Washington Privacy Act, SB5062, does not go far enough to protect consumers or students

On January 14, 2021, the Washington state legislature will hold a hearing on a privacy bill, the Washington Privacy Act (SB 5062), which is weak and does not fully protect consumers’ right to privacy:

  • SB5062 does nothing to better protect educational, teacher, or student data. 
  • SB5062 does not apply to state or local government agencies.
  • SB5062 has many limitations and exemptions that allow the selling of user data or its use for marketing purposes: 
    • SB5062 allows corporations and other third parties to sell your data or use it for marketing purposes UNLESS you expressly opt out.
    • If you do opt out, companies can charge you a higher price for their services.
  • Even then, consumers can only “opt out” of the collection and use of personal data for certain purposes.
    • Instead, companies should be required to get prior consent or “opt in” for any disclosure of your personal data, including its use for marketing or sale.
  • Finally, SB5062 does not allow people to hold companies accountable by suing them if they’ve violated the law or your decision to opt out.

We agree with this Seattle Times op-ed: Washington needs a privacy law that protects people, not corporations. Oppose SB5062; Washingtonians deserve better.

Sign up to leave a written comment or remotely testify against SB5062 here: https://app.leg.wa.gov/CSIRemote/Senate (Senate Environment, Energy & Technology Committee, hearing on January 14, 2021 at 10:30 am). You can sign up or leave comments up until 1 hour prior to the hearing.

Update: You can watch a recording from this January 14, 2021 hearing here.

*See Parent Coalition submitted testimony here:

WA “Senate Environment, Energy & Technology Committee” hearing on Jan 14, 2021

My name is Cheri Kiesecker, Co-Chair of the Parent Coalition for Student Privacy. Thank you for the opportunity to comment on The Washington Privacy Act, SB5062. In this time of increased use of technology, it is crucial that citizens control who is collecting data about them and how it is being used. Unfortunately, this bill neglects to protect some of the most vulnerable in our population: school children; for this reason and others, which we briefly highlight here, and in my testimony today, we oppose this bill.

The privacy and transparency protections in this bill do not apply to government agencies (schools) and students are exempted, defaulting instead to outdated FERPA, COPPA, and WA state student privacy law passed in 2015 HB1495—all of which have several limitations and exceptions.

(SB5062 Page 8) Sec. 102. JURISDICTIONAL SCOPE.

This chapter does not apply to:

4(a) State agencies, legislative agencies, local governments, or tribes

  1. Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46;

(page 10)

  1. Personal data collected, processed, sold, or disclosed pursuant to the federal driver’s privacy protection act of 1994 (18 U.S.C. Sec. 2721 et seq.), if the collection, processing, sale, or disclosure is in compliance with that law; (j) Personal data regulated by the federal family education rights and privacy act, 20 U.S.C. Sec. 1232g and its implementing regulations; (k) Personal data regulated by the student user privacy in education rights act, chapter 28A.604 RCW

Students are often required to submit an astonishing amount of personal data, often medical and mental health, behavioral and discipline information to schools; these data can be shared outside of the school walls, and uploaded to government databases. The data can be used to predict and profile children as criminals. Students are also required to use educational technology (edtech) platforms such as Zoom, Google products (Gsuite, Meet, and YouTube), and 100s of other apps, often with embedded hidden algorithms. As this recent report states, companies that rely on algorithms to profile students can discriminate and are often biased and wrong. Researchers have shown that 1000s of edtech apps often share sensitive data with advertisers and other third parties. There is little to no regulatory oversight of edtech, no parental consent, no way for parents to see data points collected or how their children’s data are being used, processed, profiled, and marketed by third parties, data brokers, etc. The FBI issued a warning about the risks associated with edtech apps and surveillance including tracking and targeting of children, misuse of sensitive data, social engineering, identity theft, and breach. (See King County, WA breach announced yesterday.) For more concerns about student data privacy, invasive surveillance technology, and opportunistic edtech, see EFF’s Student Privacy and the Fight to Keep Spying Out of Schools: Year in Review 2020.

FERPA

FERPA was weakened in 2008 and 2011 to allow disclosure of students’ personal information to businesses, researchers, agencies etc without parent knowledge or consent; in fact parents cannot opt out of this sharing. As recently reported by the US Dept of Ed, a 2 year study found that most districts violate federal privacy law FERPA. Additionally, FERPA has no private right of action, making it difficult for parents to enforce.

