied electronic devices and software. In the Complaint, EFF argues that Google is violating the Student Data Privacy in three ways:

• When students are logged in to GAFE, student personal information in the form of data about their use of non-educational Google services is collected, maintained, and used by Google for its own benefit, unrelated to authorized educational or school purposes.

• The “Chrome Sync” feature of Google’s Chrome browser, which is turned on by default on all Chromebook laptops, enables Google to collect and use students’ entire browsing history and other data for its own benefit, unrelated to authorized educational or school purposes. In its press release, EFF argued that Sync “allows Google to track, store on its servers, and data mine for non-advertising purposes, records of every Internet site students visit, every search term they use, the results they click on, videos they look for and watch on YouTube, and their saved passwords” without obtaining permission from students or parents.

• The administrative settings, which enable school administrators to control settings for all Chromebooks, allow administrators to choose settings that share student personal information with Google and third-party websites in violation of the Student Privacy Pledge. The EFF press release explains further that “the administrative settings Google provides to schools allow student personal information to be shared with third-party websites in violation of the Student Privacy Pledge. The ability to collect and potentially share student information follows children whenever they use Chrome to log into their Google accounts, whether on a parents’ Apple iPad, friend’s smartphone or home computer.”

If true, these allegations could establish not only a violation of FTC rules, but also potentially could establish a violation of federal laws, like the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA), and some state laws, such as, in Illinois, the Illinois School Student Records Act (ISSRA) and specific student data privacy laws in other states. Such a violation might occur if the school did not obtain express prior written authorization from parents/guardians before requiring students to use GAFE, because in such cases, schools are required to ensure that the company offering the products only use personally identifying information collected from or created by students when using the products for the school’s purposes. This means personally identifying data and information cannot be used for any other purpose, including marketing or targeting ads to students.

Google, while commending EFF for its “focus on student data privacy,” completely denies the allegations, saying that its products and services “comply with both the law and our promises, including the Student Privacy Pledge….” Google defended its actions with the following description:

Personally-identifiable Chrome Sync data in GAFE accounts is only used to power features in Chrome for that person, for example allowing students to access their own browsing data and settings, securely, across devices. In addition, our systems compile data aggregated from millions of users of Chrome Sync and, after completely removing information about individual users, we use this data to holistically improve the services we provide. For example if data shows that millions of people are visiting a webpage that is broken, that site would be moved lower in the search results. This is not connected to any specific person nor is it used to analyze student behaviors. If they choose to, educators, students and administrators can disable Chrome Sync or choose what information to sync in settings whenever they choose. GAFE users’ Chrome Sync data is not used to target ads to individual students.

EFF has asked the FTC to investigate Google’s use of Sync and to, if warranted, initiate proceedings for injunctive relief to require Google to destroy all student data so far collected, maintained, or used in violation of the Student Privacy Pledge and to prevent Google from further improper collection or sharing of data in the future. At this time, however, there has been no finding of any wrongdoing by Google.

School leaders should still take note of this case, however, even assuming the FTC finds in Google’s favor. Google may be the most sophisticated Ed Tech company out there, and if they are being accused of failing to fully comply with the law, you can bet less sophisticated Ed Tech vendors are engaging in behavior that will cause concerns for community members and watch groups, too. School districts must be on high alert when it comes to contracts with all companies that require sharing, collection, or creation of student identifying data. If your district has not conducted an audit of existing contracts (which we discussed in an FR Alert earlier this year) and set up a process by which future contracts will be vetted by legal counsel, it may be asking for a student data privacy complaint of its own down the line.