Update 10/10/19: This post was reprinted with the title Is New York state about to gut its student data privacy law? in the Washington Post Answer Sheet on Sept. 11, along with responses from ACT and College Board.
As a result of the comments and concerns expressed by many parents and privacy advocates, the NY State Education Department decided to omit the provision they had added to the proposed regs to allow for the sale or commercial use of student data with parent consent. Yet a third version of these regulations will be posted shortly for public comment, and will be voted on in January by the Board of Regents.
The New York Board of Regents is currently considering whether to approve a radical weakening of the state student privacy law, which would allow the College Board, the ACT and other companies that contract with schools or districts to use the personal student information they collect for marketing purposes – even though the original New York law that was passed in 2014 explicitly barred the sale or commercial use of this data. Parents and all others who care about protecting children’s privacy should send in their comments to the state now, by clicking here or sending their view to [email protected]. Deadline for public comment is Sept. 16. More on this below.
Starting in 2014, many states, including New York, approved legislation to strengthen the protection of student privacy, due to a growing realization on the part of parents that their children’s personal data was being shared by schools and districts with a wide variety of private companies and organizations without their knowledge or consent. The US Department of Education had weakened the federal student privacy law known as FERPA twice over the past decade, rewriting the regulations during the Bush and Obama administrations to allow for non-consensual disclosures for different purposes.
At that time, few parents were aware how federal law had been altered to allow their children’s information from being passed into private hands. Then controversy erupted over the plans of nine states and districts to share personal student data with a comprehensive databank called inBloom, developed with more than $100 million of funding from the Gates Foundation.
InBloom Inc. was designed to collect a wide variety of personal student data and share it with for-profit vendors to accelerate the development and marketing of the ed tech industry, to facilitate the adoption of online instruction and assessment. As a result of widespread parental activism and concerns, all nine states and districts that had originally intended to participate in the inBloom data-sharing plan pulled out, and 99 new state student privacy laws were passed across the country between 2014 and 2018.
New York was one of the first to pass a new student privacy law. In March of 2014, our State Legislature approved Education Laws § 2-c and §2-d , which among other things, prohibited the state from sharing student data with inBloom or another comprehensive databank, and also regulated the way schools and vendors must secure student data, including imposing a complete ban on the sale of personal student information or its use for marketing purposes .
As a result of these provisions, New York received a grade of A- in the category of “Limitations on the Commercial Use of Data” in our State Student Privacy Report Card, released last January by the Parent Coalition for Student Privacy (PCSP), which I co-chair, and the Network for Public Education. In turn, this high mark raised New York’s overall grade for protecting student privacy in our rating system to B-, the second highest grade of any state after Colorado. (You can check out the interactive map that grades every one of the fifty states on its student privacy laws, overall and in seven different categories).
Yet to the frustration of many parents and privacy advocates, it would be nearly five years before New York State Education Department drafted any regulations to implement its 2014 student privacy law. In October of 2018, NYSED finally released proposed regulations for public comment. In March 2018, PCSP along with the statewide coalition New York State Allies for Public Education (NYSAPE), submitted recommendations on how to strengthen and clarify those regulations, as did more than 240 parents and privacy advocates.
After the initial period of public comment had ended, instead of strengthening the regulations, the NYSED gutted them, and now proposed allowing student data to be used for commercial purposes as long as there was parental “consent” – a huge loophole that would create the opportunity for districts, schools and vendors to misuse this data in myriad ways.
In their rationale to the Board of Regents, posted here, NYSED officials were frank about their reasons for revising the proposed regulations in this way: to allow the College Board and ACT to offer “college search services to students and parents who consent to the release of college entrance test data to colleges and higher education institutions by college admissions testing companies.”
Yet the College Board and ACT do not just share the test score data in the ordinary ways that parents expect, that is, send these scores to whatever specific colleges that their children have applied to attend. They also sell personal student data to many unspecified organizations and institutions which then re-sell it to unscrupulous for-profit companies.
In particular, the College Board makes untold millions of dollars from marketing personal student data through their “Student Search Service”. Much of this confidential data is deceptively harvested through surveys administered to students right before they take the PSATs and SATs, or when they register for the test online, a practice that we have written about previously and more recently has been criticized by the US Department of Education.
In May of 2018, the Privacy Technical Assistance Center (PTAC) of the US Department of Education released guidance that if states and districts contract with the College Board or ACT to give these exams to students, as is increasingly the case across the country including in New York City, they may be violating federal privacy laws in several different ways.
First of all, as PTAC officials pointed out, the supposedly “voluntary” surveys given to students before taking the PSAT or SAT may include questions relating to highly sensitive issues including their religion, grade point averages and/or family income. Often, it’s not clear to these students that they have a choice not to offer this information, and since they are already feeling high levels of anxiety before taking these exams, they may feel pressured to do so. They certainly are not told that the data is sold will be sold at a profit by the College Board. In any case, some questions relating to sensitive issues cannot be asked legally of students who are under 18 without the prior notification and opt out or consent of their parents, according to the federal law known as the Protection of Pupil Rights Amendment (PPRA).
As the PTAC guidance document also makes clear, “the testing companies then sell [personal student] information to colleges, universities, scholarship services, and other organizations for college recruitment and scholarship solicitation.” If students are asked to take these exams by their districts, and the data is offered to third parties without explicit parental consent, this widespread practice also likely violates both FERPA and IDEA, the Individuals with Disabilities Education Act, the latter which has special provisions to protect the private data of students with disabilities.
