Distinguishing Between Core & Secondary Technology Uses
June 2024
Katherine Kalpos, Morgan Sexton, Amelia Vance, and Casey Waughn
CC BY-NC 4.0
Schools use technology to take attendance to ensure they create accurate records of which students are present, and FERPA protects this personally identifiable information (PII).
Students might wear heart monitors as part of gym class, which also creates PII. FERPA protects this very different type of PII in the same way and to the same degree that it protects attendance data.
A fundamental problem with FERPA is that it includes all-or-nothing protections for data regardless of why the data was collected, how critical or irrelevant that data is to learning or administrative processes, or how sensitive it is. This is partially because FERPA was enacted at a time when most student data was collected manually and with the knowledge of students and parents. Since its enactment in 1974, the landscape of student data collection has transformed significantly. Advances in technology now allow for the tracking of intimate details about students' lives, even beyond school hours. This means that FERPA permits and protects supplemental data collection, such as data collected by wearable heart rate monitors, to the same degree that it protects routine, essential data collected for schools’ daily functioning, like taking attendance. This all-or-nothing framework is not conducive to current uses of technology in schools. Moreover, any external efforts to regulate supplemental data collection in schools would likely unintentionally also interfere with required data collection.
To better address the reality of current technology use in schools, a distinction should be added to FERPA that enables schools to consent to technology-enhanced instruction for core curricular purposes while giving parents an appropriate level of control over technology uses that are secondary to core curricula (hereafter secondary technology uses). Allowing schools to determine whether parental opt-in or opt-out is appropriate for secondary technology uses would give teachers the flexibility to offer technology-enhanced learning experiences to their students in ways that provide appropriate privacy protections for different contexts and honor parents’ fundamental role in their children’s education.
Why the All-or-Nothing FERPA Framework Is Outdated
FERPA is a federal law that protects the confidentiality of student personally identifiable information (PII) maintained in education records, but FERPA does not account for how the PII it protects becomes part of education records in the first place. The result is that data collected from various technologies used in schools is treated the same under FERPA despite the vastly different uses and privacy concerns associated with each different technology.
Parents may hesitate to let teachers track their children’s heart rate in gym class but have no issue with their children using electronic textbooks to learn math. Both electronic textbooks and wearable heart rate monitors used in school can collect PII from students that then becomes part of education records. And heart rate data is arguably more sensitive and personal than is data related to simply using an electronic math textbook. But since FERPA treats all student PII in education records the same way, the law protects the data collected by electronic textbooks and by wearable heart rate monitors the same way. Without creating a distinction in FERPA that differentiates protections according to the type of PII collected, efforts to restrict more-sensitive technology uses under FERPA would also likely restrict mundane technology uses such as electronic textbooks as well. Many state laws already make a distinction between these different types of data and uses. For example, numerous states impose additional consent requirements for biometric information.
Prior Proposed Solutions Are Insufficient
Ideas have circulated about how to give parents more control over the technologies their children use in school. But many of these suggestions would not work in practice due to how difficult it is for schools to obtain widespread parental consent (see our recent blog for more details).
For example, one proposed solution is to obtain parental consent before children can use any technologies in school. This approach overlooks the reality that parents may have differing concerns for different types of technologies depending on how and why they’re used, as well as the specific information each technology collects from their children. To facilitate this method of parental consent, schools would likely add a universal parental opt-in or opt-out form for all technology uses to the general back-to-school paperwork packet at the start of each school year. Not only does this approach lack meaningful transparency regarding which technologies are actually used in classrooms, but it also runs the risk of broad (potentially unintentional) parental opt-outs of technologies they expect their children to use in school. For example, parents may misinterpret their universal opt-out as preventing their child from using only unvetted, emerging technologies, when in fact their decision will also prevent their children from using technologies that are common in modern classrooms, such as smartboards. Additionally, parents who are concerned about classroom projects involving the use of social media would be forced to either consent to such projects or prohibit their children from using any technology at all.
