Earlier this year, the Federal Trade Commission and the US Department of Education held a workshop in Washington, DC. The topic was “Student Privacy and Ed Tech.” We at EFF have been trying to get the FTC to focus on the privacy risks of educational technology (or “edtech”) for over two years, so we eagerly filed formal comments.
We’ve long been concerned about how technology impacts student privacy. As schools and classrooms become increasingly wired, and as schools put more digital devices and services in the hands of students, we’ve been contacted by a large number of concerned students, parents, teachers, and even administrators.
They want to know: What data are edtech providers collecting about our kids? How are they using it? How well do they disclose (if at all) the scope of their data collection? How much control (if any) do they give to schools and parents over the retention and use of the data they collect? Do they even attempt to obtain parental consent before collecting and using incredibly sensitive student data?
In the spring of 2017, we released the results of a survey that we conducted in order to plumb the depths of the confusion surrounding edtech. And as it turns out, students, parents, teachers, and even administrators have lots of concerns—and very little clarity—over how edtech providers protect student privacy.
Drawing from the results of our survey, our comments to the FTC and DOE touched on a broad set of concerns:
■ The FTC has ignored our student privacy complaint against Google.
Despite signing a supposedly binding commitment to refrain from collecting student data without parental consent beyond that needed for school purposes, Google openly harvests student search and browsing behavior and uses that data for its own purposes. We filed a formal complaint with the FTC more than two years ago, but we’ve heard nothing back.
■ There is a consistent lack of transparency in edtech privacy policies and practices.
Schools issue devices to students without their parents’ knowledge and consent. Parents are kept in the dark about what apps their kids are required to use and what data is being collected.
■ The investigative burden too often falls on students and parents.
With no notice or help from schools, the investigative burden falls on parents, and even students, to understand the privacy implications of the technology that students are using.
■ Data use concerns are unresolved.
Parents have extensive concerns about student data collection, retention, and sharing. Many edtech products and services have weak privacy policies. For instance, it took months for the lawyers at EFF to get a clear picture of which privacy policies even applied to Google’s student offerings, much less how they interacted.
■ Lack of choice in edtech is the norm.
Parents who seek to opt their children out of device or software use, and particularly those without the resources to provide their own alternatives, face many hurdles. Some districts have even threatened to penalize students whose parents refuse to consent to what they believe are egregious edtech privacy policies and practices.
■ Overreliance on “privacy by policy.”
School districts generally rely on the privacy policies of edtech companies to ensure student data protection. Parents and students, on the other hand, want concrete evidence that student data is protected in practice as well as in policy.
■ There is an unfilled need for better privacy training and education.
Both students and teachers want better training in privacy-conscious technology use. Edtech providers aren’t fulfilling their obligations to schools when they fail to provide even rudimentary privacy training.
■ Edtech vendors treat existing privacy law as if it doesn’t apply to them.
Because the Family Educational Rights and Privacy Act (FERPA) generally prohibits school districts from sharing student information with third parties without written parental consent, districts often characterize edtech companies as “school officials.” However, districts may only do so if—among other things—providers give districts or schools direct control over all student data and refrain from using that data for any other purpose. Despite the fact that current edtech offerings usually fail those criteria, vendors generally don’t even attempt to obtain parental consent.
We believe it is incumbent upon school districts to fully understand the data and privacy policies and practices of the edtech products and services they wish to use, to demand that edtech vendors assent to contract terms that are favorable to the school districts and actually protect student privacy, and to be ready not to do business with a company that does not engage in robust privacy practices.
While we understand that school budgets are often tight and that technology can actually enhance the learning experience, we urge regulators, school districts, and the edtech companies themselves to make student privacy a priority. We hope the FTC and DOE listen to what we, and countless concerned students, parents, and teachers, have to say.
Sophia Cope and Nate Cardozo from the Electronic Frontier Foundation, the leading nonprofit organization defending civil liberties in the digital world