Building on last year鈥檚 energetic debate in states over how best to protect student data, legislators have intensified efforts in 2015 to address the issue in statehouses.
And this year, there鈥檚 particularly prominent tension between privacy advocates concerned about loopholes through which data can be shared and used inappropriately, and the education technology providers who don鈥檛 want restrictions on access to learning software and other services.
The template is being set by two bills in particular鈥攐ne state and one federal. The California Student Online Personal Information Protection Act (SOPIPA), passed last year, has been praised by data-protection advocates and is the model for bills introduced in 15 states this year. And national attention is focused on the federal Student Digital Rights and Parental Rights Act of 2015, sponsored by Democratic U.S. Rep. Jared Polis of Colorado and Republican U.S. Rep. Luke Messer of Indiana, which is designed to limit the sale of student information to postsecondary institutions and restrict educators鈥 discretion over its dissemination. Federal lawmakers have also recently discussed proposals to overhaul the Family Educational Rights and Privacy Act.
Good and Bad Cholesterol
According to the Data Quality Campaign, a Washington-based organization that lobbies for the effective use of student data, 177 bills have been introduced in 45 states dealing with student-data privacy and protection so far this year, as of early May. That鈥檚 up from 110 bills that were introduced in 36 states in 2014. But the approval rate for new laws has actually slipped dramatically.
A big issue this year: how service providers use or don鈥檛 use data, and in what situations they鈥檙e held accountable.
Although more bills on student-data privacy have been introduced in states this year than last鈥177 in 45 states, according to the Data Quality Campaign鈥攐nly 10 have been signed into law. Some of the notable legislation includes:
Maryland
House Bill 298 was signed by Gov. Larry Hogan last week. The law places new requirements on service providers for data security, but critics say there are several loopholes.
Virginia
Gov. Terry McAuliffe, a Democrat, signed four bills this year related to how student data can and can鈥檛 be used, and the rights of parents concerning their children鈥檚 participation in certain surveys. House Bill 2350, for example, requires the state to create a model data-security plan for districts. It also creates the new position of chief data-security officer to help districts with their security plans.
Utah
This year, Gov. Gary Herbert, a Republican, signed House Bill 163, which requires schools to notify parents if there is a security breach involving their children鈥檚 personally identifiable data. Gov. Herbert also signed a bill that requires the state school board to submit a proposal regarding how state lawmakers can update student-privacy laws.
Source: 澳门跑狗论坛
The right environment for providers is one in which their software or applications are tailored to students鈥 learning experiences, and in which they can suggest other educational services based on children鈥檚 data, without allowing that data to be used for things that have nothing to do with education, said Paige Kowalski, the vice president for policy and advocacy at the Data Quality Campaign.
That could mean, for example, a ban on advertisements for soft drinks in applications that students are using, but not a prohibition on recommending certain products in schools that individual student data have indicated could help the child.
鈥淚t鈥檚 like cholesterol. Don鈥檛 just lower cholesterol. It鈥檚 a little more complicated than that. You want to raise one and lower another one,鈥 Ms. Kowalski said. 鈥淭hat wasn鈥檛 something any of us were talking about a year ago.鈥
Mark Schneiderman, the senior director of education policy for the Software and Information Industry Association, who testified in a legislative hearing about a Maryland bill, said one of his organization鈥檚 broader goals is to smooth over inconsistencies in various states鈥 policies, in order 鈥渢o ensure that we鈥檙e not creating inappropriate barriers to technology access in the name of privacy.鈥
Avoiding Future Use
One proposal this year that creates the right balance while also establishing a clear accountability system for governing student data, according to Ms. Kowalski, is Georgia Senate Bill 89. That legislation, which was signed into law by GOP Gov. Nathan Deal earlier this month, allows student data to be used 鈥渇or adaptive learning or customized student learning purposes鈥 as well as 鈥渢o recommend additional content or services to students.鈥
The new Georgia law also requires each local school system to designate a person to address data-privacy complaints from parents, and for the state education department to create a 鈥渃hief privacy officer鈥 and develop a model policy for handling parent complaints.
Broadly speaking, states should also be working to protect student data so information from the K-12 years doesn鈥檛 鈥渃ome back to haunt the student later in life,鈥 said Joni Lupovitz, the vice president of policy at the San Francisco-based Common Sense Media, which advocates for student-privacy protections.
鈥淚f the worst thing that happens from focusing the public鈥檚 attention on this is that companies compete on which does privacy best, I鈥檓 not going to complain,鈥 she said.
Battle Over Balance
But Maryland鈥檚 tug-of-war over a recently enacted law covering student-data privacy shows that there can still be significant divides between privacy advocates and the K-12 technology industry.
House Bill 298, which was signed by GOP Gov. Larry Hogan last week, places new restrictions on the sharing of data by companies entering into contracts with schools to provide educational services. It also prohibits targeted advertising to students, as well as the creation of profiles about individual students 鈥渆xcept in furtherance of a pre-K-12 school purpose.鈥
One of the biggest issues with the new Maryland law is that it only covers education vendors that enter into contracts with districts, leaving a big loophole for other education technology providers, Ms. Lupovitz said.
鈥淚s it covering the wide swath of entities, from all online services and apps and websites that are used for K-12 purposes? That鈥檚 been an issue,鈥 Ms. Lupovitz said.
One consequence of limiting provisions of the law only to contractual arrangements is that websites and other services not covered by contracts aren鈥檛 required to delete student-level data they acquire, said Ellen Zavian, a privacy advocate in Maryland who opposed the final version of the bill.
Speaking before Gov. Hogan signed the bill into law, Ms. Zavian added that if the governor approved it, 鈥渢here is going to be a lawsuit, and it is going to come up again.鈥
But Del. Anne Kaiser, a Democrat and sponsor of House Bill 298, said that while her original bill was stronger than what Gov. Hogan ultimately signed, she stressed that the bill represents notable progress from where the state stood previously. She added that she hasn鈥檛 closed the book on her efforts to strengthen protections for student data.
鈥淲e鈥檙e planning next year to ... have a commission look more deeply at some of these issues, and sharpen some of the provisions,鈥 Ms. Kaiser said.
Industry Influence
Although there isn鈥檛 a single unified opinion in the educational technology industry about the best privacy policies, and while some companies are beginning to market themselves as good stewards of data, the industry in general has paid close attention to such bills, Ms. Lupovitz said.
鈥淲e鈥檝e seen markedly increased industry lobbying on this issue in the states,鈥 she said. 鈥淭hat has had some effects on some of the legislation.鈥
Asked about the Maryland law, Mr. Schneiderman said that the state Senate鈥檚 changes to the bill simply 鈥渁ddressed practical concerns that senators had about the bill coming out of the House.鈥
In addition to the 15 states where lawmakers have introduced bills modeled on the California law, which the K-12 technology industry has indicated needs some clarification, lawmakers have introduced bills in 10 other states that are based on model legislation written by Microsoft that鈥檚 also similar in some respects to the California statute, according to the Data Quality Campaign.
Despite the uptick in the number of bills lawmakers have considered, so far in 2015 legislative sessions, only half a dozen states have enacted new laws addressing student-data privacy, totaling 10 new statutes, according to recent information from the DQC. Last year, 21 states enacted more than two dozen such laws. According to the National Conference of State Legislatures, 31 states had adjourned or were due to adjourn their sessions this year by mid-May.
Mr. Schneiderman indicated that the industry hasn鈥檛 dramatically changed its lobbying regarding the issue from last year to this year. But he did say his group has worked with lawmakers to clarify portions of the several bills modeled on California鈥檚 law.