A more tailored idea involves giving parents the opportunity to opt in or opt out of their children using specific technologies at school. While more practical than the above-mentioned approach, this would likely still create an infeasible administrative burden for schools. To enact this method of parental consent, schools may have to choose between (1) listing all covered technologies used on a single consent form sent out at the beginning of the year and (2) sending out individual consent forms for every single covered technology the district wants to use. This would be extremely difficult for schools to do, especially considering the reality that on average K-12 school districts use more than 2,500 edtech products each year. And it would be even harder if parental opt-in were required for each specified technology, since school personnel would have to track each parent’s response for every specific technology and then implement safeguards to ensure that students whose parents have not opted in to various technologies are not allowed to use those technologies.
Reframing the Issue of Core and Secondary Technology Uses in Schools
As the sections above suggest, most technology used in schools falls into one of two categories: (1) technology used as core curriculum (core technology uses) and (2) technology used as secondary to core curriculum (secondary technology uses). Core technology uses include not only curriculum-based items like electronic textbooks but also basic school functions such as technologies used to take attendance, maintain bus schedules, provide access to school meals, and so forth. These core technology uses are central to the learning process and are a direct part of school functioning. Allowing parents to opt out of core technology uses would undermine classroom activities. In contrast, secondary technology uses, like wearable heart rate monitors in gym class, may supplement the learning process but do not provide content that is crucial for learning itself. Allowing parents to opt out of secondary technology uses would not undermine classroom activities.
Currently, schools can consent to certain edtech uses in the classroom subject to FERPA’s privacy protections and contractual agreements between school districts and technology companies. This should remain for core technology uses. But parental control could be increased in a way that is not likely to significantly disrupt schools’ ability to provide high quality educational experiences to all students, by allowing parents to opt in or opt out for secondary technology uses. We believe that adding this distinction to FERPA would be a moderate step that gives parents more power while allowing supplemental, technology-enhanced learning opportunities and would not significantly disrupt basic educational and administrative functions.
Our Recommendations
FERPA should be amended to differentiate core technology uses and secondary technology uses, which would then require different forms of consent for each type of technology use. Below we offer three recommendations that specify how this might work. Recommendation 1 provides a framework for determining when technology uses should be viewed as core or secondary. Recommendations 2 and 3 discuss which types of consent should be used for core and secondary technology uses, respectively.
1. Distinguish Between Technology Used as “Core Curriculum” and “Secondary to Core Curriculum”
To be considered a core technology use, a technology use would need to have a necessary instructional or operational educational purpose. Whether a particular use has this purpose should be determined on a case-by-case basis after weighing the potential benefits and risks associated with using the technology, specifically taking the following into consideration:
- Instructional quality and delivery;
- Student safety;
- Central classroom administrative and operational functions;
- Compliance with existing federal and state laws.
At no point should necessary instructional or operational educational purposes be interpreted to include:
- Using devices that provide ongoing reports on physiological indicators, including heart rate or brain waves;
- Using technologies that claim to predict emotional state or other psychological characteristics;
- Using student biometrics (including but not limited to facial recognition, retina or iris patterns, or finger or palm prints) for any purpose other than biometrics that are stored locally on a device, such as using facial recognition or a finger scan to unlock that device.
Technologies used in classrooms that disclose student PII from education records and do not amount to core technology uses should be considered secondary technology uses. For example, a teacher uses a translation app in the classroom to communicate with students who are English language learners. This is absolutely critical to the instructional quality and delivery as well as to the operation of the classroom. Additionally, since individual student accounts are not required to use the translation app, this technology use presents little risk to student safety or legal compliance. Therefore, this use of a translation app rises to the level of core curriculum.