Yet on another page on their website, they hedge this claim by saying they don’t “sell information about participating students to any third party without the student’s permission.” [Never mind that many of these students have not reached the age of consent.]
On a different, third page on their website designed for potential commercial customers, the purchase price of this data is made clear: 47 cents per student name.
A longer and more specific list of data is listed on the Student Search webpage, revealing that, depending on the test taken, it may include student email addresses, ethnicity, GPA, sports, or “educational aspirations.” On that same page, the College Board affirms that “we never share” information through this service relating to a student’s “disability status, self-reported parental income, Social security number, phone numbers, or actual test scores.”
Parents are forced to dig even deeper into a SAT registration booklet, to discover that while their child’s “actual test scores” may not be sold to third parties, “Colleges participating in Student Search … can ask for names of students within certain score ranges[emphasis mine].”
So unknowingly, students who are asked to answer questions from a survey before the administration of these exams may at the same time be unknowingly giving their permission to sell their data to a variety of institutions and organizations, who in turn, may then redisclose the data to other organizations and/or for-profit companies.
Last summer, in July of 2018, in an explosive article entitled “For Sale: Survey Data on Millions of High School Students,” the NY Times exposed how the College Board sells the personal information they collect via these surveys to various “partners,” who in turn may re-sell the data to for-profit companies, allowing them to use the information to market their dubious products and services to unsuspecting families.
The article described how thousands of students attended a “Congress of Future Science and Technology Leaders” costing $985, run by the for-profit National Leadership Academies. The company had bought their names and other data from an unnamed university, which in turn had purchased it from the College Board: “In filling out those surveys, the teenagers ended up signing away personal details that were later sold and shared with the future scientists event.” Once the data is sold by the College Board, it is nearly impossible to monitor any other use or redisclosures of the data.
College Board is far from the only untrustworthy actor in this regard. ACT has been similarly surreptitious about what personal student data is collected and sold to colleges and other third parties, through the survey on the online ACT Student Profile Section that students are asked to voluntarily fill out when registering or before taking the exam.
Without their knowledge, ACT allegedly identified student disability status through this information on the score reports sent to colleges and sold this information to colleges and other third parties. After this practice was discovered, a class action lawsuit was filed in August 2018 in the US District Court in Los Angeles. In a recent legal filing, ACT informed the court that it will no longer sell student disability status in the data collected voluntarily by students, but refused to admit to flagging its regular score reports with this information.
As Joel Reidenberg, a professor at the Fordham University School of Law, the head of the Center on Law and Information Policy told the NY Times, “The harm is that these children are being profiled, stereotyped, and their data profiles are being traded commercially for all sorts of uses — including attempts to manipulate them and their families.”
A research report co-authored by Professor Reidenberg found that there exists a thriving marketplace in student data, in which brokers offer a wide variety of sensitive student information for sale, including their ethnicity, income, religion, and interests, and that this data could “be used for a range of malicious purposes, including discrimination and identity theft.”
In 2014, after both New York and California passed laws prohibiting the selling of personal student data or their use for any commercial purposes, College Board and the ACT stepped in, realizing how these laws represented a severe threat to their thriving business in student data.
In Colorado, the College Board stepped in to persuade legislators to provide a special exemption from the law for their benefit – to allow school vendors to “sell, rent, or trade” personal student information for the “purpose of providing the student with information about employment, educational scholarship, financial aid, or postsecondary educational opportunities “ – as long as parents or students over the age of thirteen gave their consent.
In Arizona, Nebraska, North Carolina, Texas and Washington D.C. as well, their student privacy laws incorporated these exemptions, to allow the College Board and ACT to continue selling personal data for these purposes.
Now, these same companies, College Board and ACT, have apparently persuaded the NY State Department of Education to rewrite our state law by creating an expansive new loophole that would allow these practices to continue, by redefining the term “marketing” in the following way:
“Where a parent or eligible student requests a service or product from a third-party contractor and provides express consent to the use or disclosure of personally identifiable information by the third-party contractor for purposes of providing the requested product or service, such use by the third-party contractor shall not be deemed a marketing or commercial purpose prohibited by this Part.”
As PCSP and NYSAPE wrote in a letter to NYSED after the new draft regulations were revealed,
“To create a new, huge loophole in the law that would allow the College Board, ACT or any other contractor or subcontractor to sell student data and/or use it for marketing purposes, by making the untenable claim that such sale or marketing purpose is not truly marketing if there is consent, is a drastic weakening of the law which should NOT be contemplated….
If the College Board lobbyists or its supporters would like to eliminate the prohibition of the sale or marketing of student personal data in the law, they should go to the Legislature and ask that it be amended. This should not be done through regulations or by attempting to redefine the meaning of the term “marketing.”
This wholesale rewriting and evisceration of the New York student privacy law should not be allowed. The deadline on public comment on the new regulations is September 16, and the Board of Regents are due to vote on the new regulations during their monthly meeting on October 8-9. Parents and all others who care about protecting children’s privacy should send in their comments now, by clicking here or sending their view to [email protected].
They should also call their Regents members, to urge them to reject these regulations which would violate the original intent of the law, and would open a Pandora’s box of an unfettered marketplace of personal student data, with potentially damaging results.