Privacy concerns with NYC student use of Teenspace online counseling service

Update Sept. 12, 2024: Our letter was covered by Daily News, Chalkbeat, State Scoop and K12 Dive so far. We just learned that in California a class action lawsuit was filed against Talkspace, the parent company of Teenspace, for sharing with TikTok the personal information of clients and visitors to its website, including the information of minors. We also learned that when a NYC student visits the Teenspace website on their phone, their personally identifiable information is shared with 15 ad trackers and 34 cookies, as well as Facebook, Amazon, Meta, Google, and Microsoft among other companies, which we saw from using the Blacklight privacy audit tool.

note:  corrected email address for Ann Williams-Isom is [email protected]

Sept. 10, 2024

See below and here: a letter sent today to NYC Mayor Adams, Chancellor Banks, the NYC Health Commissioner, and the Deputy Mayor for Health and Human Services. The letter was written and signed by the Parent Coalition for Student Privacy, NYCLU and AI for Families, and expresses our collective privacy concerns with the Teenspace telehealth mental health service. The city is paying $26 million for this service, which has been widely promoted by the Mayor and NYC DOE to be used by NYC students.

Teenspace is owned by a company called Talkspace and collects a huge amount of very sensitive personal information from teens before they can even create accounts or access the privacy policy – and much of this information would be barred from collection by the federal student privacy law PPRA without parental consent or opt out if the district had contracted for these services rather than the city’s Department of Health. The list of these questions is included in the appendix to our letter.

To make things worse, Talkspace says personal student data can be used for marketing purposes, which would be prohibited by the NY Student privacy law 2D, again if the DOE had signed the contract.

In 2022, several US Senators wrote to Talkspace, pointing out how the company also appeared to be taking advantage of a “regulatory gray area” in HIPAA, to exploit their patients’ data for profit.

Especially with all the breaches and misuse of student data by DOE contractors, the privacy of NYC students should be better protected than this. Finally, there have been widespread consumer complaints about Talkspace’s inadequate counseling services and overcharging of clients.  All of this and more is touched on in our letter below.   

 Teenspace Letter 2024.9.10

No more student data sales by College Board/ACT!

May 6, 2024

No More Student Data Sales May 6 2024

Here is the presentation we gave on May 6 to parents from states throughout the nation, with tips on how to ensure their children’s data is not sold by the College Board or ACT.  Our spreadsheet with links to state laws where this is illegal for school vendors is here.  A video of the event is available on YouTube; Part I with the presentation, and Part II, with a Q and A.

A template letter that you can use to write to your State Attorney General, urging them to stop these vendors from selling student data in violation of your state law, as the NY AG did, is below.

If you are an Illinois resident, here is a form to write to the Illinois AG asking him to enforce Illinois’ state student privacy law, sponsored by Illinois Families for Public Schools.

Please email us if you have any questions at: [email protected]

Also contact us if you are a parent in one of the states that do not have a law prohibiting the sale of student data by the College Board/ACT, or that have a state law that allows this with student consent, but without specifying the age of that student. We can help you file a FERPA complaint to the US Department of Education.

Thanks!  Leonie and Cassie

PCSP comments on how the privacy protections in the proposed COPPA regs should be improved

See below comments that PCSP and attorney Zephyr Teachout submitted to the Federal Trade Commission, urging them to strengthen their proposed student privacy and security regulations for the federal law entitled COPPA, for Children’s Online Privacy Protection Act. COPPA is one of a few key federal laws that protect student privacy. There has not been a change to the rule implementing COPPA for more than a decade, and the new one will have major implications for data collection for children under age 13 in schools and elsewhere. Some discussion about the weaknesses in these proposed regs is here; the public comments from over 700 individuals and groups that were due March 11 are posted here.

PCSP comments on FTC proposed COPPA rule change – March 2024

Please urge the FTC to strengthen their new COPPA rule by Monday March 11!!

In December 2023, the Federal Trade Commission announced a proposed change to the rule for the Children’s Online Privacy Protection Act (COPPA) and requested public feedback.

COPPA is one of a few key federal laws that protect student privacy. There has not been a change to the rule implementing COPPA for more than a decade, and the new one will have major implications for data collection for children under age 13 in schools and elsewhere.

The Parent Coalition for Student Privacy will be submitting comments, and we’re encouraging parents and other student privacy advocates to weigh in as well. We are concerned that this change in language will further weaken privacy and security protections for children. See below for some suggested language to use. The deadline to submit comments on the proposed changes to the rule is Monday March 11th at 11:59pm ET.

