“The inBloom debacle in 2013 exposed the longstanding culture of fast and loose student data sharing among government agencies, schools and companies,” said Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, parent of two public school children in Colorado and the primary author of the report. “Consequently, parents across the nation began urging their state legislators to address the problem, resulting in a complex web of state privacy laws that are difficult to untangle and understand. Our hope is to bring attention to state laws that make a reasonable effort to protect student privacy and identify those that need improvement. Parents and advocacy groups can use our findings to advocate for even stronger measures to protect their children.”
Every state received points and grades on each of the following seven categories: Parties Covered and Regulated; Transparency; Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; Oversight, Enforcement, and Penalties for Violations; and Other Provisions.
The report tracks specific versions of state laws over time. For example, many of the state privacy laws enacted since 2013 used California’s 2014 law known as the Student Online Personal Information Protection Act (SOPIPA) as a model. Iowa was one of the states to pass similar legislation in 2018.
The issue of data security was also a critical part of the report as the primary federal student privacy law known as FERPA requires no specific protections against data breaches and hacking, nor does it require families to be notified when inadvertent disclosures occur.
“This report card provides not only critical information regarding the existing laws but also serves a blueprint for parents to use for lobbying for better protections for their children,” Carol Burris, Executive Director of the Network for Public Education, noted.
Iowa was one of 28 states who received less than a “C-.” No state received an “A.” Colorado received the highest grade with a weighted average grade of a “B.” Three other states: New York, Tennessee, and New Hampshire, received a “B-.” Except for New York, states receiving a “B” or “B-” enacted more than one student privacy law.
Iowa received a “D” for parties covered and regulated by state law. The report states that the more parties covered and regulated by state law, the stronger privacy protection the law provides.
For transparency, the state received an “F.” The report card graded states on whether, under state law, education agencies were required to inform parents about what data they collect and why, whether they are required to execute a written agreement before sharing student data with third parties, whether those agreements are made public or available to parents, and whether those agreements include specific student data privacy and security protections.
Iowa received a “D” for the parental and student rights category. This category covered how much access parents and students can have to data collected and whether they can edit or delete it, prohibitions on collected certain kinds of sensitive data, whether parents and students can opt out, etc.
Iowa’s highest grade was a “C” for limiting commercial uses of data. They looked at how a state’s law prohibited or restricted the sale of student data or using it for commercial purposes.
The state received a “D” for data security. They looked at whether state law required education agencies and any third parties who receive student data to implement a data security program, including, but not limited to, encryption, security audits, audit logs, data retention and destruction procedures, and training;
Iowa received an “F” for oversight and enhancement. They evaluated whether there were actual “teeth” to a state’s privacy law to ensure compliance.
Iowa’s student privacy law, HF 2354, is based on California’s SOPIPA law that regulates the activities of companies operating online services that are designed and marketed to K-12 schools.
“The original SOPIPA made efforts to protect student privacy, but it contained some significant loopholes later adopted by other states, and in some cases, such as in Iowa, and was further weakened in subsequent versions,” Stickland told Caffeinated Thoughts.
“Iowa’s law prohibits online operators from ‘knowingly engaging’ in targeted advertising to students using their information collected over time. However, the law does allow companies to target ads to students based on their one-time use of a website,” Stickland shared. “We see no educational value for serving ads – especially targeted ads – to students while performing their school work online.”
“HF 2345 also generally prohibits operators from ‘knowingly’ selling or renting student information, but the data can be sold without notice or consent by operators in a purchase, merger or other acquisition by another company. Student data can also be sold/rented with parental consent by ‘national assessment’ providers, presumably including the College Board which currently offers student names and other information for $0.45 each through its Student Search Services®,” Stickland added.
Staci Hupp, the spokesperson for the Iowa Department of Education, was not familiar with the report card but provided a general comment about student data collection in the state.
“Student data help teachers, parents, and education leaders understand how our schools are changing, how our students are progressing academically, and how education programs are working. While student data are essential to school improvement efforts, we know how critically important it is to protect student privacy. In addition to following state and federal laws, the Department requires employees and partners to sign legally binding agreements, including confidentiality agreements and agreements that govern how data must be used and protected,” Hupp told Caffeinated Thoughts.
Stickland countered, “Any discussion about the benefits of student data should also include the risks. In fall of 2018, the FBI released an advisory warning of the many privacy and security threats posed by ‘widespread’ data collection and the use of education technologies, including ‘social engineering, bullying, tracking, identity theft, or other means for targeting children.’ Until we adequately address these and other privacy-related issues, districts and states should be minimizing the student data they collect, investing heavily in securing the data it maintains, and engaging parents and students in dialogue about what data is collected and why.”