COPPA

Advocates and lawmakers agree, COPPA needs to be updated. SB502 should be updated to cover children up to 17-18 years old (California CCPA increases the coverage to 16), should include a providers’ constructive knowledge, should address behavioral advertising,

Current WA state law HB15-1495, which SB5062 relies on to protect students, does not afford parental consent, does not give adequate transparency (does not require written contracts, exempts algorithms and adaptive learning (protection from dark patterns AI SB5062 would not be afforded to students), finally your student privacy law has no enforcement mechanism or penalty. Subsequently, Washington’s student privacy law HB15-1495, earned a D+ on our state-by-state report card comparison of student privacy laws.

SB5062 has many limitations and exemptions that allow the selling of user data or its use for marketing purposes:

  • SB5062 allows corporations and other third parties to sell your data or use it for marketing purposes UNLESS you expressly opt out. SHOULD BE OPT IN consent for collection and third party sharing.
  • If you do opt out, companies can charge you a higher price for their services.
  • Even then, consumers can only “opt out” of the collection and use of personal data for certain purposes.
  • Companies can choose to refuse consumers’ request* to see what data the company has collected about them, and can charge a fee for this service. (*If they find the request –unfounded or excessive)
  • SB5062 allows personal data from Dept of Motor Vehicles to be sold. According to a 2019 report this information is sold, often to databrokers and resold; name, address, and other personal information. States are making millions off the sale of this data. Data in this data base, including social security numbers, is also often disclosed and matched to track students.
  • Finally, SB5062 does not have a strong private right of action, as last year’s House version did.

We don’t believe citizens’ data, especially school children’s data, should be bought and sold, profiled, used for research, or shared without their consent. Data collection and disclosure should be OPT IN, and those collecting and disclosing the data should be held accountable with strong enforceable penalties. We hope you agree.

Thank you.

Cheri Kiesecker

Co-Chair Parent Coalition for Student Privacy

https://www.studentprivacymatters.org

Parents of Disabled Students: Do NOT Grant College Board Unlimited Access to Your Child’s Sensitive Information

We recently received a query from a Chicago parent whose child has a disability, and was seeking an accommodation when taking a College Board test. Her child’s high school asked her to sign an SSD Accommodation Consent form allowing her school to disclose her child’s disability records, as well as “any other information in the school’s custody that the College Board requests for the purpose of determining my eligibility for testing accommodations on College Board tests”. The form also grants the College Board permission “to discuss my disability and needs with school personnel and other professionals.”

The Chicago parent was concerned with these overly broad permissions and crossed out portions that she disagreed with. Unfortunately for this parent, she subsequently discovered that her child’s previous high school had apparently already released confidential information to the College Board without asking for her consent.  

We wonder if this has happened to other parents. Have parents been asked to sign this form authorizing the school to release their children’s highly sensitive disability information, or worse, have their schools disclosed this personal information without obtaining parent consent? If so, please email us at [email protected].

We would like all parents to know that you do NOT have to consent to the school providing College Board unlimited access to your child’s sensitive disability information for the purpose of accommodations. College Board says this is only a sample SSD consent form.

I recently emailed the College Board Services for Students with Disabilities (via their general SSD email) to ask if parents cross out the overly broad permissions they don’t agree with, would the form still be valid? The College Board SSD replied and verified that this is the current SSD Parent Consent Form, reiterated that the College Board does require schools to obtain written consent from the parent before sharing student disability data, and that schools must keep this signed form on file. However, the College Board SSD email (erroneously) said parents cannot modify the consent form; I knew this to be incorrect because in 2018, I had previously questioned the Colorado Department of Education and College Board about the broad permissions and was told that parents could modify the form.

So, I again reached out to the Colorado Department of Education this past week and asked for their help in contacting the College Board privacy department to verify that parents can in fact modify the form. The complete response from the Colorado Department of Education and College Board can be seen here; relevant excerpts are posted below.  First, the College Board apologized for their earlier, incorrect response: 

“Thank you for sharing the inquiry you received. I apologize that the parent received some misleading information. The Accommodations Consent form shared by the parent is the standard template College Board makes available on the SSD website to all schools. As you know, in Colorado, we have developed an alternate template which is shared through trainings with SSD Coordinators…

The purpose of the consent form is to give schools a sample consent form in order to request testing accommodations on behalf of a student and share relevant information with College Board about their disability and requested accommodation(s). College Board requires schools to agree that they have a “signed consent form or equivalent signed consent on file.” Schools are instructed to keep the parent consent on file for their records. It is not submitted to College Board. Once a student is approved for an accommodation, this accommodation may be used for all College Board assessments throughout the student’s high school career.”–College Board

Then the Colorado Department of Education confirmed that parents could delete the overly broad language in the consent form:

“…if there are any parts to the form to which you do not want to provide your consent, you can cross those portions off, or you can add additional language to meet your needs. Note that the required information needed by College Board to process any accommodations request is listed at the top of p.2 of the enclosed form.”

