IV. LESSONS LEARNED AND KEY PRINCIPLES FOR STUDENT PRIVACY

Previously published in the Seton Hall Journal of Legislation and Public Policy

IV. LESSONS LEARNED AND KEY PRINCIPLES FOR STUDENT PRIVACY

The unintended effects discussed above are emblematic of the challenges that privacy legislation has posed in the last decade, echoing many issues that arose when the U.S. Congress passed FERPA in 1974. For legislators, this history offers more than a cautionary tale; it suggests specific lessons and principles that policymakers can use to change the trajectory of future privacy legislation. For example, some of the student privacy laws were passed hastily in response to public fears or specific incidents, with little input from stakeholders.229 Other laws neglected to clearly define their scope and requirements, resulting in confusion and anxiety.230 These patterns indicate four principles that are essential for crafting clear, balanced, and fair education privacy laws: trust, transparency and inclusion, context, and clarity. As discussed further below, each of these principles is multifaceted in terms of student privacy. Trust is not simply a value to assume among education stakeholders; it requires understanding dominant perceptions about data privacy, particularly fear. Transparency means not just communicating with stakeholders, but also understanding how transparency works in the laws themselves. This section describes how these principles can function as a roadmap for producing better education privacy laws and for helping lawmakers use carefully crafted laws to encourage a culture of privacy in schools and districts.

A. Trust: Understand the Role of Trust and Fear in Student Privacy Legislation

Privacy is an amorphous concept rooted in trust.231 As a society, we want to trust that when institutions use our personal information to make decisions that affect our lives, they will use it fairly and protect it. FERPA and subsequent student privacy laws emerged in part from contexts in which the public had lost trust in institutions. FERPA arose in the aftermath of revelations about the Vietnam War and Watergate.232 The wave of student privacy laws in 2014 followed the Edward Snowden leaks and major data breaches from trusted, everyday entities such as the retailer Target.233 Virginia passed its restrictive data sharing law after legislators lost trust in the information sharing process, because one bad actor exploited the process and gained access to students’ contact information.234

A profound sense of fear replaced this broken trust, both in the days of FERPA and in the past decade, informing public perceptions and driving privacy legislation. The fear of harm resulting from lack of privacy protections in part spurred FERPA, as people worried that schools were creating permanent student records to which parents had no access but that would follow students throughout their lives, potentially predetermining their opportunities and perpetuating discrimination.235 Forty years later, several state student privacy laws, including those passed after the demise of inBloom, sought to address the fears that “personalized learning” would do the same––create a record that tracks students and predetermines their opportunities.236

Effectively addressing privacy harms means avoiding the instinctive response to do something in reaction to public fear, and, instead, approaching policymaking with intent to address the harms. First, reactive, hastily passed laws often do not address the actual harms. Although widespread fears about data breaches contributed to the 2014 deluge of student privacy laws, very few of those laws include data breach provisions.237 Likewise, transparency measures that require stakeholders to navigate to a school district website to read contractual clauses is unlikely to quell fear of the unknown, such as “the cloud,” complex technology, and technical jargon. Moreover, very few state student privacy laws require training for staff, making operationalizing data privacy practices a monumental task.238

Second, because rushed legislation often does not appropriately address the actual harms, most of the original fears catalyzing the laws remain, including fears of a permanent record, security breaches, the lack of transparency regarding data collection, improper sharing of student data, and general fear of the technological unknown.239 Thus, it is not surprising that recent statistics still reflect low public trust overall in tech companies and significant fear of data breaches. The Pew Research Center reported in 2018 that only twenty-eight percent of Americans trust tech companies to do the right thing always or most of the time.240 Another 2018 survey shows that eighty-three percent of respondents support tougher regulations and penalties for data privacy breaches.241

Policymakers should strive to understand the fears underlying privacy concerns, so they can address those fears effectively and, in doing so, gain the trust of education stakeholders. Sometimes, the response need not involve new legislation. Guidance explaining how current laws and frameworks apply to emerging issues can help stakeholders implementing laws to approach privacy compliance in flexible ways.242 For example, the Department of Education periodically updates its FERPA “Frequently Asked Questions” guidance, to help schools and districts to better understand how to comply with the law in a constantly changing educational environment.243

B. Transparency and Inclusion: No Legislation Without Representation

Transparency and inclusion are integral to building trust in privacy legislation.244 Transparency in student privacy laws is essential both as part of the laws’ content and for the process of creating effective laws.245 Similarly, inclusion is essential for obtaining stakeholders’ expertise to ensure the laws work as intended and also to encourage stakeholders to buy in to carefully considered efforts to protect students’ data.

