Tag Archives: student privacy

Our comments to the Attorney General on how to regulate the NY Child Data Protection Act

Sept. 23, 2024

See here and below; our comments to the Attorney General’s office on how to implement regulations for the Child Data Protection Act, passed by the NY State Legislature in  June 2024, so that it doesn’t inadvertently weaken student privacy and instead strengthens the privacy of children and teens, in and out of schools.

For more on the AG’s request for comments see their website here.  The deadline is September 30, 2024 to be sent to [email protected] 

If you’d like to send in your own comments, here is a sample message:

As a parent [or teacher], I support the comments provided by the Parent Coalition for Student Privacy and urge you to make it clear in the CDPA regulations that 1- nothing in the law should weaken the stronger student privacy protections in federal and state law, including parent consent  provisions and prohibition against using student data for marketing purposes; 2- that the monetization of children’s data through transfer to third parties for commercial purposes should be prohibited just as the outright sale of that data; and 3- clear and concise privacy policies and consent documents must be required, or any consent on the part of a parent or minor cannot be meaningful.

Signed with your name, address, email

PCSP Comments on regulations to implement the CDPA 9.23.24

For Data Privacy Day — take our Survey: online apps used by districts and their privacy provisions

Today, January 28th is Data Privacy Day, the international annual day of action and awareness to promote the privacy of our personal data.

The Parent Coalition for Student Privacy is researching which ed tech apps schools are asking students to use and whether they are sufficiently protective of children’s privacy.

Since the pandemic hit, school districts across the nation have purchased many commercially-produced online apps and programs to implement remote learning. Even before last spring, districts had been using a large number of programs, many of which have access to personal student information. Many of these apps collect and use personal student data in ways that are not transparent and we do not understand.

More recently, this past December, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned aboutmalicious cyber actors … targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services.” This follows another warning the FBI put out in 2018 that the use of ed tech apps in schools posed a serious threat to children’s privacy and safety.

Please let us know what online apps and programs your district or school is using, and check to see if they have been transparent about their privacy policies. Your name and district will be kept confidential.

Click here to take the survey.

On Data Privacy Day and every day, it is important to protect children’s information. Below are a few resources to help.

The 2019 State Student Privacy Report Card lists and rates state laws based on Transparency, Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; and Oversight, Enforcement, and Penalties for Violations. https://studentprivacymatters.org/map/map.html

Federal Laws enabling parents to protect their Children’s Privacy: FERPA, PPRA and COPPA https://studentprivacymatters.org/ferpa_ppra_coppa/ . Read how FERPA was weakened here and how to request to inspect your child’s education record maintained by your school or the state here.

Parent Toolkit for Student Privacy https://www.studentprivacymatters.org/wp-content/uploads/2017/05/Parent-Toolkit-for-Student-Privacy.pdf

Top 10 back to school privacy tips and resources https://studentprivacymatters.org/top-10-back-to-school-student-privacy-tips-and-resources-for-parents/

A Privacy Blueprint for Biden

Privacy And Digital Rights For All

The weakening of The Family Educational Rights and Privacy Act (FERPA) and the Covid19 rush to usher in virtual learning and edtech in place of in-person learning, have created a perfect storm for student data collection and tracking. Students are increasingly subjected to edtech data collection, profiling, and surveillance as a condition of attending a public school. We call on the next administration to protect children and begin implementing these important recommendations within the first 100 days of office.

Leading privacy and civil rights advocates recently called on the next U.S. administration to make protecting digital privacy a top priority. The press release signed by Campaign for a Commercial-Free Childhood, Center for Digital Democracy, Color of Change, Consumer Action, Consumer Federation of America, Electronic Privacy Information Center, Privacy Rights Clearinghouse, Parent Coalition for Student Privacy, Public Citizen, and U.S. PIRG states:

“The Biden administration and the next Congress should make protecting digital privacy a top priority, and 10 leading privacy, civil rights and consumer organizations today released a memo of recommendations for executive actions on Day One, actions during the first 100 days and legislation.

