For immediate release: Wednesday, Jan. 23, 2018
For more information contact: Rachael Stickland, email@example.com; 303.204.1272
In the first of its kind, the Parent Coalition for Student Privacy and the Network for Public Education have released a report card that grades all fifty states on how well their laws protect student privacy.
The State Student Privacy Report Card analyses 99 laws passed in 39 states plus DC between 2013 and 2018, and awards points in each of the following five categories, aligned with the core principles put forward by PCSP: Transparency; Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; and Oversight, Enforcement, and Penalties for Violations.
Two more categories were added to the evaluation: Parties Covered and Regulated and Other, a catch-all for provisions that did not fit into any of the above categories, such as prohibiting school employees from receiving compensation for recommending the use of specific technology products and services in their schools.
No state earned an “A” overall, as no state sufficiently protects student privacy to the degree necessary in each of these areas. Colorado earned the highest average grade of “B.” Three states – New York, Tennessee and New Hampshire– received the second highest average grade of “B-“. Eleven states received the lowest grades of “F” because they have no laws protecting student privacy: Alabama, Alaska, Massachusetts, Minnesota, Mississippi, Montana, New Jersey, New Mexico, South Carolina, Vermont and Wisconsin.
The report tracks specific versions of state laws over time. For example, many of the state privacy laws enacted since 2013 were modeled after the California’s 2014 law known as the Student Online Personal Information Protection Act (SOPIPA). While California barred all school vendors from selling student data, eight states subsequently passed laws that allowed the College Board and the ACT to do so. Laws with specific loopholes to allow these companies to sell student data were enacted in Arizona, Colorado, District of Columbia, Nebraska, North Carolina, Texas, Utah and Virginia –presumably because of lobbying efforts.
The issue of data security is also critical. The primary federal student privacy law known as FERPA requires no specific protections against data breaches and hacking, nor does it require families be notified when inadvertent disclosures occur. In recent years, the number of data breaches from schools and vendors have skyrocketed, and some districts have even been targeted by hackers with attempted blackmail and extortion. A recent report rated the education industry last in terms of cybersecurity compared to all other major industries. As a result, this fall the FBI put out an advisory, warning of the risks represented by the rapid growth of education tech tools and their collection of sensitive student data, saying that this could “result in social engineering, bullying, tracking, identity theft, or other means for targeting children.”
“The inBloom debacle in 2013 exposed the longstanding culture of fast and loose student data sharing among government agencies, schools and companies,” said Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, parent of two public school children in Colorado and the primary author of the report. “Consequently, parents across the nation began urging their state legislators to address the problem, resulting in a complex web of state privacy laws that are difficult to untangle and understand. Our hope is to bring attention to state laws that make a reasonable effort to protect student privacy and identify those that need improvement. Parents and advocacy groups can use our findings to advocate for even stronger measures to protect their children.”
NPE Executive Director Carol Burris noted, “This report card provides not only critical information regarding the existing laws, but also serves a blueprint for parents to use for lobbying for better protections for their children.”
As Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, pointed out, “FERPA was passed over forty-five years ago and has been weakened by regulation over time to allow for the sharing of personal student data by schools and vendors without parent knowledge or consent. State legislators have stepped up to the plate to try to fill in some of its many gaps and to require more transparency, security protections, enforcement, and the ability of parents and students to control their own data. Yet none of these laws are robust enough in each of these areas. Congress must strengthen and update FERPA, but meanwhile, this report card can serve as a guide to parents and advocates as to which state laws should be strengthened and in which specific ways.”
An interactive map that shows the grades of each state, both overall and in each of the categories is posted here. The report is posted here ; here is a technical appendix with a more detailed account of how each law was evaluated. There is also a downloadable matrix with links to all of the state laws, as well as specifying how many points were awarded in every category.