Policymakers can build trust by communicating with stakeholders about why student privacy laws are necessary. Many laws protect data but do not explain why the data is needed in the first place.246 Better data can lead to more effective teaching and learning,247 but if parents and other stakeholders do not understand how data can help students, they will not understand how or why the state needs to protect the privacy and security of the data.248 They may demand that schools not collect data at all. Thus, a key part of transparency involves communicating the value of data, but also why education agencies partner with companies to store, analyze, and protect data.

It is equally important for policymakers to understand how transparency works in the laws themselves and to practice transparency in the process of creating the laws. Legislators are not always aware of how transparency should function in strong privacy legislation—for example, in the Connecticut law, legislators decided that transparency meant notification to parents within five days of every school contract with edtech vendors.249 This resulted in excessive notices that did not help parents understand how their children’s privacy was protected.250

To understand how transparency should work in student privacy laws, lawmakers need to practice inclusion in two ways: they need to include all stakeholders who will implement and be affected by the law, which will encourage these parties to buy into legislators’ efforts; they also need to get the right input from experts to understand key concepts, which will facilitate effective bills. Inclusion is essential because, for example, if the disability rights community is left out of the consultation process, they may rightly believe that student privacy laws create further barriers for students with special needs. Such lack of transparency can severely undermine even wellintentioned laws.

To obtain input from experts, policymakers should with consult those who implement the law, are regulated by it, affected by it, and those with additional expertise.251 These stakeholders include educators, district officials, state leaders, lawyers, and technology experts and vendors, all of whom bring immeasurable value and perspective to the conversation.252 Many legislators were students long before tablet computers and edtech apps were a standard part of curricula.253 Modern data protections or new technologies that seem reasonable to laypeople may strike experts as impossible or unwise. One of the most common problems that occurred as student privacy legislation was introduced in states in 2013 and 2014 centered around school memorabilia like photos and yearbooks. In addition to the problems in Louisiana described above, some bills proposed banning the use of “portable media devices” to store or transmit student personally identifiable information (PII). However, since photos were considered student PII in most proposed bills, these bills would have banned cameras.254

For these reasons, seeking guidance from the right stakeholders regarding the twenty-first century classroom is essential. The National Association of State Boards of Education (NASBE) recommends “[a]sking those who have to implement laws how they would affect their districts or schools” as a best practice to help decrease unintended consequences.255

700x510 USE THIS FOR IN-TEXT IMAGES (12)

Not only does consulting with stakeholders help avoid such consequences, it also ensures that policies and laws are practical and can be implemented. If Congress had held hearings and called for public comments before enacting FERPA, the uncertainties regarding student loans and letters of recommendation might have been addressed before the law went into effect. If New Hampshire’s legislature had consulted with teachers before banning video recordings, lawmakers likely would have learned that recordings are required as part of some students’ IEPs.

Policymakers can incorporate stakeholders’ input at many points during the legislative process. The West Virginia State Board of Education, for example, held statewide public forums to help communities understand how the state gathered and protected students’ data.256 Another Connecticut student privacy law, the Act Concerning Students’ Right to Privacy in Their Mobile Electronic Devices, required the state to establish a diverse working group of representatives from the Commission on Women, Children, and Seniors; the Association of Public School Superintendents; the Center for Children’s Advocacy; and the ACLU.257 The working group was tasked with providing recommendations for a statewide policy on student mobile phone searches and seizures.258 By mandating the convening of diverse perspectives on student privacy, the Act laid the foundation for sustained conversations and collaborative relationships.259 Other states, such as Maryland and New York, have laws that mandated working groups to review current student privacy laws or provide input on regulations.260 These types of official working groups can be invaluable by providing a designated space for diverse stakeholders to learn about and weigh in on student privacy issues.

