For immediate release: January 12, 2015
Contact: Leonie Haimson, [email protected], 917-435-9329; Rachael Stickland, [email protected], 303-204-1272
Parent Coalition for Student Privacy on President’s Announcement of Need for New Federal Student Privacy Protections
The Parent Coalition for Student Privacy thanks the President for recognizing the need for new federal student privacy protections, but points out how the California law that the President lauded as a model cannot be used without strengthening its provisions around parental notification, consent, security protections and enforcement.
“Any effort to ban the sale of student information for targeted advertising is a good first step, but the White House’s proposal appears to allow companies to sell and monetize student data for unspecified ‘educational purposes,’ including to develop products that would amass enormous personal profiles on our children. Profiling children based on their learning styles, interests and academic performance and then being able to sell this information could undermine a student’s future. Parents want to ban sale of student data for any use and demand full notification and opt-out rights before their children’s personal information can be disclosed to or collected by data-mining vendors,” said Rachael Stickland, co-chair of Parent Coalition for Student Privacy.
Leonie Haimson, Parent Coalition co-chair and Executive Director of Class Size Matters said, “We also need strong enforcement and security mechanisms to prevent against breaches. Schools and vendors are routinely collecting and sharing highly sensitive personal information that could literally ruin children’s lives if breached or used inappropriately. This has been a year of continuous scandalous breaches; we owe it to our children to require security provisions at least as strict as in the case of personal health information.“
Here is a summary of the gaps and weaknesses in the California student privacy bill, which the President said should serve as a model for a federal law:
- Bans vendors using personally identifiable information (PII) student data to target advertising or selling of data, but not in case of merger or acquisitions, or presumably in case of bankruptcy, as in the recent Connectedu case. The President’s proposal would be even weaker, as it would apparently allow the sale of student data for unspecified “educational purposes”;
- Only regulates online vendors but not the data-sharing activities of schools, districts or states;
- Provides no notification requirements for parents, nor provides them with the ability to correct, delete, or opt out of their child’s participation in programs operated by data-mining vendors;
- Unlike HIPAA, sets no specific security or encryption standards for the storage or transmission of children’s personal information, but only that standards should be “reasonable”;
- Allows tech companies to use children’s PII to create student profiles for “educational” purposes or even to improve products;
- Allows tech companies to share PII with additional and unlimited “service” providers, without either parent or district/school knowledge or consent – as long as they abide by similarly vague “reasonable” security provisions;
- Allows tech companies to redisclose PII for undefined “research” purposes to unlimited third parties, without parental knowledge or consent –without requiring ANY sort of security provisions for these third parties or even that they have recognized status as actual researchers;
- Contains no enforcement or oversight mechanisms;
- Would not have stopped inBloom or other similar massive “big data” schemes designed to hand off PII to data-mining vendors – and like inBloom, would also be able to charge vendors or “service providers” fees to access the data, as long as states/districts consented.