“The United States is facing an unprecedented privacy and data justice crisis,” the blueprint memo reads. “We live in a world of constant data collection where companies track our every movement, monitor our most intimate and personal relationships, and create detailed, granular profiles on us. Those profiles are shared widely and used to predict and influence our future behaviors, including what we buy and how we vote. We urgently need a new approach to privacy and data protection. The time is now.”

“The U.S. urgently needs a comprehensive baseline federal privacy law. The Biden administration and Congress should not delay in setting out strong rights for internet users, meaningful obligations on businesses, and establishing a U.S. Data Protection Agency with strong enforcement powers,” said Caitriona Fitzgerald, policy director, Electronic Privacy Information Center.

“Privacy is a basic human right, and children’s personal information should not be profiled, licensed, sold, commercialized or shared with third parties as a condition of attending a public school. We hope policymakers will move to prohibit the use of student data for marketing purposes and require all public schools and education agencies to adopt strict security and privacy standards,” said Leonie Haimson, co-chair, Parent Coalition for Student Privacy.

“For far too long, companies have deceptively tracked kids and used their sensitive data to exploit their vulnerabilities and target them with marketing. Families are counting on the Biden administration and the next Congress to recognize that children and teens are vulnerable, and to put protections in place which will allow young people to use the internet more safely,” said David Monahan, campaign manager, Campaign for a Commercial-Free Childhood.

The recommendation memo, Privacy and Digital Rights for All, specifically calls for protection of children, teen, and student data, including parent consent before sharing student data:

Action item within the first year: Protect children and teens.

Action 8: Protect Children and Teens from Corporate Surveillance and Exploitative Marketing Practices Recommendations for First 100 Days
•Urge the FTC to begin 6(b) studies on ad tech and ed tech companies’ data practices and their impacts on children and teens before undertaking any rulemaking under the Children’s Online Privacy Protection Act (COPPA).
•Protect students through an executive order that requires the Department of Education (DoE) to:
o Prohibit the selling or licensing of student data;
o Issue recommendations on transparency and governance of algorithms used in education;and
o Minimize data collection on students,ensure parental consent is affirmatively obtained before disclosing student data, and issue rules enabling parents to access and also govern data on their child.
Recommendations for Legislative Action
•Ensure children and teen privacy is legislatively protected as part of a comprehensive baseline federal privacy bill that:
o Establishes the special status of children and teens as vulnerable online users; provides strong limits on collection, use, and disclosure of data, and narrowly defines permissible uses;
o Requires employing privacy policies specific to children’s data on all sites and platforms used by children; and
o Prohibits targeted marketing to children and teens under the age of 18 and profiling them for commercial purposes.
•Strengthen COPPA by raising the covered age to 17 years and under, banning behavioral and targeted ads, banning the use of student data for advertising, and requiring manufacturers and operators of connected devices and software to prominently display a privacy dashboard detailing how information on children and teens is collected, transmitted, retained, used, and protected.
See more recommended principles for protection of children and teens here.

It’s time for the U.S. to take data privacy seriously.  Citizens should have consent and control over collection and use of their data; “pay-for-privacy provisions” and “take-it-or leave it” terms of service should be prohibited.  Finally,  our most vulnerable, our children should be protected, not exploited and surveilled as a condition of attending public school.

Top 10 back-to-school student privacy tips and resources for parents

It’s back-to-school time for K-12 students,  which will mean for many students remote online learning, or some type of hybrid, combining in-person with screen-based instruction.   We’ve gotten lots of questions from parents and educators concerned about the opportunity for expanded student data collection and disclosure in this new regime.