C. Context: Foresight from the Field

Inclusion and transparency allow legislators to understand the context in which education stakeholders use student data and implement privacy safeguards. This process allows policymakers to, in the words of Louisiana privacy expert Kim Nesmith, be aware of “what they don’t know. It doesn’t matter who you are, but the reality is we sometimes don’t recognize there are things we don’t know, and we don’t know what that is.”261 The more that stakeholders participate in the legislative process of crafting student data privacy laws, the more deeply legislators will understand the nuances and implications of privacy regulations in education.

Context is particularly important at the state level, where policymakers need to understand not only current federal requirements, but also what is happening on the ground in classrooms throughout their state. For example, most of the 130 student privacy laws passed since 2013 have not provided funding or training for implementation.262 As privacy experts have noted,”[c]ompared to large businesses, schools have far less funding and technical expertise. Even large school districts are hard pressed to keep up with the continual security alerts, patches, and updates needed to maintain secure systems of their own.”263 In this context, sweeping legislation with strict penalties coupled with lack of funding for training and implementation, as occurred in Louisiana, can cause panic and paralysis in schools.264 Without people on the ground who know how to protect student privacy and have the resources to do so, schools will struggle to comply with privacy laws.265 For this reason, context in this realm also means analyzing the effects of laws in other states, which may reflect consequences to avoid or useful models to consider.

Similarly, it is unwise to limit how schools use third parties without first understanding how and why schools partner with them in the first place. Most schools use private companies to assist with digital technology and student data because districts simply do not have the human or technical resources to build and manage the required systems.266 Consequently, banning third parties may seriously disrupt school systems, particularly in small and under-resourced districts, which cannot build in-house capital and attract in-house expertise.

D. Clarity

Deep understanding of the context of student data and privacy laws allows policymakers to draft clear, balanced legislation. Here, clarity means defining actual threats and how laws intend to address them, ensuring that legislative language is targeted and specific, and defining key terms. First, laws should clearly explain how privacy provisions will mitigate actual privacy threats, and these provisions should be evidence-based and vetted by privacy experts. In the above-mentioned Connecticut law, it was unclear how increased parental notification actually helped to protect students’ data.267

Second, the case studies also demonstrate how vague, sweeping language can create serious problems when stakeholders try to implement privacy laws. The sponsor of New Hampshire’s law intended to prevent teachers from having their classrooms recorded without their consent and to protect students’ privacy in classrooms where recording occurred.268 Yet, the law’s sweeping language (“No school shall record in any way a school classroom for any purpose without school board approval after a public hearing, and without written consent of the teacher and the parent or legal guardian of each affected student”) seemed to allow no exceptions for IEPs and other necessary cases.269 The law’s vagueness also left school districts wondering how many public hearings and consent forms were required for each recording.270 Such vague language results in misinterpretations and misapplications of the same law. Those implementing the law may construct their own standards to meet their particular needs, which may contradict the law’s original intent.

Third, creating precise legislative language means defining key terms. Debating FERPA’s original language, Senator Buckley responded as follows to criticisms of the ambiguous language regarding parental consent for research and experimental programs: “In general, the premise is that parents are generally responsible adults, having prime responsibility for their children. I have no doubt that they would act responsibly.”271 Here, Buckley assumed that parents, as rational actors, would allow their children to participate in indisputably beneficial experimental programs, such as “new math.” Yet, in doing so, he apparently believed that all parents would understand the term “experimental” in the same way.

More recent examples of this issue include a 2013 executive order signed into Georgia law. The executive order prohibited education agencies from tracking, housing, reporting or sharing “psychometric data” with the federal government without defining the term.272 The common definition of “psychometric” is information that is designed to show someone’s personality, mental ability, or opinions, i.e., “any measurement of learning.”273 Left undefined, this prohibition could be understood to ban Georgia schools from tracking, housing, reporting or sharing student homework assignments or testing outcomes because they evaluate student learning. Legislators should therefore define key terms precisely and consider potential misinterpretations, particularly by seeking feedback from stakeholders.