(See Required Data listed on page 2 of Colorado Accommodations Consent form but applicable to all requests.) 

We thank the Colorado Department of Education for their clarification and for confirming that if a parent crosses out the overly intrusive portions (labeled A and B below), this signed consent form would still be valid; one would hope that the right to privacy afforded Colorado students with disabilities would be afforded to all disabled students. We encourage parents to ask your school and the College Board ([email protected]) if you can cross out this overly broad language and only provide the minimum required information for accommodations.

2019: College Board says it changed its disability accommodation review procedures

The College Board said that it had changed its policies and now relies on schools to verify student disabilities and accommodations, according to a May 2019 Wall Street Journal article:

“The College Board said it has to balance the large number of students who really need a special accommodation against a small number who are exploiting the system.

The College Board used to do more checking, the organization said, but found that responding to special-accommodation requests was taking more than a month. The College Board said it relies on schools because they are closer to the medical professionals and teachers who know the students.”

If it is true that since 2019, the College Board is no longer checking into and reviewing accommodation requests and is instead relying on schools to verify these requests,  why are schools still asking parents to sign consent forms from 2017 which give College Board access to any information in the school’s custody? (You can see this form sent to Chicago parents, still posted on the internet, which is dated 2017 on the bottom right.)

Time to Update Consent Form.

Since the College Board confirmed this consent form is just a template and can be modified, we urge the College Board to update the template and remove the overly broad request for any information in the school’s custody and remove consent to discuss with other professionals. 

Additional concerns with how the College Board and ACT share data

We know that the testing company ACT was sued and recently had to pay a $16 million settlement for allegedly disclosing student disability information to colleges. We also know the College Board has been sued for selling licenses to a range of personal student data to colleges and other companies including score ranges, though they insist that a student’s disability status is not included. The company admits sharing access to student disability data with the third parties listed at the end of the consent form. Requiring parents to consent to the release of this data to these companies, as well as to others unspecified in the consent form, and to grant this unlimited access singles out and discriminates against disabled students, while their non-accommodated peers do not face this medical scrutiny and do not have to provide College Board access to any other information in the school’s custody. Concerns about sharing this sensitive information are echoed in this 2016 Education Week article, regarding the U.S. Department of Justice Civil Rights Division scrutiny of College Board and ACT refusals to allow accommodations in college admission tests.

Schools must also record disclosures and obtain written parent consent

Schools should never disclose student disability records or evaluations unless specifically required by the College Board and schools must obtain prior written parent consent. Per federal IDEA law part B, in addition to written consent, schools must keep a record of disclosures. They must tell a parent: what information was disclosed, the purpose of the disclosure, to whom it was revealed, and when this occurred.

Finally, many states are now requiring students take a College Board exam as their federally-mandated high school assessment.  If so, schools must ensure that College Board adheres to specific federal privacy restrictions as specified in both FERPA and IDEA.  See this May 2018 guidance from the US Department of Education regarding privacy and College Entrance exams:

IDEA is a Federal law that protects the rights of students with disabilities…These IDEA provisions also prohibit the unauthorized disclosure and use of PII from the education records of students with disabilities, consistent with FERPA. Thus, if parent consent is required under FERPA to disclose PII from students’ education records, and if a student is covered under IDEA, parent consent would also be required under IDEA to disclose PII in education records collected, maintained, or used under Part B of the IDEA.

Please let us know if you have privacy questions about College Board or ACT admissions tests, or the optional surveys associated with these tests. Also reach out to us if your school asks you to consent to providing College Board unlimited access to any information in the school’s custody to verify your child’s disability accommodations for College Board tests.  If your school did NOT get your written consent before sharing your child’s disability information with the College Board or ACT, let us know that as well. 

In general, parents should be cautious before sharing their children’s personal and sensitive information with companies; only share what is absolutely necessary. For College Board privacy related questions, parents can email the College Board at [email protected]. Parents can also email us at [email protected].