Here’s a checklist of resources and tips to help protect your students’ privacy:

  1. Opt-out of Directory Information.  Schools can share Directory Information about students with third parties without parental or student consent, unless you opt-out.   FERPA,  the Family Educational Rights and Privacy Act, requires schools to notify you of your right to opt-out of Directory Information, at the beginning of the school year. (FERPA is a privacy law that applies to any educational institution that receives federal funding, which includes all public schools and many private educational institutions as well.)  See our sample Directory opt-out form and resources  here and see World Privacy Forum’s video, flyer,  more information and opt-out form here Or use this school district’s Directory opt-out form as a template to also opt-out of online recorded or video conference learning.  Why does this matter?  What can be shared without your consent, via Directory Information? .According to the US Department of Education, Directory Information can include, but is not *limited to:
    • Student’s name
    • Address
    • Telephone listing
    • Electronic mail address
    • Photograph
    • Date and place of birth
    • Major field of study
    • Dates of attendance
    • Grade level
    • Participation in officially recognized activities and sports
    • Weight and height of members of athletic teams
    • Degrees, honors, and awards received
    • The most recent educational agency or institution attended
    • Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the authorized user
    • A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the authorized user. 
    • *some schools include video as Directory Information
    • Unfortunately, FERPA has been rewritten to allow other exceptions to requiring parental consent, including allowing schools to disclose student information to contractors, researchers and others – which we describe in this fact sheet. But opting out of Directory Information is a good way to start and ensure that your child’s information isn’t shared with just anyone that the school or district might like, without any restrictions on re-disclosure or how the information might be used.                                                …………………………………………………….
  2.  Many schools are using Zoom, Microsoft Teams, or Google Meet for distance learning all day long and as The Washington Post reports, kids and parents are concerned about screen time and privacy issues.  If you are using Zoom (read our What you need to know about Zoom) or other video conferencing app for distance learning, be aware of your background (ie: that poster on the wall, your little sister in the room, etc) and consider asking your teacher if you can leave your camera OFF, (and covered with a band-aid)  to protect your child’s privacy.  At the very least, when using these video conferencing tools from home, use a virtual background.   (Per this very short video: it is your civil right to turn your camera off or use a virtual background for distance learning.)  Here is a Zoom tutorial on how to do virtual backgrounds.  Remember, students under the age of 16 cannot create a Zoom account.
    • Click here to see the US Department of Education Student Privacy Policy Office information and resources regarding FERPA and Virtual Learning
    • Does FERPA prevent a parent from observing their student’s classroom, whether on Zoom or in-person?  No. 
      USDoE Privacy Office says in the (above) FERPA and Virtual Learning Related Resources
      FERPA neither requires nor prohibits individuals from observing a classroom.  Our Letter to Mamas on classroom observation is also applicable to virtual classrooms.” 
      Mamas Letter: “FERPA does not specifically prohibit a parent or professional working with the parent from observing the parent’ s child in the classroom.
    • See this FBI warning about virtual learning via video conferencing and online classroom hacking
    • Read about the class action lawsuit filed against Zoom which alleges that Zoom unlawfully shared Zoom users’ personal information with third parties. …………………………………………………………….
  3. Ask your child’s school to limit screen time, maximize hands-on learning, and use paper and pencil assignments whenever possible.  Have your child work outside in sunlight if possible. Concerns about screen time are real, as this important 2020 study states, “Over exposure to digital environments, from abuse to addiction, now concerns even the youngest (ages 0 to 2) and triggers, as argued on the basis of clear examples herein, a chain of interdependent negative and potentially long-term metabolic changes.  And this equally important 2020 JAMA analysis shows that increased screen exposure, regardless of quality, (even educational screen time) can put kids at risk for delayed development.  For a detailed list of studies and harm associated with screen time such as depression, suicide, myopia, loss of sleep, changes in brain structure and developmental delays, click here.

    ……

  4. Ask teachers what apps they are assigning your kids to use; and if they have been screened by the state or district to protect privacy and to ensure they comply with student privacy laws. Ask teachers what data is being collected by these online apps and businesses; ask to see the contracts and terms of service.  Ask whether data are encrypted and held on the district servers.  Ask your school if they allow vendors to serve ads to students–some state laws prohibit targeted advertising, and federal law COPPA, the Children’s Online Privacy Protection Act, prohibits companies from collecting certain data from children under the age of 13, without parent consent.*

