Parental Consent is Not a Panacea:
A Privacy Protective Path to Using Technology in Schools
December 2023
Katherine Kalpos, Morgan Sexton, and Amelia Vance
CC BY-NC 4.0
Introduction
Data collection, use, and sharing are everywhere–and classrooms are no exception. Schools increasingly use a wide array of technologies for many different reasons, ranging from promoting student learning and success, to making data-informed decisions, and also operationalizing administrative tasks. When harnessed correctly with appropriate privacy protections in place, technology in schools can enhance teaching and learning in powerful ways. But there are also serious privacy risks to introducing technology into classrooms that must be accounted for.
Why does technology introduce additional privacy risks? Traditionally, student data was kept in paper records that were maintained by the schools and districts themselves. This allowed educational institutions to have complete control over all aspects of student data, such as deciding what data is collected, who has access to it, how it is used and maintained, and how it is ultimately destroyed. Incorporating technology into classrooms often adds a third party to this equation - technology companies. When technology is part of instruction, schools are no longer the sole party collecting information from students and making decisions that will impact their data, resulting in a new layer of data privacy risk to students. But that doesn’t mean that technology companies get a free pass to do whatever they want with student data. The Family Educational Rights and Privacy Act (FERPA) and contractual agreements with school districts greatly limit what technology companies can do, often holding technology companies to the same standards that schools themselves are held to.
Despite the existing protections, there has been a lot of discussion recently around what the relationship between students, parents, schools, and technology use in K-12 classrooms should look like–especially when it comes to consenting to technology being used in the first place. Under the Children’s Online Privacy Protection Act (COPPA), schools can consent on behalf of parents to students using technology in educational contexts if the technology services are solely for the use and benefit of the school and for no other commercial purpose. However, some privacy advocates have pushed to change current law to explicitly require schools to get parental permission to use edtech in classrooms. There have also been various proposals to change general child and consumer privacy laws in ways that would indirectly–and likely unintentionally–impact whether schools could continue to make decisions about classroom technology. Requiring parental consent for all edtech use has the potential to drastically change how schools operate, could be detrimental to student learning, and should not be included in future legislation.
Barriers to Parental Consent
Obtaining parental consent seems easy enough in theory, but the practical hurdles to getting parental consent can complicate this process exponentially for schools. Take school-based Medicaid reimbursement for example, which requires schools to obtain affirmative parental consent to bill IEP services to Medicaid. A recent survey showed how catastrophic these requirements are for schools: half of respondents reported that over a quarter of required forms were not completed, and two-thirds of respondents said the burden of following up with parents was significant. This issue isn’t unique to Medicaid - just ask any educator how hard it is to get 100% of parents to consent to their child going on any field trip.
There are many reasons it can be challenging for schools to implement parental consent requirements for technology and data use. Sometimes it may be parents’ busy schedules, lack of familiarity with privacy and security settings, or a potential language barrier hindering their ability to provide consent. Other times, the form may accidentally be lost or misplaced. Furthermore, parents might be skeptical of consenting to data sharing when the reason for sharing is not obvious. For example, parents may not inherently understand why a bus driver needs access to student medical information, so they may withhold consent to sharing that data with their child’s bus driver. But if their child were to have an allergic reaction while riding the bus, those same parents would likely want the bus driver to immediately be able to see that their child has severe allergies. And that’s not all - this infographic from FPF illustrates even more friction points in the verifiable parental consent process.
Schools Need to Retain the Ability to Consent to Using Edtech
Realizing how difficult it is for schools to obtain parental consent is vital to understanding how hard it would be for schools if they were required to obtain parental consent for all classroom technology uses. Picture a scenario where parental consent is required to use technology in classrooms, but a teacher hasn’t received parental consent for each student. What would happen? Teachers may have to choose between creating and implementing multiple lesson plans for the same classroom or not using edtech at all. This change would leave teachers not only ill-equipped to teach in a modern environment, but also coping with post-pandemic challenges like learning loss with resources of the 1980’s. This would be highly problematic, especially when the technology is being used as core curriculum–the electronic equivalent of a textbook.
Imagine what may happen to the child whose parents don’t provide the required consent for them to use the digital textbook their teacher picked. What would happen if the school doesn’t have print copies of the textbook available for that child? And if they are the only child in a classroom of twenty students that isn’t permitted to use the digital textbook, would they be singled out with individualized lesson plans and homework assignments while the rest of the class uses the digital textbook? Should the teacher stop using the digital textbook with the other nineteen students so everyone is treated the same?