In contrast, using virtual reality (VR) headsets to allow students to take virtual field trips to the moon is likely supplemental. This technology use collects a large amount of student PII, as explained in a Future of Privacy Forum report: “Twenty minutes of VR use can generate approximately two million data points and unique recordings of body language. VR headsets track a dozen types of movements upwards of 90 times per second to convincingly render a scene.” Non-participation in this use of VR would likely not limit instructional quality if the student can instead view 2D images of the moon, and students’ not using the VR is not likely to inhibit the school’s central operational functions. Therefore, this use of VR should be classified as a secondary technology use.
2. Maintain Schools’ Ability to Consent to Technology Used as Core Curriculum
Currently, schools can and frequently do consent on behalf of parents to students’ use of technology in educational contexts when the services are solely for the use and benefit of the school and for no other commercial purpose (see section N of the Federal Trade Commission’s COPPA FAQs for details). Schools should retain the ability to consent in this way when the technology is used as a core technology use. In doing so, schools should continue to follow best practices for thoroughly vetting the technologies prior to use and ensuring that appropriate safeguards are in place to protect student information.
As mentioned, it can be difficult for schools to obtain widespread parental consent––just ask any educator about their experience trying to get field trip permission forms signed and returned for all of their students. If parental consent were required for core technology uses, there is a significant possibility that many students would not be allowed to use technology in school, potentially preventing teachers from using any technology with their students to avoid differential treatment in the classroom.
For example, if parental consent were required for a child to use a smartboard to collaboratively solve math problems, students who did not get their permission slip signed (no matter the reason) would not be able to use the smartboard in this way, effectively shutting those students out of the learning experience that most other students enjoy. An example of this is Louisiana's 2015 student privacy bill, which imposed punitive measures on educators and school officials who violated student privacy, even unintentionally. The measures were not only stringent, but the bill's ambiguous language made it challenging to discern permissible data-sharing practices. This ambiguity caused a chilling effect, leaving school officials reluctant to share student data, even for legitimate purposes. Consequently, schools refrained from sharing student information with the state scholarship fund, demonstrating how poorly crafted legislation can inadvertently harm the very students it aims to protect.
3. Determine Parental Rights to Opt In or Opt Out of Technology Used as Secondary to Core Curriculum on a Case-by-Case Basis
For secondary technology uses, parents can and arguably should be given more autonomy to opt their children in or out of such uses since exercising such control would not significantly disrupt students’ education. However, there is a big difference between what it means for parents to opt in and what it means to opt out of secondary technology uses, so each method must be carefully evaluated on a case-by-case basis at the local level.
Requiring parents to opt in to using technology will prohibit students from using technologies if their parents do not actively give permission. Requiring parental opt-in presents significant risks that students will not be allowed to use the technology even when the data collected is already subject to FERPA protections. There are many different reasons that parents may not actively provide consent––some of which may include their email spam filter blocking the consent request, missing the form because they are busy, or not understanding the form due to language barriers. Due to the likelihood that many parents who want their children to benefit from secondary technology uses would unintentionally withhold consent, parental opt-in should primarily be used only when the technology use will collect particularly sensitive data about students.
In contrast, allowing parents to opt out of technology sets the default of allowing students to use technologies unless a parent actively says no. For secondary technology uses that do not collect particularly sensitive data about students, defaulting to allowing parents to opt out rather than requiring parents to opt in is likely a better approach; it safeguards students whose parents cannot actively engage so that those students are not disadvantaged by losing access to the learning opportunities that edtech provides. Under this approach, teachers would be able to supplement core curriculum with activities such as virtual reality field trips for any students whose parents do not actively object and would still require the student data collected to be protected under FERPA.
Closing Thoughts
Enacted in 1974, FERPA ensures appropriate access and limits unauthorized disclosure of student PII. While FERPA is still actively and effectively used to protect student data, the past 50 years have brought new digital technologies to schools in ways that lawmakers in 1974 could scarcely imagine. These new technologies have naturally created new contexts in which schools collect and use student data. Amending FERPA to differentiate core and secondary uses of technology simply makes sense in this new educational context.