  5. Ask to see the data in your child’s education record – as is your parental right under FERPA. If information in their record is wrong, you also have the right to correct it. ……………………………………………………………………….
  6. Make sure your child only enters the minimum amount of personal information necessary when creating an account or using any app (supervise them if possible if they have to create an account). Ask teachers if your child can log-in to an online tool anonymously by using anonymous credentials (ie: log-in as blue42;  and use email that does not include student name or ID). …………………………………………………………..
  7. Make sure your child isn’t signed into their school account when engaged in non-school activities online.  Clear their cookies regularly. (Cookies are a privacy risk; they collect your personal information, track you across sites, and can use and sell your information to advertisers and brokers.)  Use privacy friendly browsers like Firefox or Brave that block ads and trackers. …………………………………………………………..
  8. Location, location, location.  Turn off location tracking permissions for any app and device.  (Ask your child’s teacher to help with this.)
  9.  If your school uses Gsuite for Education (Google Classroom, gmail, Google Docs, etc.), check your student’s account settings and make sure YouTube Search/Watch History, location tracking from apps, etc are turned OFF or paused. Use a privacy friendly search engine like Duck-Duck-Go instead of Google.  (Google Search is not in the GSuite for Ed “Core Services” and as an Additional Service, if a student uses Google Search or YouTube, their data will be processed under Google’s general terms of service, where their data could be mined and used for marketing purposes.)
  10.  When signing up for College Board AP,  SAT,  PSAT or ACT remember that students do NOT have to take the questionnaire /surveys and should only fill in required information. If  students opt-out of the surveys and Student Search Services, it will NOT affect their chances of getting into a college. Opting out will only prevent ACT or College Board from selling access to your student’s score ranges and  personal and family data the student would provide on the survey.
    • The U.S. Department of Education issued significant guidance in 2018 that prohibits states or districts to allow testing companies like College Board or ACT to sell or re-disclose student assessment data, including test score ranges, without parent consent. Regarding these College Board and ACT surveys, PTAC guidance also says:

      “The survey’s multiple questions are designed to allow targeted recruitment, and students are specifically asked whether they would like to receive materials from different organizations, including colleges and scholarship organizations. For students who consent to being contacted by these organizations, the testing companies then sell this information….The administration of these tests and the associated pre-test surveys by SEAs and LEAs to students raises potential issues under the Family Educational Rights and Privacy Act (FERPA), the confidentiality of  information provisions in the Individuals with Disabilities Education Act (IDEA), the Protection of Pupil Rights Amendment (PPRA), and several recently enacted State privacy laws, and generally raises concerns about privacy best practices.”

11. We know, we said top 10, but this last one is important.  Surveillance cameras in schools sometimes have video feeds that are shared with police, such as the Highland Park Independent School District in Texas where police and also the city have access to the school’s surveillance cameras. Parents were required to agree to this surveillance and waive their student’s privacy rights before they could register their child for school.

Some school surveillance cameras are powered with AI (Artificial Intelligence)– these cameras in Greeley, Colorado schools can read expressions on people’s faces and their mannerisms and be able to tell if they look violent.  Privacy experts warn about faulty facial recognition and predictive profiling.

Surveillance apps like Bark or Gaggle collect everything a student types and flag it for risk,  alerting teachers, administrators and sometimes warranting a visit from police.

As this Washington Post article details, some schools are using invasive online proctoring apps like Proctorio, ProctorU, and Examity, requiring students to agree to  let these apps monitor their webcams, their microphones, access their computers, and give the app companies “reams of sensitive student data such as their home addresses; details about their work, parental and citizenship status; medical records, including their weight, health conditions and physical or mental disabilities; and biometric data, including fingerprints, facial images, voice recordings and “iris or retina scans.”   As CNN reports, the AI and predictive algorithms  used in proctoring programs can be biased and inaccurate; wrongly flagging a student as suspicious can cause real life harm,  and these programs raise ethical and privacy concerns.  Parents and students are feeling pressured into giving up their rights as a condition of attending school. As this EdSurge article states, privacy leaders question whether school surveillance has gone too far:

“A growing chorus of education and privacy leaders are speaking out about the role of surveillance technology and whether it belongs in America’s schools or raises more issues than it solves. “

Parents have been told that students  cannot opt out of either the surveillance cameras or proctoring apps.   We challenge schools to do better.  We encourage parents to ask for copies of these data sharing agreements, contracts, MOUs.   Talk to your school boards, talk to your legislators and let them know that students should not have to pay the price of an education at the expense of their privacy.

