IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

3 Student Data Privacy Bills That Congress Could Act On

Over the next few years, federal legislators may work out some of the details on how to codify student data privacy protections.

Congress may make some progress this year as it works through the details of how to protect student data privacy.  

Legislators introduced eight federal bills last year that addressed student data privacy, but only three of them seem to have a chance of moving forward in the next few years, said Amelia Vance, director of education data and technology at the National Association of State Boards of Education.

"It's been a continuing priority," Vance said. "I think the question is less about the fact that people care about this issue and much more about how should this work, what is the federal government's role in all this."

For the last two years, congressional leaders and President Obama have publicly said that student data privacy is important. At the same time, legislators and educators have raised concerns about how to find a balance between three things that have kept bills from moving forward at the federal level:

  1. A balance between protecting student information and allowing schools and service providers to use it in ways that help students;
  2. A balance between providing guidance and not being so prescriptive that technological advances quickly outpace the provisions; and
  3. A balance between federal and state roles and laws.
"I would caution people just not to get too prescriptive, saying, 'When you install security, do it this way. And when you're doing something, do it this way.' Because technology evolves so quickly, I'll have to replace it in another year," said Bob Swiggum, CIO of the Georgia Department of Education.

Swiggum served as an expert witness about student data privacy in a hearing before the House Committee on Education and the Workforce on Tuesday, March 22. In that hearing, representatives heard from four witnesses as they considered bills including the Student Privacy Protection Act, a rewrite of the Family Educational Rights and Privacy Act of 1974 (FERPA) that governs student records. 

Reps. Todd Rokita (R-Ind.), Marcia Fudge (D-Ohio), John Kline (R-Minn.) and Bobby Scott (D-Va.) introduced the bill in July. This bill would update the law to protect student data in the digital age in seven ways:

  1. Include student data from classroom technology in the definition of an education record;
  2. Forbid schools and third parties from using student data to market services to students;
  3. Spell out parental rights to see their children's records and opt them out of sharing directory information such as their name and date of birth;
  4. Increase security standards for student data;
  5. Be transparent about the information schools can use for educational purposes;
  6. Give schools guidance; and
  7. Require schools to hire a privacy official to govern student data use.
Along with Vance, some legislators indicated that the FERPA rewrite could move forward this year.

"Insofar as we have bipartisan legislation already before the committee, I'm confident that we'll be able to pass legislation to update the Education Science Reform Act and the Family Educational Rights and Privacy Act in such a way that maximizes the available use of student information to improve student education policy without jeopardizing student and family privacy," said Scott in his closing remarks.

2 Bills That May Take More Time to Pass

While the Student Privacy Protection Act could pass this year, several other bills may make progress over the next few years, Vance said:

  1. The SAFE KIDS Act from Sens. Steve Daines (R-Mont.) and Richard Blumenthal (D-Conn.)
  2. The Student Digital Privacy and Parental Rights Act of 2015 from Reps. Luke Messer (R-Ind.) and Jared Polis (D-Colo.)
These two bills place similar restrictions on third-party service providers and give the Federal Trade Commission authority to deal with providers that don't follow the law. A number of their provisions have roots in California's landmark Student Online Personal Information Protection Act (SOPIPA) legislation passed in 2014. They also continue the efforts of a working group that Messer and Polis started in 2014, which resulted in a Student Data Privacy Pledge that more than 200 companies have signed. 

The SAFE KIDS Act would give the FTC the authority to enforce student data protections at the provider level. This bill prohibits providers from selling or sharing protected student information, targeting advertising to students based on the data they collect, and sharing data with third-party operators in ways that don't follow the law. It also requires them to establish tighter security protections.

Parents would be able to view and correct their children's data, and the operator would be required to delete information within 45 days of a parental request or within two years of student inactivity. In addition, providers would need to publish a privacy policy and ask for school permission to use data for specific purposes.

The Messer-Polis bill prohibits third-party service providers from advertising to students based on their behavior online and in the service they provide. It also doesn't allow them to sell student information or create student profiles that don't have educational purposes. 

Parents would be able to choose whether to share their students' data for purposes outside of education; delete the information that schools don't need; see and correct student data; and use the data they find.
Operators would need to publicly share on their websites what information they collect and how they're using it. But they would be able to use student data for adaptive and personalized learning purposes, as well as to improve their products with aggregated, deidentified data.
The FTC would enforce the bill's requirements and work with the U.S. Department of Education when its enforcement affects a particular school. If a data breach affects student data that operators collect, the operator would need to let the commission and potential victims know, which current law already requires.  
These bills are still in the beginning stages of the legislative process, and with a lame-duck Congress after the upcoming November elections, legislators have less time this year to work on student data privacy, Vance said. But they're hammering out some of the details and may pass at least one bill this year.