E. Create a Culture of Privacy

Unintended consequences notwithstanding, student privacy legislation, from FERPA to state laws in the twenty-first century, have encouraged public awareness of students’ right to privacy.274 Many states and school districts now have data governance plans, and third parties are more accountable for their responsibilities regarding student data.275 Practitioners and stakeholder organizations have developed hundreds of new resources to better protect students’ privacy.276

Nonetheless, significant hurdles and threats remain. School administrators have many extremely important responsibilities, and privacy may feel unimportant compared to ensuring students have enough food or raising graduation rates. The initial attention brought by a federal law such as FERPA or a state law such as Louisiana’s does not foster ongoing student privacy awareness; once public interest in the new requirements subsides, there is no incentive for continued privacy discussions or initiatives. Moreover, state and federal legislators continue to introduce poorly crafted student privacy bills.277 General consumer privacy bills have also emerged that may present unintended consequences for schools.278 Some student privacy laws require training but do not provide the resources to conduct it.279 Without such resources, districts and states may shut down innovation in the face of privacy concerns or requirements, rather than adopt appropriate safeguards.280 Education stakeholders at all levels still struggle to understand the effects of the dramatic changes in the student privacy landscape.281

For this reason, legislators should address the lack of incentives for engagement about student data privacy. They can do so by legislating to help schools and districts create a culture of privacy. The principles discussed above provide a roadmap for creating legislation that supports such a culture. Several states, such as Utah, have begun to lead the way–for example, Utah’s student privacy law not only mandates student privacy protections; it also requires an annual student privacy course for educator relicensure.282 In this way, it underscores the importance of continuing privacy education by creating a recurring obligation to keep privacy concerns at the forefront of educators’ minds.

V. CONCLUSION

Student data can be used to improve education outcomes, close achievement gaps, and inform fair distribution of resources. By reacting to privacy concerns without fully understanding their context or the landscape in which privacy laws will function, however, legislators risk greater harm to students in the form of unintended consequences. Policymakers should therefore solicit input from stakeholders and communicate with the public, prior to the passage of laws, to identify such consequences. Lawmakers must seek to protect students’ privacy with fair, balanced laws that ensure that schools can safely use data and technology to support equitable learning and opportunities for all students.