Check out our Parent Toolkit for Student Privacy,  for more tips on how to protect your child’s personal data.  Read this open letter from our friends at Commercial-Free Childhood and Defend digital me,  signed by the Parent Coalition for Student Privacy and over 30 advocacy groups worldwide,  asking policy makers, data protection authorities, and providers to protect kids’ rights, privacy, and well-being when they are engaged on edtech platforms.  Join us.  If you have questions about your student’s privacy, we’d love to hear from you.

 

How NY State Ed Department is trying to weaken student privacy by allowing the selling & marketing of personal data

Update 10/10/19: This post was reprinted with the title Is New York state about to gut its student data privacy law? in the Washington Post Answer Sheet on Sept. 11,  along with responses from ACT and College Board.

As a result of the comments and concerns expressed by many parents and privacy advocates, the NY State Education Department decided to omit the provision they had added to the proposed regs to allow for the sale or commercial use of student data with parent consent.  Yet a third version of these regulations will be posted shortly for public comment, and will be voted on in January by the Board of Regents.

The New York Board of Regents is currently considering whether to approve a radical weakening of the state student privacy law, which would allow the College Board, the ACT and other companies that contract with schools or districts to use the personal student information they collect for marketing purposes – even though the original New York law that was passed in 2014 explicitly barred the sale or commercial use of this data. Parents and all others who care about protecting children’s privacy should send in their comments to the state now, by clicking here or sending their view to [email protected]. Deadline for public comment is Sept. 16. More on this below.

Starting in 2014, many states, including New York, approved legislation to strengthen the protection of student privacy, due to a growing realization on the part of parents that their children’s personal data was being shared by schools and districts with a wide variety of private companies and organizations without their knowledge or consent. The US Department of Education had weakened the federal student privacy law known as FERPA twice over the past decade, rewriting the regulations during the Bush and Obama administrations to allow for non-consensual disclosures for different purposes.

At that time, few parents were aware how federal law had been altered to allow their children’s information from being passed into private hands. Then controversy erupted over the plans of nine states and districts to share personal student data with a comprehensive databank called inBloom, developed with more than $100 million of funding from the Gates Foundation.

InBloom Inc. was designed to collect a wide variety of personal student data and share it with for-profit vendors to accelerate the development and marketing of the ed tech industry, to facilitate the adoption of online instruction and assessment. As a result of widespread parental activism and concerns, all nine states and districts that had originally intended to participate in the inBloom data-sharing plan pulled out, and 99 new state student privacy laws were passed across the country between 2014 and 2018.

New York was one of the first to pass a new student privacy law. In March of 2014, our State Legislature approved Education Laws § 2-c and §2-d , which among other things, prohibited the state from sharing student data with inBloom or another comprehensive databank, and also regulated the way schools and vendors must secure student data, including imposing a complete ban on the sale of personal student information or its use for marketing purposes .

As a result of these provisions, New York received a grade of A- in the category of “Limitations on the Commercial Use of Data” in our State Student Privacy Report Card, released last January by the Parent Coalition for Student Privacy (PCSP), which I co-chair, and the Network for Public Education. In turn, this high mark raised New York’s overall grade for protecting student privacy in our rating system to B-, the second highest grade of any state after Colorado. (You can check out the interactive map that grades every one of the fifty states on its student privacy laws, overall and in seven different categories).

Yet to the frustration of many parents and privacy advocates, it would be nearly five years before New York State Education Department drafted any regulations to implement its 2014 student privacy law. In October of 2018, NYSED finally released proposed regulations for public comment. In March 2018, PCSP along with the statewide coalition New York State Allies for Public Education (NYSAPE), submitted recommendations on how to strengthen and clarify those regulations, as did more than 240 parents and privacy advocates.

After the initial period of public comment had ended, instead of strengthening the regulations, the NYSED gutted them, and now proposed allowing student data to be used for commercial purposes as long as there was parental “consent” – a huge loophole that would create the opportunity for districts, schools and vendors to misuse this data in myriad ways.

