In recent years, school districts have begun incorporating computers and tablets in the classroom to instantly deliver personalized content and interactive technologies to enhance student learning. However, the increasing use of technology in classrooms coupled with the expanding market for targeted advertising has sparked major concerns over third-party collection and use of student data. Children are particularly vulnerable because, unlike adults who generally understand the implications of consumer privacy policies, children are unable to give any sort of meaningful consent to the type of collection scheme utilized by education technology companies. While the federal law does offer some protection to the online privacy of children, these laws were written before the information era of smartphones and cloud storage.
On Sept. 29, California became the first state to pass a sweeping law that protects the use of student educational data by third-party vendors. The Student Online Personal Information Protection Act (SOPIPA) prohibits online education service companies from selling and/or using student data for purposes of targeted advertising. Specifically, it prohibits the use of “information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application, to amass a profile about a K-12 student, except in furtherance of K-12 school purposes.” The law also requires online service providers to implement security procedures to protect student data and requires that these providers delete data at the request of a school.
In response to SOPIPA, certain key industry players signed onto a pledge to adopt similar student data protections nationwide. By signing the pledge, the participating companies publicly promise not to sell information or conduct targeted advertising using data obtained from K-12 students. This pledge is not legally binding, but does leave the participating companies open to enforcement actions by the Federal Trade Commission. Notably, Google refused to sign the Pledge, despite that fact that SOPIPA was pushed through largely in response to breaking news that Google was scanning student emails for advertising purposes. According to social media attorney Bradley Shear, “Google’s refusal to sign the industry backed pledge appears to be an acknowledgement that if it signs the Pledge it will be in violation of Article 5 of the FTC Act regarding unfair and deceptive trade practices.”
A lack of federal standards allows companies like Google to continue questionable data collection practices. The lack of federal standards also makes compliance with SOPIPA and other state-implemented privacy laws extremely difficult for online education companies that provide services in multiple states. While SOPIPA has the potential to serve as a template for federal reform, there are some ambiguities in the law that should be addressed. First, it is unclear what is encapsulated by the phrase “K-12 school purposes.” Should it be read narrowly to cover services used solely for instructional and educational purposes or more broadly to cover products used for administrative functions like storing student records? Arguably, the provision could be interpreted to include social media sites that have some educational connection but are not exclusively used for K-12 purposes. Furthermore, because SOPIPA does not include any user control provisions, a school might elect to retain student records for educational analytics purposes for an unlimited amount of time. In addition to clarifying the definition of K-12 purposes, federal legislation should consider including such user control provisions in order to give students and parents some ability to decide how their data is collected, used, and stored.
Regardless of these ambiguities, SOPIPA represents an admirable first step towards establishing national standards for student data protection.