The Federal Trade Commission (FTC) and the U.S. Department of Education have recently announced their intent to host a joint workshop on ‘Student Privacy and Ed Tech.’ About this workshop and related work, they write:
The use of “Ed Tech” has exploded over the past several years. More than half of K-12 students have access to a school-issued personal computing device, and in many school districts, online curriculum is becoming the norm. While these technologies have tremendous potential, this transformation in Ed Tech has raised questions about how the Rule implementing the Children’s Online Privacy Protection Act (“COPPA Rule”) applies in the school context, and how it intersects with the Family Educational Rights and Privacy Act (“FERPA”).
In light of these questions, the Federal Trade Commission (“FTC”) and the Department of Education (“ED”) will hold a Student Privacy and Ed Tech workshop on December 1, 2017 in Washington, D.C. The workshop is intended to gather information to help clarify how the FTC and ED can ensure that student privacy is properly protected without interfering with the promise of Ed Tech.
While there are many important issues at the intersection of the COPPA Rule and FERPA, I have submitted a comment on the narrow, but critically important issue of student data security. In this comment, I make four assertions:
- There is an emerging knowledge base on cybersecurity incidents involving schools and student data that should be used to guide decisionmaking.
- Parents and taxpayers should expect uniformity in student data breach reporting and remedies across schools, states, and technology providers.
- Liability and penalties for negligent student data security practices must be assignable and enforceable.
- School administrators lack guidance, resources, and the capacity to assess the reasonableness of their own and third-party data security practices.
Both FERPA and the COPPA Rule presume that schools have the resources and knowledge to assess their own data security practices, to say nothing of that of their vendors. Emerging evidence suggests that this presumption should be challenged and that – at a minimum – such expertise and capacity is unevenly distributed across the thousands of public school districts, charter schools, and other public schools serving U.S. PreK-12 students.
Now is the time to shore up student data security practices, and I urge the FTC and ED to take affirmative action in any revised regulatory guidance or policy that may emerge from this workshop and associated efforts.
You can read the full comment below.