What do you get when you have more than two-dozen leading edtech companies in a room in the Big Apple with student privacy and data protection on the agenda? A barrel-full of learnings and insights into how these companies are approaching this critical issue and what direction their privacy compass is pointing to for future action.
Recently, the Future of Privacy Forum (FPF) hosted its second Student Privacy Boot Camp for edtech start-ups and small businesses in New York City, in partnership with edtech venture fund ReThink Education and with support from the Bill & Melinda Gates Foundation. Attendees included over 30 start-up and small companies who provide learning programs or management tools to schools, and who wanted to better understand the sometimes complex and rather expansive legal requirements and best practices for handling student-data privacy.
As at the first boot camp in Washington D.C. in February, we came away with a number of takeaways that reflect the current state of the edtech vendor market. Most importantly, we continue to see that without training – for companies and schools, as well as parents and students – responsible maintenance of student data will not happen effectively or efficiently. Privacy in the ed-tech market continues to be a significant concern, particularly in light of many recent proposed bills at both the state and federal levels.
Understanding Federal Laws: FERPA and COPPA
At the second boot camp, the opening session provided background and context of U.S. privacy laws and laid the foundation for understanding the specific requirements for education service providers. The following sessions took the discussion to the next level with overviews of FERPA, the cornerstone law for all school and vendor data interactions, and COPPA, which regulates all on-line operators who market or target to children under 13, in or out of the education context.
Interestingly, the sessions covering FERPA and COPPA have drawn the strongest interest, the most detailed questions, the most requests for additional information or follow-up, and the highest ratings for “applicability” to the needs of attendees.
Why? Because these laws, which are 40 and almost 20 years old respectively, are not easily understood in the context of the present edtech and privacy ecosystem that schools and vendors occupy—yet all parties clearly want to know and follow the proper procedures to ensure compliance.
State-By-State Legislation
Vendor concerns extend to legislative activity at the state level as well. Notably, the past two years have set new records for the number of state bills drafted, discussed, or introduced regarding student privacy, with a few enacted that raise as many questions as they resolve. Students may or may not be more protected, and vendors are left to establish practices required for compliance in one state that — conversely — might be forbidden in others.
That’s why discussing a new law called “SOPIPA” was on our agenda. Passed by California’s legislature in 2014, it is likely the most comprehensive student privacy law to date, and one that is targeted to vendors rather than schools. As a result, laws in other states are frequently modeled on the SOPIPA example, or on variations of the Student Privacy Pledge, which FPF developed and introduced in 2014 in partnership with the Software and Information Industry Association.
Ed-tech vendors continue to be concerned at the expansion of unique and sometimes conflicting requirements across states, particularly as stiff monetary and contract penalties are attached to violations. Compliance with a multitude of laws becomes a high transaction cost and potential disincentive to the smaller companies hoping to enter this market.
Beyond state-level legislative activity, the regulatory perspective was also addressed. A popular panel, led by Michael Hawes, Statistical Privacy Advisor from the U.S. Department of Education, and Joe Baranello from the New York City Department of Education, reviewed minimum requirements and desired standards from the regulatory oversight angle, and addressed some of the complexities of complying with state-specific regulations in addition to federal standards.
Broader Approaches to Student Data Privacy
During a panel devoted to other stakeholders with advocacy interests in student data security, Joel Reidenberg, Law Professor and Founding Academic Director of the Center for Law and Information Policy at Fordham University Law, discussed the appropriate use and purpose of student data collection with Teddy Hartman, Coordinator of Data Privacy, Howard County, MD, and Olga Garcia-Kaplan, Parent Privacy blogger for FERPA|Sherpa. These panelists held a lively discussion of differing viewpoints that considered the fine balance required between the use of information for direct student benefit, versus the broader uses -- such as the analytical benefits of research from the large aggregation of students' data.
While Professor Reidenberg remained skeptical of the assumed beneficial effects of technology use on student outcomes, Garcia-Kaplan and Hartmann were strong advocates for the responsible use of data. Garcia-Kaplan in particular advocated for the student’s critical role in controlling and “telling their own story” via their own data. The discussion of “whose data is it” must include the student perspective, such as the decision to delete data upon contract completion when the student might wish to carry that account information forward on their own behalf.
Boot camp attendees picked their own topics for "unconference" sessions to more deeply delve into high interest subjects, including real-world examples of contracting practices, and other actual challenges faced by larger, more experienced ed-tech companies. Privacy leaders from such companies – such as McGraw-Hill, Amplify and Knewton – volunteered to lead these sessions and provide their expertise.
Given the high-level of attendance and interest these boot camps have generated, we’re looking forward to hosting our next boot camp on the West Coast this fall.