Parental Consent is Not a Panacea:

A Privacy Protective Path to Using Technology in Schools

December 2023

Katherine Kalpos, Morgan Sexton, and Amelia Vance

 

 

 

CC BY-NC 4.0

Introduction

Data collection, use, and sharing are everywhere–and classrooms are no exception. Schools increasingly use a wide array of technologies for many different reasons, ranging from promoting student learning and success, to making data-informed decisions, and also operationalizing administrative tasks. When harnessed correctly with appropriate privacy protections in place, technology in schools can enhance teaching and learning in powerful ways. But there are also serious privacy risks to introducing technology into classrooms that must be accounted for.

Why does technology introduce additional privacy risks? Traditionally, student data was kept in paper records that were maintained by the schools and districts themselves. This allowed educational institutions to have complete control over all aspects of student data, such as deciding what data is collected, who has access to it, how it is used and maintained, and how it is ultimately destroyed. Incorporating technology into classrooms often adds a third party to this equation - technology companies. When technology is part of instruction, schools are no longer the sole party collecting information from students and making decisions that will impact their data, resulting in a new layer of data privacy risk to students. But that doesn’t mean that technology companies get a free pass to do whatever they want with student data. The Family Educational Rights and Privacy Act (FERPA) and contractual agreements with school districts greatly limit what technology companies can do, often holding technology companies to the same standards that schools themselves are held to.

Despite the existing protections, there has been a lot of discussion recently around what the relationship between students, parents, schools, and technology use in K-12 classrooms should look like–especially when it comes to consenting to technology being used in the first place. Under the Children’s Online Privacy Protection Act (COPPA), schools can consent on behalf of parents to students using technology in educational contexts if the technology services are solely for the use and benefit of the school and for no other commercial purpose. However, some privacy advocates have pushed to change current law to explicitly require schools to get parental permission to use edtech in classrooms. There have also been various proposals to change general child and consumer privacy laws in ways that would indirectly–and likely unintentionally–impact whether schools could continue to make decisions about classroom technology. Requiring parental consent for all edtech use has the potential to drastically change how schools operate, could be detrimental to student learning, and should not be included in future legislation.

 

2023-12-12 Canva Adapted Image (57)
Schools Need to Retain the Ability to Consent to Using Edtech

Realizing how difficult it is for schools to obtain parental consent is vital to understanding how hard it would be for schools if they were required to obtain parental consent for all classroom technology uses. Picture a scenario where parental consent is required to use technology in classrooms, but a teacher hasn’t received parental consent for each student. What would happen? Teachers may have to choose between creating and implementing multiple lesson plans for the same classroom or not using edtech at all. This change would leave teachers not only ill-equipped to teach in a modern environment, but also coping with post-pandemic challenges like learning loss with resources of the 1980’s. This would be highly problematic, especially when the technology is being used as core curriculum–the electronic equivalent of a textbook.

Imagine what may happen to the child whose parents don’t provide the required consent for them to use the digital textbook their teacher picked. What would happen if the school doesn’t have print copies of the textbook available for that child? And if they are the only child in a classroom of twenty students that isn’t permitted to use the digital textbook, would they be singled out with individualized lesson plans and homework assignments while the rest of the class uses the digital textbook? Should the teacher stop using the digital textbook with the other nineteen students so everyone is treated the same?

A comment submitted by AASA, The School Superintendents Association and the Association of Educational Service Agencies (AESA) to the FTC’s 2019 COPPA Rule Review further details how challenging it would be for schools if they were required to obtain affirmative parental consent prior to using edtech in classrooms:

 

If schools must actively obtain parental consent, this is likely to cause a number of harmful and unintended consequences. First, the requirement will create a substantial administrative burden on schools. Districts rarely receive 100% return on requests for parent consent which may impede the function and operation of critical technology services. Online and Ed Tech services, including learning management systems that deliver curriculum by collecting student input and providing an individualized level of instruction depending on student individual response, are ubiquitous in schools and may provide vital school functions. Additionally, some school districts serve tens of thousands of students and operate multiple educational software programs and applications that may serve the same purpose as textbooks or other core curricular materials. Therefore, in addition to the administrative burden, this requirement could shut down or inhibit many vital school functions, like managing curriculum materials, taking attendance, or transferring transcripts.

Requiring parental consent for all technology uses in schools is an unworkable standard in practice, but that does not mean that no privacy guardrails should be in place due to schools’ administrative feasibility concerns. FERPA, state student privacy laws, and school districts’ contractual agreements with technology companies already establish foundational privacy safeguards that are tailored to the realities of K-12 schools. FERPA prohibits schools from disclosing education records without consent or very specific safeguards and requires schools to give parents (and eligible students) access to education records upon request. Additionally, the FERPA regulations specify certain protections that must be included in written agreements with schools. For more information about the underlying privacy protections that already exist in FERPA, watch this introductory video from the Department of Education and check out the Privacy Technical Assistance Center’s website.

FERPA Exceptions: What Policymakers Need to Know

FERPA permits schools to share information contained in a student’s education record under certain circumstances. For example, most edtech companies, such as gradebook systems or classroom learning programs, receive student information under the “school official” exception. The exception says that a school may share education records with a third-party service provider if there is a “legitimate educational interest” in disclosing the information, the third party is performing a service the school would otherwise perform itself, and the third party is under the school’s “direct control.” FERPA is quite strict––but not always clear––about what third parties may do with information they receive under the “school official” exception. Schools must ensure that the third party uses FERPA-protected information only for the educational purpose at hand. For example, third parties cannot create user profiles in order to target students or their parents with advertising, collect information beyond what is necessary to fulfill their agreements, or share information from education records, except with subcontractors who are helping fulfill the third party’s contract.

