With a new school year underway, concerns about student privacy are at the forefront of parents’ and students’ minds. The Student Privacy Pledge, which recently topped 300 signatories and reached its two-year launch anniversary, is at the center of discussions about how to make sure tech and education companies protect students and their information. A voluntary effort led by the Future of Privacy Forum and the Software and Information Industry Association (SIIA), the Pledge holds the edtech companies who sign it to a set of commitments intended to protect student privacy.
But the Student Privacy Pledge as it stands is flawed. While we praise the Pledge’s effort to create industry norms around privacy, its loopholes prevent it from actually protecting student data.
All in the fine print
The real problems with the Student Privacy Pledge are not in its 12 large, bold commitment statements—which we generally like—but in the fine-print definitions under them.
First, the Pledge’s definition of “student personal information” is enough to call into question the integrity of the entire Pledge. By limiting the definition to data that is “both collected and maintained on an individual level” and “linked to personally identifiable information,” the Pledge seems to permit signatories to collect sensitive and potentially identifying data such as search history, so long as it is not tied to a student’s name. The key problem here is that the term “personally identifiable information” is not defined and is surely meant to be narrowly interpreted, allowing companies to collect and use a significant amount of data outside the strictures of the Pledge. This pool of data potentially available to edtech providers is more revealing than traditional academic records, and can paint a picture of students’ activities and habits that was not available before.
By contrast, the federal definition, found in FERPA and the accompanying regulations, is broad and includes both “direct” and “indirect” identifiers, and any behavioral “metadata” tied to those identifiers. The federal definition also includes “Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.”
Second, the Pledge’s definition of “school service provider” is limited to providers of applications, online services, or websites that are “designed or marketed” for educational purposes.
A provider of a product that is marketed for and deployed in classrooms, but wasn’t necessarily “designed or marketed” for educational purposes, is outside the Pledge. This excludes providers while they’re providing “general audience” apps, online services and websites. We alleged in our FTC complaint against Google that the Pledge does apply to data collection on “general audience” websites—for example, when that data collection is only possible by virtue of a student using log-in credentials that were generated for educational purposes. However, SIIA, a principal developer of the Pledge, argued to the contrary and said that the Pledge permits providers to collect data on students on general audience websites even if students are using their school accounts.
The Pledge’s definition also does not include providers of devices like laptops and tablets, who are free to collect and use student data contrary to the Pledge.
Simple changes to the definitions of “student personal information” and “school service provider”—to bring them in line with how we generally understand those plain-English terms—would give the Pledge real bite, especially since the Pledge is intended to be legally enforced by the Federal Trade Commission.
While enforcement only applies to companies who choose to sign on, we think that if the Student Privacy Pledge meant what it said, and if signatories actually committed to the practices outlined under the heading “We Commit To”, it would amount to genuine protection for students. But with the definitions as they stand, the Pledge rings hollow.
Notwithstanding the need to improve the definitions, the Pledge could do some good. Unfortunately, the FTC has yet to take action on our complaint alleging that Google violated the Student Privacy Pledge. We urge the Commission to take this matter seriously so that parents and students can trust that when companies promise to do (or not do) something, they will be held accountable.
As the school year continues, the conversation about education technology and student privacy is more important than ever. Tell us about your experience in your own schools and communities by taking our student privacy survey.