Fordham Law

Parents Worry Student Data Will Be Used for Marketing, Not Education

Joel Reidenberg in U.S. News & World Report, January 23, 2014

Media Source

A large majority of American adults are becoming increasingly concerned that student data collected by school districts could be used by third-party companies to market to students, rather than being used to enhance academic achievement.

In a recent survey from the nonprofit organization Common Sense Media, 89 percent of 800 adults polled said they were at least somewhat concerned about advertisers using students' personal data to market to them.

"There's no question that, partly because of the attention to the NSA stuff in the past few months, that the public is way more concerned about privacy issues," says Jim Steyer, chief executive officer of Common Sense Media. "And the major new place this is occurring now is going to be in schools."

The survey also found that nearly 6 in 10 parents have heard little or nothing about the fact that many school districts contract with private companies to collect student data.

But Kristin Yochum, director of federal policy at the nonprofit Data Quality Campaign, says there are very strict guidelines governing what private companies can and cannot do once they receive certain student data.

The Family Educational Rights and Privacy Act (FERPA) prohibits private companies from using data found within a student's official educational record, stipulating the data can only be used for evaluation, audit and compliance activities, Yochum says.

"For example, doing the analysis to pull out data to report out to the federal government or to do analysis for teachers to use in the classroom to improve student achievement on a daily basis," she says. "They are absolutely prohibited from using that data for marketing purposes under FERPA."

But the new survey draws on a recent study from Fordham University's Center on Law and Information Policy, which found that when schools contract with third-party service providers, there often are gaps where there should be specific regulations governing what data the service providers can and cannot share with marketers.

While certain student information – specifically anything contained in a student's educational record, such as dates of birth, addresses, grades, test scores and disciplinary records – is protected under FERPA, there are many other data sources that are not protected under the federal regulation, says Joel Reidenberg, a law professor at Fordham.

"One of the things that we found in our study is that schools are using cloud service providers for a whole variety of functions," Reidenberg says.

If a school uses a cloud service provider for email, for example, the content of that email is not protected under FERPA, Reidenberg says.

If the service provider searches for keywords in a student's email, finds the particular student is interested in a certain product – like bicycles – and confirms that the information is available for sale, FERPA "would not preclude the sale of that information," Reidenberg says.

Other information that might fall into that unprotected category might include data collected when students use prepaid ID cards to pay for their cafeteria lunches, or data collected by schools to outsource planning bus routes.

"The busing company now has data that a third-grader is standing on the corner at 7 a.m. waiting for the school bus," Reidenberg says.

Even still, Reidenberg found in his study that many schools do not maintain acceptable control over student data – even information included in an educational record – when they deal with third-party providers.

School districts are allowed to share data protected under FERPA with service providers – such as a student's transcripts to be used for data analytics purposes – as long as they set a contract spelling out the restrictions on the use of the data, Reidenberg says.

But fewer than 10 percent of the contracts Reidenberg reviewed explicitly prohibited the sale of student data for marketing.

"When we looked at the content of these contracts, various elements that are essential to the school district to be in control of the data were missing," Reidenberg says. "Essentially what that means is the legal relationship the school district has established does not give the school district control once the third party gets it."

Yochum says although there have been no known data-related violations under FERPA to date, states "can and should" introduce new policies at the state level to build off of the federal law.

"We need parents and citizens to be clear and understand the policies that exist, and make sure they understand how their students' data is being used for the benefit of students' outcomes," Yochum says. "We need to just dispel the myths out there, and that's something we're working very hard to do."

Collecting student data is very valuable "if used wisely," Steyer says, because administrators and teachers may be able to develop more personalized instruction for students who are struggling. By analyzing certain data about the students, teachers can narrow down where students struggle and adjust their teaching accordingly.

"We want the data to only be used for academic and educational achievement purposes, not for marketing, not to sell them weight-loss pills or clothing or fast food," Steyer says.

In February, Common Sense Media plans to host a national summit in Washington, D.C., to outline practices they believe will better protect student information, such as setting tighter security standards to protect student information stored "in the cloud."

"It shows that privacy is a big deal, and most of all, that now student privacy is going to become a very important aspect of the proliferation of technology in classrooms," Steyer says. "And that can be taken care of, but you need state and local governance and education officials to put in place simple student privacy laws."