In their rationale to the Board of Regents, posted here, NYSED officials were frank about their reasons for revising the proposed regulations in this way: to allow the College Board and ACT to offer “college search services to students and parents who consent to the release of college entrance test data to colleges and higher education institutions by college admissions testing companies.”

Yet the College Board and ACT do not just share the test score data in the ordinary ways that parents expect, that is, send these scores to whatever specific colleges that their children have applied to attend. They also sell personal student data to many unspecified organizations and institutions which then re-sell it to unscrupulous for-profit companies.

In particular, the College Board makes untold millions of dollars from marketing personal student data through their “Student Search Service”. Much of this confidential data is deceptively harvested through surveys administered to students right before they take the PSATs and SATs, or when they register for the test online, a practice that we have written about previously and more recently has been criticized by the US Department of Education.

In May of 2018, the Privacy Technical Assistance Center (PTAC) of the US Department of Education released guidance that if states and districts contract with the College Board or ACT to give these exams to students, as is increasingly the case across the country including in New York City, they may be violating federal privacy laws in several different ways.

First of all, as PTAC officials pointed out, the supposedly “voluntary” surveys given to students before taking the PSAT or SAT may include questions relating to highly sensitive issues including their religion, grade point averages and/or family income. Often, it’s not clear to these students that they have a choice not to offer this information, and since they are already feeling high levels of anxiety before taking these exams, they may feel pressured to do so. They certainly are not told that the data is sold will be sold at a profit by the College Board. In any case, some questions relating to sensitive issues cannot be asked legally of students who are under 18 without the prior notification and opt out or consent of their parents, according to the federal law known as the Protection of Pupil Rights Amendment (PPRA).

As the PTAC guidance document also makes clear, “the testing companies then sell [personal student] information to colleges, universities, scholarship services, and other organizations for college recruitment and scholarship solicitation.” If students are asked to take these exams by their districts, and the data is offered to third parties without explicit parental consent, this widespread practice also likely violates both FERPA and IDEA, the Individuals with Disabilities Education Act, the latter which has special provisions to protect the private data of students with disabilities.

To make things worse, the College Board is deceptive about whether this data is actually sold. In the College Board privacy policy for the “Student Search Service,” they falsely reassure parents that “The College Board does not sell student information.

Yet on another page on their website, they hedge this claim by saying they don’t “sell information about participating students to any third party without the student’s permission.” [Never mind that many of these students have not reached the age of consent.]
On a different, third page on their website designed for potential commercial customers, the purchase price of this data is made clear: 47 cents per student name.

The College Board is just as cagey and at times contradictory about what specific student data is shared with third parties through their “Student Search Service.” On their privacy policy page, they say the data may relate to the students’ “academic and extracurricular interests, career and field of study interests, family income, and religious preferences.”

A longer and more specific list of data is listed on the Student Search webpage, revealing that, depending on the test taken, it may include student email addresses, ethnicity, GPA, sports, or “educational aspirations.” On that same page, the College Board affirms that “we never share” information through this service relating to a student’s “disability status, self-reported parental income, Social security number, phone numbers, or actual test scores.”

Parents are forced to dig even deeper into a SAT registration booklet, to discover that while their child’s “actual test scores” may not be sold to third parties, “Colleges participating in Student Search … can ask for names of students within certain score ranges[emphasis mine].”

So unknowingly, students who are asked to answer questions from a survey before the administration of these exams may at the same time be unknowingly giving their permission to sell their data to a variety of institutions and organizations, who in turn, may then redisclose the data to other organizations and/or for-profit companies.

Last summer, in July of 2018, in an explosive article entitled “For Sale: Survey Data on Millions of High School Students,” the NY Times exposed how the College Board sells the personal information they collect via these surveys to various “partners,” who in turn may re-sell the data to for-profit companies, allowing them to use the information to market their dubious products and services to unsuspecting families.