 

 

Why students should be allowed to keep their cameras off during remote learning

December 2020

Endorsed by Access Living, ACLU of Illinois, Brighton Park Neighborhood Council, Chicago Lawyers’ Committee for Civil Rights, Children’s Screen Time Action Network, Civitas ChildLaw Center, Hartlieb & Horste, LLC, Illinois Families for Public Schools, Parent Coalition for Student Privacy, Raise Your Hand for Illinois Public Education  

Adapted from IFPS here; see the one-page Summary here.

Many US public schools have been operating remotely since March, either full-time or part-time as a result of the Covid pandemic.  And with infection rates steeply increasing in the US, the timing of any return to fully in-person schooling remains uncertain.

The use of technology was widespread even before this spring. Now its use is nearly universal. But tech use should not impinge on students’ right to privacy and access to schooling.

In a recent national survey, 60% of educators said students would face negative consequences for having cameras off. However, students should never be forced to choose between maintaining their privacy and receiving an education. Moreover, surveillance does not equal safety.

Surveillance can be especially stressful for disadvantaged students,  students of color; those with disabilities; undocumented students; students in temporary living situations and/or those from low-income families, living in crowded homes or apartments.

There are many other ways teachers can check if students are paying attention, such as calling on them verbally, asking them to use the chat function or polling function.

We have assembled a set of best practice policy recommendations on tech use during remote learning:

  • Camera-on requirements: Students should always be permitted to participate in class without turning on video. And if live-video streaming is used during synchronous learning, schools should obtain written consent from parents explaining the risks and benefits of their children opting in to having their cameras on.
  • Recording video conference sessions: Recording should never be obligatory for students, including for one-on-one sessions of a sensitive nature, e.g. counseling and therapy. Families must receive clear information about their rights to inspect, correct, receive copies of and, for children 13 and under, delete recordings.
  • Observers in the virtual classroom: Schools/districts should issue clear guidelines to allow parents, guardians or other participants, for example childcare workers or family members, to assist their child in participating and/or to observe live video-conference sessions.
  • Use of surveillance software to monitor devices: Students and families should be informed of the role of any browser in monitoring online activity and physical location, especially for the use of non-school owned devices. No third party provider of a computer hardware or software should be able to collect, use, generate or retain student data without explicit parental “opt in” permission.
  • Use of surveillance software for proctoring tests remotely: Rather than subjecting students to highly invasive monitoring in pursuit of test security, schools and teachers should implement methods of assessment during remote learning that do not require surveillance spyware.
  • Policy transparency for families: Schools should not only establish clear policies for tech use and privacy, but also make information about these policies accessible to all families (e.g. providing paper copies, translating all documents).

These recommendations are intended as a resource to assist students and families, teachers, administrators, and school board members, whether they are writing, revising or advocating for improvement of policies covering the role of tech in students’ remote learning experiences. Technology is  crucial to accessing education during remote learning, but policy makers must be thoughtful in addressing its potential risks as well.

Many thanks to Cassie Creswell of IFPS for taking the lead on drafting this guidance.

A Privacy Blueprint for Biden

Privacy And Digital Rights For All

The weakening of The Family Educational Rights and Privacy Act (FERPA) and the Covid19 rush to usher in virtual learning and edtech in place of in-person learning, have created a perfect storm for student data collection and tracking. Students are increasingly subjected to edtech data collection, profiling, and surveillance as a condition of attending a public school. We call on the next administration to protect children and begin implementing these important recommendations within the first 100 days of office.

Leading privacy and civil rights advocates recently called on the next U.S. administration to make protecting digital privacy a top priority. The press release signed by Campaign for a Commercial-Free Childhood, Center for Digital Democracy, Color of Change, Consumer Action, Consumer Federation of America, Electronic Privacy Information Center, Privacy Rights Clearinghouse, Parent Coalition for Student Privacy, Public Citizen, and U.S. PIRG states:

“The Biden administration and the next Congress should make protecting digital privacy a top priority, and 10 leading privacy, civil rights and consumer organizations today released a memo of recommendations for executive actions on Day One, actions during the first 100 days and legislation.

“The United States is facing an unprecedented privacy and data justice crisis,” the blueprint memo reads. “We live in a world of constant data collection where companies track our every movement, monitor our most intimate and personal relationships, and create detailed, granular profiles on us. Those profiles are shared widely and used to predict and influence our future behaviors, including what we buy and how we vote. We urgently need a new approach to privacy and data protection. The time is now.”

“The U.S. urgently needs a comprehensive baseline federal privacy law. The Biden administration and Congress should not delay in setting out strong rights for internet users, meaningful obligations on businesses, and establishing a U.S. Data Protection Agency with strong enforcement powers,” said Caitriona Fitzgerald, policy director, Electronic Privacy Information Center.

