Privacy concerns arise over tech in classrooms

California lawmakers ban the sale and disclosure of data related to K-12 students

At a New York state elementary school, teachers can use a behavior-monitoring app to compile information on which children have positive attitudes and which act out. In Georgia, some high school cafeterias are using a biometric identification system to let students pay for lunch by scanning the palms of their hands at the checkout line. And across the country, school sports teams are using social media sites for athletes to exchange contact information and game locations.

Technology companies are collecting a vast amount of data about students, touching every corner of their educational lives — with few controls on how those details are used.

Now California is poised to become the first state to comprehensively restrict how such information is exploited by the growing education technology industry.

Lawmakers in the state passed a law last month banning educational sites, apps and cloud services used by schools from selling or disclosing personal information about students from kindergarten through high school; from using the children’s data to market to them; and from compiling dossiers on them. The law is a response to growing parental concern that sensitive information about children — like data about learning disabilities, disciplinary problems or family trauma — might be disseminated and disclosed, potentially hampering college or career prospects. Although other states have enacted limited restrictions on such data, California’s law is the most wide-ranging.

“It’s a landmark bill in that it’s the first of its kind in the country to put the onus on Internet companies to do the right thing,” said Sen. Darrell Steinberg, a Democrat who wrote the bill.

Gov. Jerry Brown has not taken a public position on the measure, or on a companion student privacy bill regulating school contracts with education technology vendors. If he does not act, the bills will become law at the end of this month. Steinberg said the bills had broad bipartisan support and were likely to be enacted.

James P. Steyer, chief executive of Common Sense Media, a children’s advocacy and media ratings group in San Francisco, said the bills were ultimately intended to shore up parents’ trust in online learning.

“You can’t have an education technology revolution without strong privacy protections for students,” said Steyer, whose group spearheaded the passage of Steinberg’s bill. “Parents, teachers and kids can now feel confident that students’ personal information can be used only for educational achievement.”

In a sign of the rapid growth of the education technology industry, even Steyer’s group has partnerships with Google, Apple and other software vendors, who distribute the group’s ratings of apps and videos for children.

The California effort comes at a pivotal time for the industry. Schools nationwide have been rushing to introduce everything from sophisticated online portals, which allow students to see course assignments and send messages to teachers, to reading apps that can record and assess a child’s every click. These data-driven products are designed to adapt to the abilities and pace of each child, holding out the promise of improved academic achievement.

Last year, sales of education technology software for prekindergarten through 12th grade reached an estimated $7.9 billion, according to the Software and Information Industry Association.

As schools embrace these personalized learning tools, however, parents across the country have started challenging the industry’s information privacy and security practices.

“Different websites collect different kinds of information that could be aggregated to create a profile of a student, starting in elementary school,” said Tony Porterfield, a software engineer and father of two pre-teenage sons in Los Altos, California. “Can you imagine a college-admissions officer being able to access behavioral tracking information about a student, or how they did on a math app, all the way back to grade school?”

Last year, parent groups and privacy advocates raised those kinds of concerns about inBloom, a student data warehouse that offered to streamline how educators and apps retrieved student information; inBloom withered in the face of that opposition, closing down in April.

A federal law, the Family Educational Rights and Privacy Act, limits the disclosures of student education records by schools that receive public funding. But critics have long complained that the 40-year-old law, written for the file-cabinet era when student records were kept on paper, has not kept pace with digital data-mining.

Privacy advocates say many of the details now collected by education sites and apps are not covered by the law because they do not form part of the institutional student education records maintained by schools. A recent study by researchers at Fordham Law School in New York reported that some public schools in the United States did not limit the kinds of information their education technology vendors collected from students or how the companies used those details.

During the past year, states have introduced more than 100 bills to regulate the collection or handling of students’ information. Many are narrow in scope. Lawmakers in Florida, for instance, passed a measure to prohibit schools from fingerprinting students or collecting scans of their palms or irises — scuttling the palm-scanning payment systems in school cafeterias there.

The California measure takes a fuller approach, formally extending privacy protections to a much wider array of information than the official student education record covered by the federal law.

Among other things, the California bill prohibits companies from selling, disclosing or using for marketing purposes students’ online searches, text messages, photos, voice recordings, biometric data, location information, food purchases, political or religious information, digital documents or any kind of student identification code. The idea is to prevent companies from using information about students for any activity not intended by their schools.

“The California statute is filling the void,” said Joel R. Reidenberg, a professor at Fordham Law School who is an expert in education privacy law. “They are modernizing the protection of student privacy for the computer era in schools.”

California lawmakers did make some concessions to industry. An exception in the legislation, for instance, allows companies to use student data for “legitimate research purposes.”

Last year, Steinberg sponsored an “eraser button” law that gives minors in California the right to delete their digital footprints. Subsequently, other states introduced their own eraser button bills, and the senator predicted that legislators elsewhere would now sponsor their own comprehensive student privacy measures. In Washington, D.C., this summer, two senators introduced a national student data privacy bill.

But Steinberg said he thought his current effort had implications beyond education. The California student privacy measure would essentially advance a fundamental principle of data rights for everyone: that a person who agrees to let a company collect personal details about them for a specific purpose has the right to decide whether that company may subsequently use that same information for unrelated activities.

“The bill sets a standard that is applicable to the larger privacy debate,” Steinberg said. “Personal information should only be used for other purposes with the permission of the individual.”