Footnotes

1. See, e.g., Forman supra note 197.
2. See, e.g., 11 Reasons, supra note 152.
3. Ari Ezra Waldman, Privacy as Trust: Sharing Personal Information in a Networked World, 69 U. MIAMI L. REV. 559 (2015).
4. Mary Margaret Penrose, In the Name of Watergate: Returning FERPA to its Original Design, 14 N.Y.U.J. LEGIS. & PUB. POL’Y 75, 94 (2011).
5. Sonja Trainor, Student data privacy is cloudy today, clearer tomorrow, KAPPAN (Feb. 2015), at 13–14. https://iu.instructure.com/files/56302724/download?download_frd=1.
6. See supra Section III E.
7. See supra Section II A.
8. Ariel Bogle, What the Failure of inBloom Means for the Student-Data Industry, SLATE (Apr. 24, 2014, 3:45 PM), https://slate.com/technology/2014/04/what-the-failure-ofinbloom-means-for-the-student-data-industry.html. (“It’s clear that legislators on both the federal and state level need to consider how to strengthen student privacy protections . . . [w]hile people seem willing to give up vast amounts of their own information to the cloud, there is a strict line when it comes to fears of a child’s learning difficulties haunting her into middle age.”).
9. State Student Data Privacy Legislation: What Happened in 2014, And What’s Next?, DATA QUALITY CAMPAIGN (Aug. 2014), https://dataqualitycampaign.org/wpcontent/uploads/2016/03/DQC-Data-Privacy-whats-next-Sept22.pdf.
10. “Although more than 300 bills have been introduced over the past two years on student data privacy, few mention training.” See Amelia Vance, Policymaking on Education Data Privacy: Lessons Learned, 2 EDUCATION LEADERS REPORT 2, 13 (Apr. 2016), www.nasbe.org/wp-content/uploads/Vance_Lessons-Learned-Final.pdf [hereinafter “Lessons Learned”].
11. See, e.g., supra Sections III B, C, D, E (discussing Louisiana, New Hampshire, Connecticut and Virginia’s student privacy laws which required subsequent amendments due to unintended consequences).
12. Aaron Smith, Public Attitudes Toward Technology Companies, PEW RESEARCH CENTER (June 28, 2018) http://www.pewinternet.org/2018/06/28/public-attitudes-towardtechnology-companies.
13. HarrisX, Inaugural Tech Media Telecom Pulse Survey 2018, available at http://harrisx.com/wp-content/uploads/2018/04/Inaugural-TMT-Pulse-Survey_- 16Apr18_Library_V3.pdf.
14. Guidance Documents from Federal Agencies, Government Accountability Office (May 18, 2015) https://www.gao.gov/assets/670/669721.pdf.
15. U.S. Dept. of Educ., Frequently Asked Questions, https://studentprivacy.ed.gov/frequently-asked-questions (last visited Mar. 6, 2020).
16. See generally Neil Richards and Woodrow Hartzog, Taking Trust Seriously in Privacy Law, 19 STAN. TECH. L. REV. 431 (2016).
17. Lessons Learned, supra note 238.
18. Richards & Hartzog, Taking Trust Seriously in Privacy Law, 19 STAN. TECH. L. REV. at 433 (2016) (“So much of modern networked life is mediated by information relationships, in which professionals, private institutions, or the government hold information about us as part of providing a service. Such relationships are everywhere we look.”).
19. “Data is one of the most powerful tools to inform, engage, and create opportunities for students along their education journey—and it’s much more than test scores. Data helps us make connections that lead to insights and improvements.” Why Education Data?, DATA QUALITY CAMPAIGN, https://dataqualitycampaign.org/why-education-data/ (last visited Apr. 14, 2020).
20. Empowering Parents and Communities through Quality Public Reporting, DATA QUALITY CAMPAIGN (April 20, 2015), https://dataqualitycampaign.org/resource/empoweringparents-communities-quality-public-reporting/
21. See Act Concerning Student Data Privacy, Pub. Act No. 16-189, § 2 (g) (effective October 1, 2016); Vance, supra note 169.
22. Vance, supra note 169.
23. Future of Privacy Forum, The Policymakers Guide to Student Data Privacy, FERPASherpa (April 4, 2019) https://ferpasherpa.org/policymakersguide.
24. Id. at 10.
25. Online learning environments first started to appear in 1995, and only became routine starting in 2008. See A.W. (Tony) Bates, Teaching in a Digital Age, at 6, 2 (October 10, 2019) https://opentextbc.ca/teachinginadigitalage/.
26. Lessons Learned, supra note 238, at 11.
27. Lessons Learned, supra note 238, at 11.
28. Amelia Vance, West Virginia’s Steady Course on Student Data Privacy, NASBE (February 2016), http://www.nasbe.org/state-innovation/west-virginias-steady-course-onstudent-data-privacy/.
29. H.B. 5170, 2018 Leg. Sess. (Conn. 2018).
30. H.B. 5170, 2018 Leg. Sess. (Conn. 2018).
31. H.B. 5170, 2018 Leg. Sess. (Conn. 2018).
32. See Ann. Code of Maryland, Education. Art. 1, § 7-2001-2005. (Md. 2018); McKinney’s Education Law § 2-d(4)(b) and § 2-d(5), 2 (N.Y. 2019); New York State Education Department, Proposed Addition of Part 121 to the Regulations of the Commissioner Relating to Student Privacy (Jan. 3, 2019) at 21, https://www.regents.nysed.gov/common/regents/files/119p12d1.pdf.
33. SXSWedu: Accidental Consequences of Student Privacy Laws Panel, supra note 133.
34. Lessons Learned, supra note 238, at 11.
35. Joseph Jerome and Jules Polonetsky, Student Data: Trust, Transparency and the Role of Consent, Future of Privacy Forum (Oct. 2014), https://fpf.org/wpcontent/uploads/FPF_Education_Consent_StudentData_Oct2014.pdf.
36. See, e.g., supra Section III B.
37. See Emily Tate, What It’s Like Navigating the Strictest Student Privacy Law in the Country, ED SURGE (Jun. 18, 2019) https://www.edsurge.com/news/2019-06-18-what-it-slike-navigating-the-strictest-student-privacy-law-in-the-country (interview with Kim Nesmith discussing the importance of training or assisting districts with navigating new student privacy laws and Louisiana’s approach through its Data Governance and Privacy Guidebook).
38. Lessons Learned, supra note 238, at 5.
39. See H.B. 5170, 2018 Leg. Sess. (Conn. 2018).
40. Zelin, supra note 156.
41. Morrill, supra note 149.
42. Morrill, supra note 149.
43. 120 CONG. REC. 14588 (1974) (containing the Senate Floor debate where Buckley posited that parents are ultimately responsible for their children—and their children’s data— not educational institutions).
44. Deal executive order protects students, local control, GEORGIAGOV (May 15, 2013), https://web.archive.org/web/20140109013246/https://gov.georgia.gov/press-releases/2013- 05-15/deal-executive-order-protects-students-local-control.
45. See Psychometric, CAMBRIDGE ADVANCED LEARNER’S DICTIONARY & THESAURUS (last visited Apr. 15, 2020) https://dictionary.cambridge.org/us/dictionary/english/psychometric; see also Amelia Vance, Regulating Student Data Privacy: Don’t Throw the Baby Out with the Bathwater, NASBE (April 2015), http://www.nasbe.org/policy-update/regulating-student-data-privacy-dontthrow-the-baby-out-with-the-bathwater.
46. See, e.g., supra Section III A (discussing inBloom and the reaction from parents and other stakeholders which ultimately led to its downfall).
47. Benjamin Herold, Are State Student-Data-Privacy Laws Changing Companies’ Behavior?, EDUCATION WEEK MARKET BRIEF (Jan. 2, 2019), https://marketbrief.edweek.org/market-trends/state-student-data-privacy-laws-changingcompanies-behavior.
48. Resources, FERPASHERPA (last visited Apr. 15, 2020) https://ferpasherpa.org/resources.
49. See, e.g., supra Sections III B, C, D & E (discussing Louisiana, New Hampshire, Connecticut, and Virginia’s poorly drafted student privacy laws that failed to account for unintended consequences when initially passed); S.B. 1341 § 6(d), 114th Cong. (2015-16) (Senator Vitter’s bill)
50. See, e.g., Anisha Reddy, Tyler Park and Amelia Vance, Child Privacy Protections Compared: California Consumer Privacy Act v. Proposed Washington Privacy Act, FUTURE OF PRIVACY FORUM (Jan. 27, 2020), https://fpf.org/2020/01/27/child-privacy-protectionscompared-california-consumer-privacy-act-v-proposed-washington-privacy-act.
51. Lessons Learned, supra note 238, at 11.
52. See, e.g., School Districts Struggle To Comply With New Student Data Privacy Law, Connecticut Public Radio (June 4, 2018) (accessed Apr. 14, 2020) https://www.wnpr.org/post/school-districts-struggle-comply-new-student-data-privacy-law (discussing forgoing the use of a game design app used in Advanced Placement classes for privacy concerns).
53. See supra Sections II & III (highlighting examples of unintended consequences resulting from both federal and state-level student privacy legislation and the dramatic changes that resulted).
54. Utah Code § 53E-9-204 (2019).