The article described how thousands of students attended a “Congress of Future Science and Technology Leaders” costing $985, run by the for-profit National Leadership Academies. The company had bought their names and other data from an unnamed university, which in turn had purchased it from the College Board: “In filling out those surveys, the teenagers ended up signing away personal details that were later sold and shared with the future scientists event.” Once the data is sold by the College Board, it is nearly impossible to monitor any other use or redisclosures of the data.

College Board is far from the only untrustworthy actor in this regard. ACT has been similarly surreptitious about what personal student data is collected and sold to colleges and other third parties, through the survey on the online ACT Student Profile Section that students are asked to voluntarily fill out when registering or before taking the exam.

Without their knowledge, ACT allegedly identified student disability status through this information on the score reports sent to colleges and sold this information to colleges and other third parties. After this practice was discovered, a class action lawsuit was filed in August 2018 in the US District Court in Los Angeles. In a recent legal filing, ACT informed the court that it will no longer sell student disability status in the data collected voluntarily by students, but refused to admit to flagging its regular score reports with this information.

As Joel Reidenberg, a professor at the Fordham University School of Law, the head of the Center on Law and Information Policy told the NY Times, “The harm is that these children are being profiled, stereotyped, and their data profiles are being traded commercially for all sorts of uses — including attempts to manipulate them and their families.”

A research report co-authored by Professor Reidenberg found that there exists a thriving marketplace in student data, in which brokers offer a wide variety of sensitive student information for sale, including their ethnicity, income, religion, and interests, and that this data could “be used for a range of malicious purposes, including discrimination and identity theft.”

In 2014, after both New York and California passed laws prohibiting the selling of personal student data or their use for any commercial purposes, College Board and the ACT stepped in, realizing how these laws represented a severe threat to their thriving business in student data.

In Colorado, the College Board stepped in to persuade legislators to provide a special exemption from the law for their benefit – to allow school vendors to “sell, rent, or trade” personal student information for the “purpose of providing the student with information about employment, educational scholarship, financial aid, or postsecondary educational opportunities “ – as long as parents or students over the age of thirteen gave their consent.

In Arizona, Nebraska, North Carolina, Texas and Washington D.C. as well, their student privacy laws incorporated these exemptions, to allow the College Board and ACT to continue selling personal data for these purposes.

Now, these same companies, College Board and ACT, have apparently persuaded the NY State Department of Education to rewrite our state law by creating an expansive new loophole that would allow these practices to continue, by redefining the term “marketing” in the following way:

Where a parent or eligible student requests a service or product from a third-party contractor and provides express consent to the use or disclosure of personally identifiable information by the third-party contractor for purposes of providing the requested product or service, such use by the third-party contractor shall not be deemed a marketing or commercial purpose prohibited by this Part.”

As PCSP and NYSAPE wrote in a letter to NYSED after the new draft regulations were revealed,

“To create a new, huge loophole in the law that would allow the College Board, ACT or any other contractor or subcontractor to sell student data and/or use it for marketing purposes, by making the untenable claim that such sale or marketing purpose is not truly marketing if there is consent, is a drastic weakening of the law which should NOT be contemplated….

If the College Board lobbyists or its supporters would like to eliminate the prohibition of the sale or marketing of student personal data in the law, they should go to the Legislature and ask that it be amended. This should not be done through regulations or by attempting to redefine the meaning of the term “marketing.”

In fact this loophole could benefit many other vendors, and even perhaps schools or districts that may want to profit off the use of student data, by asking for parental or student consent in surreptitious ways, for example requesting that they click on a button to signal their “consent” without carefully reading the privacy policy. Even if students or their parents knowingly consented to the initial marketing use or sale of the data, once the transfer of information has occurred, it is nearly impossible to track how it will be commercialized from that time on.

This wholesale rewriting and evisceration of the New York student privacy law should not be allowed. The deadline on public comment on the new regulations is September 16, and the Board of Regents are due to vote on the new regulations during their monthly meeting on October 8-9. Parents and all others who care about protecting children’s privacy should send in their comments now, by clicking here or sending their view to [email protected].

They should also call their Regents members, to urge them to reject these regulations which would violate the original intent of the law, and would open a Pandora’s box of an unfettered marketplace of personal student data, with potentially damaging results.