Why is the rule change important?

COPPA only applies to data collected from children under 13, and it only applies to data collection by for-profit companies. But it is enforced by the FTC, and that agency recently has been willing to hold tech companies accountable, especially with respect to children and social media.

Previously, COPPA gave strong rights to parents, requiring parental consent before companies could collect any data directly from children under 13, and giving parents the right to consent to this data collection, review what was collected, and the right to have data deleted.

Then in guidance in 2019, COPPA said schools could consent to data collection in the place of a parent, but that parents’ rights to control that data were retained even if it was the school that originally consented.

But that was only guidance, which doesn’t have the legal weight of a rule.

What’s the upside of the proposed changes?

The new rule makes it official that schools can authorize collection of data from children—and that collection can only be for an educational purpose, so data can’t be used for advertising, sale, marketing or other commercial purposes. And now schools will need to have a written agreement with a company before data can be shared. (That’s a requirement in place in some states, but far from all.)

Those are both good things, especially with the weight of the FTC’s enforcement power behind them.

What’s not good about the proposed changes?

Though it bars the use of personal student data for “commercial purposes,” it doesn’t clearly define what that means and would allow it to be used to develop new products and services.

There are many other aspects of the new rule that are worrisome and might even weaken existing parent rights under FERPA – the other major federal student privacy law, which is already too weak. Namely, it omits the right for parents to access the data that is held for their children and to challenge it if it is inaccurate.  It is also far too weak regarding data security, data minimization and deletion, and parent notification for data collection and in case of breaches.

There are also no additional protections or parental controls when it comes to the collection by companies of highly sensitive data, including student behavioral, physical, and mental health data, as well as biometric and geolocation data, and no additional controls on surveillance.

Please take the time to submit a comment on this proposed rule change via this interface. In the past, we’ve found that parent voices sometimes matter to federal regulators, and we are hoping that the FTC will hear our concerns and those of other parents who are wary of the rapid proliferation of invasive ed tech in our schools, as well as the widespread and harmful breaches that have followed.

Here’s some suggested language you can use or adapt, but please feel free to alter the language in any way you like. Thanks! Leonie and Cassie

Re: COPPA Proposed Rule, 16 CFR part 312, Document 89 FR 2034

I am submitting this comment as a {parent, teacher, privacy advocate}. I support the goal of clarifying and strengthening the protection of children’s privacy in a school context, and agree that schools should only allow data to be collected from children by companies that have a written agreement with the school. I also agree that data collected from children in school should only be used for educational purposes.

However, I am concerned that the definition of school-authorized educational purpose could allow companies to make use of children’s data for developing and improving products. That’s not acceptable. Moreover, if schools can now authorize companies to collect data from children, parents must still have at least as much control over their child’s data as they do under FERPA, including the right to inspect, challenge and amend their children’s information if it is inaccurate.

There must be strong data security safeguards as well, at minimum including independent security audits and encryption in motion and at rest, given the frequent and widespread occurrence of hacking and data breaches in our schools. Without effective data security there can be no data privacy.

Finally, in all cases, schools should be required to notify parents directly about what companies are collecting what type of data from their children, how that data is being used and that it will be deleted after it is no longer needed for educational purposes.  And in the case of the collection of biometric and geolocation data, and the use of invasive surveillance programs in schools, parents need and deserve the right of prior notification and consent as well.

[Include, if you can, an anecdote about what’s happening in your school or district—do parents know what software is being used, are they asked for consent, how out of control this data collection has become, what data has been collected from your child, etc.]

Yours sincerely, name and address.

Advocacy Orgs To Illinois AG: Stop College Board From Selling Student Data

Press release cross-posted here.

On February 26, 2024, nine state and national advocacy organizations, including privacy, consumer and government watchdogs, sent a letter to the Illinois Attorney General Kwame Raoul calling on him to follow the lead of New York Attorney General Letitia James and end the College Board’s illegal practice of selling Illinois students’ personal data. Full press release below.

MEDIA RELEASE

FOR IMMEDIATE RELEASE
February 27, 2024

CONTACT
Cassie Creswell
Illinois Families for Public Schools
773-916-7794

ADVOCACY ORGS TO ILLINOIS ATTORNEY GENERAL: 
STOP THE COLLEGE BOARD FROM SELLING STUDENT DATA

Yesterday, nine state and national advocacy organizations, including privacy, consumer and government watchdogs, called on Illinois Attorney General Kwame Raoul to follow the lead of New York Attorney General Letitia James and end the College Board’s illegal practice of selling Illinois students’ personal data.