III. STUDENT PRIVACY IN THE MODRN ERA

All PIPC Resources

IV. LESSONS LEARNED AND KEY PRINCIPLES FOR STUDENT PRIVACY

A. Trust: Understand the Role of Trust and Fear in Student Privacy Legislation

B. Transparency and Inclusion: No Legislation Without Representation

C. Context: Foresight from the Field

D. Clarity

E. Create a Culture of Privacy

V. CONCLUSION

Footnotes

Table of Contents

I. INTRODUCTION

II. FERPA AND ITS FIRST AMENDMENT

A. The Landscape Before FERPA

B. FERPA's Introduction and Passage

C. Unintended Consequences in Practice

D. The Buckley/Pell Amendment

III. STUDENT PRIVACY IN THE MODERN ERA

A. The State Student Privacy Landscape: 2014-2020

B. Louisiana

C. New Hampshire

D. Connecticut

E. Virginia

IV. LESSONS LEARNED AND KEY PRINCIPLES FOR STUDENT PRIVACY LEGISLATION

A. Trust: Understand the Role of Trust and Fear in Student Privacy Legislation

B. Transparency and Inclusion: No Legislation Without Representation

C. Context: Foresight from the Field

D. Clarity

E. Create a Culture of Privacy

V. CONCLUSION

Get In Touch!

Additional Resources

About Us