In 2014, the Department of Education released guidance on FERPA requirements regarding student data and online educational services. One issue the guidance addressed was metadata—data that describes other data, such as the author, date created, and size of a particular document—stating that identifiable metadata (e.g., a student’s username in a homework document) falls under FERPA, while metadata stripped of direct and indirect identifiers does not. This sort of information fills in the contours of FERPA, helping to clarify what the department believes federal law covers and what gaps remain.

Another FERPA exception permits the disclosure of “directory information” as long as parents can opt out. Examples of directory information include name, address, telephone listing, date and place of birth, participation in officially recognized activities and sports, and dates of attendance. Once released, directory information may be used for any purpose.

When Parental Consent Should be Obtained for Technology Use in Schools

While schools need to have the ability to consent on behalf of parents to using edtech in the classroom as core curriculum, there are times that parental consent is appropriate–and arguably necessary–in the K-12 context. In their comment to the FTC’s 2019 COPPA Rule Review, the National PTA wrote:

 

One example we frequently hear is the use of wireless heart rate monitors in physical education classes. In those instances, when declining to participate would not impact instruction or essential administrative functions, parents should retain their right to consent to data collection – much like parents must consent to field trips or other extracurricular activities.

Other Federal Laws of Note

While FERPA and COPPA are the two main federal laws concerned with protecting student data privacy, several other laws have narrower privacy applications.

The Protection of Pupil Rights Act (PPRA) regulates student participation in any survey, analysis, or evaluation funded by the U.S. Department of Education. Before a school administers surveys asking for certain personal information, parents must be allowed to review the survey. If a survey asks about sensitive subjects such as political affiliations, anti-social behavior, religious beliefs, or family income, parents must be notified and given the opportunity to opt their children out of participating. PPRA also prohibits the collection of information from students for marketing purposes. One important exception is that PPRA data use restrictions do not apply to the collection, disclosure, or use of students’ personal information for developing, evaluating, or providing educational products or services or to students or educational institutions.

The Individuals with Disabilities Education Act (IDEA) provides for a “free appropriate public education,” including special education and services, for children with disabilities. The law authorizes grants to states that comply with its requirements. In addition to granting parents access and deletion rights that are similar to those of FERPA, IDEA also establishes a higher standard of confidentiality for the student records it covers, such as a student’s Individual Education Program. While IDEA is not typically central to the student privacy conversation, policymakers should be aware of IDEA’s provisions when they consider specific protections for students with disabilities.

The Health Insurance Portability and Accountability Act (HIPAA) was designed to create standards for electronic health care transactions and to protect the privacy and security of individually identifiable health information. In most cases, HIPAA does not apply to student records since it generally applies only to health information possessed by “covered entities” such as hospitals or physicians. However, the two laws overlap to some degree, as FERPA incorporates the security standard set out in HIPAA. For a detailed examination of how HIPAA impacts student records, see the HIPAA- FERPA guidance in the resources section.

The Children’s Internet Protection Act (CIPA) applies to schools and libraries that receive  discounts  for  internet  access  or internal  network  connections  through  the E-rate program, which is administered by the Federal Communications Commission (FCC) and makes certain communications services and products more affordable. Schools and libraries subject to CIPA are required to create an internet safety policy that includes technological protection measures that block or filter access to obscene online content. CIPA also requires schools to monitor students’ online activities, and how they do so must be referenced in schools’ internet safety policies. Policymakers who wish to address content or internet access restrictions in schools should be aware of CIPA’s carefully balanced approach, which reflects both the intent to protect minors from harmful content and the First Amendment’s protections for access  to  information  and  speech  online.

2023-12-12 Canva Adapted Image (60)

Differentiating between technology used as core curriculum and technology used as secondary to core curriculum introduces a necessary nuance to the discussion of when parental consent should be obtained prior to using edtech in schools. To ensure that parents remain empowered to make appropriate decisions about the technology that supports their child’s education without overburdening schools and teachers, the core curriculum and secondary uses distinction should be explored and–if a change were to be made that would require parental consent for edtech use–should be seriously considered as the approach adopted in future legislation.

However, as previously pointed out, it is important to remember that “[e]ven where consent may be appropriate, students and parents are often not in the best position to assess the benefits and risks of data collection and use; the burden of vetting the technology used by their child’s school should not be placed on them.” Parental consent should not be a free pass for companies to violate core student privacy rights in the K-12 environment. If parental consent were to be required–whether for all technology or just edtech used as supplementary to core curriculum–additional safeguards should be implemented to ensure children are protected at school. For example, regardless of whether a teacher receives parental consent, teachers should not be allowed to use technologies in their classrooms that have not gone through the district’s technology vetting process and received official approval.

Closing Thoughts

Obtaining affirmative parental consent is a burdensome process for schools that seldom results in 100% response rate and–if mandated for all edtech used in classrooms–could lead to teachers choosing to not use edtech at all with their students. While parental consent can be appropriate for certain secondary uses of technology, it should not be required for technology used as core curriculum in schools. And where parental consent is appropriate, additional safeguards–including district technology vetting and approval–must be in place to ensure that parents do not have to bear the heavy burden of conducting due diligence on their own. The current legal framework allowing schools to consent to certain edtech uses in the classroom, subject to the privacy protections of FERPA and contractual agreements between school districts and technology companies, should be retained.