A comment submitted by AASA, The School Superintendents Association and the Association of Educational Service Agencies (AESA) to the FTC’s 2019 COPPA Rule Review further details how challenging it would be for schools if they were required to obtain affirmative parental consent prior to using edtech in classrooms:
If schools must actively obtain parental consent, this is likely to cause a number of harmful and unintended consequences. First, the requirement will create a substantial administrative burden on schools. Districts rarely receive 100% return on requests for parent consent which may impede the function and operation of critical technology services. Online and Ed Tech services, including learning management systems that deliver curriculum by collecting student input and providing an individualized level of instruction depending on student individual response, are ubiquitous in schools and may provide vital school functions. Additionally, some school districts serve tens of thousands of students and operate multiple educational software programs and applications that may serve the same purpose as textbooks or other core curricular materials. Therefore, in addition to the administrative burden, this requirement could shut down or inhibit many vital school functions, like managing curriculum materials, taking attendance, or transferring transcripts.
Requiring parental consent for all technology uses in schools is an unworkable standard in practice, but that does not mean that no privacy guardrails should be in place due to schools’ administrative feasibility concerns. FERPA, state student privacy laws, and school districts’ contractual agreements with technology companies already establish foundational privacy safeguards that are tailored to the realities of K-12 schools. FERPA prohibits schools from disclosing education records without consent or very specific safeguards and requires schools to give parents (and eligible students) access to education records upon request. Additionally, the FERPA regulations specify certain protections that must be included in written agreements with schools. For more information about the underlying privacy protections that already exist in FERPA, watch this introductory video from the Department of Education and check out the Privacy Technical Assistance Center’s website.
When Parental Consent Should be Obtained for Technology Use in Schools
While schools need to have the ability to consent on behalf of parents to using edtech in the classroom as core curriculum, there are times that parental consent is appropriate–and arguably necessary–in the K-12 context. In their comment to the FTC’s 2019 COPPA Rule Review, the National PTA wrote:
One example we frequently hear is the use of wireless heart rate monitors in physical education classes. In those instances, when declining to participate would not impact instruction or essential administrative functions, parents should retain their right to consent to data collection – much like parents must consent to field trips or other extracurricular activities.
Differentiating between technology used as core curriculum and technology used as secondary to core curriculum introduces a necessary nuance to the discussion of when parental consent should be obtained prior to using edtech in schools. To ensure that parents remain empowered to make appropriate decisions about the technology that supports their child’s education without overburdening schools and teachers, the core curriculum and secondary uses distinction should be explored and–if a change were to be made that would require parental consent for edtech use–should be seriously considered as the approach adopted in future legislation.
However, as previously pointed out, it is important to remember that “[e]ven where consent may be appropriate, students and parents are often not in the best position to assess the benefits and risks of data collection and use; the burden of vetting the technology used by their child’s school should not be placed on them.” Parental consent should not be a free pass for companies to violate core student privacy rights in the K-12 environment. If parental consent were to be required–whether for all technology or just edtech used as supplementary to core curriculum–additional safeguards should be implemented to ensure children are protected at school. For example, regardless of whether a teacher receives parental consent, teachers should not be allowed to use technologies in their classrooms that have not gone through the district’s technology vetting process and received official approval.
Closing Thoughts
Obtaining affirmative parental consent is a burdensome process for schools that seldom results in 100% response rate and–if mandated for all edtech used in classrooms–could lead to teachers choosing to not use edtech at all with their students. While parental consent can be appropriate for certain secondary uses of technology, it should not be required for technology used as core curriculum in schools. And where parental consent is appropriate, additional safeguards–including district technology vetting and approval–must be in place to ensure that parents do not have to bear the heavy burden of conducting due diligence on their own. The current legal framework allowing schools to consent to certain edtech uses in the classroom, subject to the privacy protections of FERPA and contractual agreements between school districts and technology companies, should be retained.
Pingback: Fixing FERPA – Public Interest Privacy Center
Pingback: Tis the Season for Rulemaking: FTC Announces New COPPA NPRM – Public Interest Privacy Center
Pingback: COPPA Top 5 – Public Interest Privacy Center
Pingback: Fixing FERPA: Distinguishing Between Core & Secondary Technology Uses – Public Interest Privacy Center