For immediate release: April 29, 2015
The student privacy bill just introduced by Representatives Messer and Polis is an improvement from their previous draft, but still has many loopholes that make it inadequate to address many parental concerns about their children’s privacy and safety.
Leonie Haimson, co-chair of the Parent Coalition for Student Privacy said, “The bill still doesn’t require any parental notification or consent before schools share personal data with third parties. It wouldn’t stop the surveillance of students, or the collection of huge amounts of highly sensitive student information by third parties, as inBloom was designed to do.”
“The bill still allows targeting ads to kids –as long as the ads are “contextual” or selected based on information gathered via student’s single online session. We strongly believe that there should be no advertising allowed in instructional programs assigned to students at school, as ads do not aid learning but is a huge distraction to kids. Moreover, how can a parent know if their child is subjected to an ad, whether it is based on data-mining during one session or over time?”
Rachael Stickland, Colorado co-chair of the Parent Coalition said: “We’re pleased to see some of our recommendations reflected in this draft, including enhanced transparency and some limitations on re-disclosures. This bill allows parents to delete personal information from the data collected from their children, but it doesn’t require that parents be informed by either the vendor or the school that this data is being disclosed, collected and data-mined, so how would parents know to ask to delete it? It also allows vendors to data-mine personal information to improve their products or create profiles that could severely limit student’s success by stereotyping them and limiting their opportunities.”
Other remaining weaknesses of the bill:
- There are NO specific security protections outlined in the bill, only that procedures should be “reasonable.” We believe that any vendor collecting and using sensitive student personal information should be required to employ data encryption, undergo regular security audits, and other important measures to protect against damaging breaches.
- Vendors would not have to inform parents or even school officials of data breaches unless they deem this “appropriate” without defining when that would be required, and there are no specific amounts required for fines.
- Vendors could transfer the personal student data to another company if there is a merger or acquisition.
- Vendors would be able to re-disclose students’ personal information to an unlimited number of unspecified service providers, without the knowledge or consent of schools or parents
- Vendors would be allowed to disclose de-identified and aggregate data, while using “reasonable” methods to ensure that the data could not be re-identified. This again is inadequate protection, given how easy it has become to re-identify personal information with current methods and widely available data sets.
- The bill’s protections would not apply to children in preschool and “K-12 Purposes” is only vaguely defined.
- Vendors could use student information for many commercial purposes including “maintaining, developing, supporting, improving, or diagnosing the operator’s school service.”
Rachael Stickland concludes: “This bill is clearly a step in the right direction but it needs to be further improved if it is going to protect our children from commercial exploitation and devastating breaches. Our children’s privacy and safety is invaluable and should not be put at risk by being handed off carelessly for profit or for gain.”