The groups, including Parent Coalition for Student Privacy, Illinois Families for Public Schools, Citizen Action Illinois, Electronic Frontier Foundation (EFF), Electronic Privacy Information Center (EPIC), Fairplay, Good Government Illinois, Student Data Privacy Project, and Surveillance Resistance Lab, sent a letter to urge the Illinois Attorney General to enforce Illinois’ student privacy law with respect to the ongoing illegal sales of Illinois’ public school students’ personal data by the College Board, a multi-million dollar state vendor.

Two weeks ago, the New York Attorney General announced a consent decree with the College Board that fined the test vendor $750,000 and prohibited them from any further sale of student data collected via the administration of tests in school, a practice that has been illegal under New York state law since 2014. Now, in the letter to AG Raoul, the nine organizations said, “We hope that you agree that Illinois students deserve the same protections that New York students now enjoy.”

Illinois Families for Public Schools executive director Cassie Creswell said, “As a public school parent, I am appalled that the College Board has been profiting off the sale of Illinois children’s personal data for decades, a practice that has been illegal for school or district vendors ever since our student privacy law was passed in 2017. Student data shouldn’t be commercially exploited at all.”

Leonie Haimson, the co-chair of the Parent Coalition for Student Privacy said, “Thanks to New York Attorney General Letitia James, the College Board will no longer be able to sell personal data collected from New York students via the PSAT, SAT and AP exams given in school. The College Board made $28 million selling New York student data they collected via in-school PSAT and SAT exams during the years 2018 through 2022 alone—not counting the millions more they likely made from selling the data of AP students. God knows how much they’ve made from illegally selling the data of Illinois students over the last seven years. It is past time for the Attorney General Kwame Raoul to step up and protect student privacy going forward, as Attorney General Letitia James has done.”

Via the administration of its tests during the school day, the College Board has access to the personal data of hundreds of thousands of Illinois students, including their names, addresses, ethnicity and race, economic status, test score ranges, and other personal information, some of which they collect from students before the administration of these tests or online when students create accounts on the College Board’s website. This data is sold by the College Board, for anywhere from $2,575 for 5000 student records up to $540,000 for an unlimited number of records, via their Student Search Service.

Illinois’ student data privacy law, passed in 2017 and known as the Student Online Personal Protection Act, or SOPPA, prohibits school, district and state vendors from selling student data collected in school, but has yet to be enforced in Illinois, one of at least 20 states with a similar prohibition on the books.

The State’s existing almost $55 million contract with the College Board for SAT and PSAT tests was signed in 2018, after the passage of SOPPA, but it explicitly allows the College Board to sell student data acquired under the contract. Illinois also pays the College Board fees for Advanced Placement tests for low-income students, and school districts across the state have individual contracts with the College Board for additional administrations of the SAT, PSAT and AP tests.

Illinois public high schools must give the SAT and PSAT to comply with state and federal law, and students must take the SAT to receive a diploma from a public high school in Illinois.

The current contract between the State and the College Board expires on June 30 this year. The Illinois State Board of Education released a request for proposal in December 2023 for a new contract, and it is likely that the College Board will again be chosen as the vendor for the state high school assessment.

In 2019, eight state legislators asked the Illinois AG Kwame Raoul to investigate the College Board’s data sales and whether they were in violation of SOPPA. Individual Illinois parents also filed complaints with the AG about their children’s data being sold. At the time, the AG’s Office said they were “looking into” the issue, but no actions resulted. In summer 2022, the AG’s Office falsely told the Chicago Tribune they were not “aware of any SOPPA violations being reported to the office.”

In May 2018, the US Department of Education issued guidance specifically warning local and state education agencies about the various legal problems involving potential violations of federal student privacy law surrounding the collection and sale of this personal data, when college admissions exams, including the SAT and ACT, are administered in schools.

About Illinois Families for Public Schools

Illinois Families for Public Schools (IL-FPS) is a statewide, grassroots, non-profit 501c4 advocacy group founded in 2016. IL-FPS is the voice of public school families in Springfield and across the state, advocating to defend and improve Illinois public schools. More at ilfps.org.

About the Parent Coalition for Student Privacy

The Parent Coalition for Student Privacy (PCSP) is a national grassroots advocacy organization, founded in 2014, which built on the success of parent advocates to stop the creation of inBloom, a national database of K-12 student data to be used for commercial purposes. PCSP includes parents from nearly every state and assists families in addressing individual and systemic threats to student privacy. More information at studentprivacymatters.org

###