“Privacy is a basic human right, and children’s personal information should not be profiled, licensed, sold, commercialized or shared with third parties as a condition of attending a public school. We hope policymakers will move to prohibit the use of student data for marketing purposes and require all public schools and education agencies to adopt strict security and privacy standards,” said Leonie Haimson, co-chair, Parent Coalition for Student Privacy.

“For far too long, companies have deceptively tracked kids and used their sensitive data to exploit their vulnerabilities and target them with marketing. Families are counting on the Biden administration and the next Congress to recognize that children and teens are vulnerable, and to put protections in place which will allow young people to use the internet more safely,” said David Monahan, campaign manager, Campaign for a Commercial-Free Childhood.

The recommendation memo, Privacy and Digital Rights for All, specifically calls for protection of children, teen, and student data, including parent consent before sharing student data:

Action item within the first year: Protect children and teens.

Action 8: Protect Children and Teens from Corporate Surveillance and Exploitative Marketing Practices

Recommendations for First 100 Days

  • Urge the FTC to begin 6(b) studies on ad tech and ed tech companies’ data practices and their impacts on children and teens before undertaking any rulemaking under the Children’s Online Privacy Protection Act (COPPA).
  • Protect students through an executive order that requires the Department of Education (DoE) to:
    • Prohibit the selling or licensing of student data;
    • Issue recommendations on transparency and governance of algorithms used in education; and
    • Minimize data collection on students, ensure parental consent is affirmatively obtained before disclosing student data, and issue rules enabling parents to access and also govern data on their child.

Recommendations for Legislative Action

  • Ensure children and teen privacy is legislatively protected as part of a comprehensive baseline federal privacy bill that:
    • Establishes the special status of children and teens as vulnerable online users; provides strong limits on collection, use, and disclosure of data, and narrowly defines permissible uses;
    • Requires employing privacy policies specific to children’s data on all sites and platforms used by children; and
    • Prohibits targeted marketing to children and teens under the age of 18 and profiling them for commercial purposes.
  • Strengthen COPPA by raising the covered age to 17 years and under, banning behavioral and targeted ads, banning the use of student data for advertising, and requiring manufacturers and operators of connected devices and software to prominently display a privacy dashboard detailing how information on children and teens is collected, transmitted, retained, used, and protected.

See more recommended principles for protection of children and teens here.

It’s time for the U.S. to take data privacy seriously. Citizens should have consent and control over collection and use of their data; “pay-for-privacy provisions” and “take-it-or-leave-it” terms of service should be prohibited. Finally, our most vulnerable, our children, should be protected, not exploited and surveilled as a condition of attending public school.

NY State Student Privacy Survey

Class Size Matters, NY Allies for Public Education, and the Parent Coalition for Student Privacy would like to know which online apps or programs are being employed by schools throughout New York state, and whether they are sufficiently protective of children’s privacy. We are asking parents and teachers to take our survey here, to let us know what apps or programs your schools are using.

Since the pandemic hit, districts across New York State have purchased many commercially-produced online apps and digital programs to implement remote learning. Even before last spring, schools had been using a large number of programs, many of which collect and use personal student information. In NYC alone, more than 75 commercially available online programs have been acquired for teachers to assign to their students, and “The DOE has informed schools that for SY 2020-21, they must have a shared, inclusive and digital curriculum in all core subject areas,” according to the UFT.

Many of these digital apps collect and use personal student data in ways we do not understand. In some cases, the publicly available privacy policies of these vendors are NOT sufficiently protective and do not comply with the NY state student privacy law, Education Law 2D, which was passed in 2014.

Among other things, this law and its regulations adopted in Jan. 2020 require that every contract with a vendor with access to personal student data must have a separate Parent Bill of Rights [PBOR], which specifies how the data will be protected and how parents can access the data and challenge it if necessary.

Each of these separate Parent Bills of Rights is supposed to be posted on the district website, along with other important information, including your district’s overall data privacy protection policy, and how you can contact the district data privacy officer in charge of ensuring these protections. Links to the Education Law 2D, the regulations, and a summary of some of their most important provisions are here and below.

Please take a few minutes to fill out our online survey to let us know what online apps and/or digital programs are being used in your schools, and whether the district has provided the necessary information about the ways in which that data is being protected from breach and abuse.

Thanks!

NYS Student Privacy Regulations Summary (Final)

In addition, the full law and regulations are available at the following links: