By Sara Collins, Stacey Gray, Tyler Park, and Amelia Vance
Privacy advocates have long feared that student data can be used to inappropriately market to students or limit their future opportunities. In the United States, information about students is often used to send them mail or emails about educational opportunities, scholarships, or after-school activities such as tutoring services or sport leagues. Access to student data is heavily regulated when it comes from schools, teachers, or school surveys. But what about when that same data can be collected from other sources, like public records, commercial sources, or the students themselves? This is the topic of a new study by Fordham University’s Center on Law and Information Policy (Fordham CLIP), “Transparency and the Marketplace for Student Data.”
In the study, the authors present findings from years of research into the commercial ecosystem for data about students, with a particular focus on the practices of “data brokers.” In general, data brokers are companies that buy and sell information about consumers from a wide variety of sources, often from public records or commercial sources. This information may be used for many purposes, such as analyzing trends, or buying and selling lists of contact information for various categories of consumers for commercial advertising or direct marketing. Data sharing such as this is common: as we described in our 2015 cross-device report, Oracle’s BlueKai links more than 80 sources of data to online IDs that can be used to target consumers based on categories or purchasing intents—e.g. “Back to School Shopper” or “Graduation Gift Buyer.” Many companies provide similar services, as personalized or targeted offers are more valuable to advertisers than generic content.
When commercial data involves categories of people known or inferred to be “students” — for example, because they might be shopping for new electronics — it raises understandable concerns from parents and advocates. For example, one seller contacted by Fordham CLIP was willing to sell a marketing list for “‘fourteen and fifteen year old girls for family planning services.'” Elana Zeide, Visiting Assistant Professor at Seton Hall University’s School of Law, remarked that the study’s findings “reflect the broader trend to score and credential human beings as an integral part of our data-driven society.”
Legal frameworks exist to protect student information, but when data does not come from teachers or schools, it will fall outside of the strict requirements of the Family Educational Rights and Privacy Act (FERPA) and most state laws, such as the California Student Online Personal Information Protection Act (SOPIPA). Nonetheless, schools must abide by the Protection of Pupil Rights Amendment (PPRA) when administering surveys that could be used for secondary commercial purposes. The Fair Credit Reporting Act (FCRA) and Children’s Online Privacy Protection Act (COPPA) may already be able to address some of the problems raised by the study.
FERPA and State Student Privacy Laws Governing Schools
“One bright spot in the report is that, among the small number of school districts that responded to the researcher’s requests for information, none appeared to be selling or sharing student information to advertisers,” noted Bill Fitzgerald, Project Director at InnovateEDU, on his personal blog. “However, even this bright area is undermined by the small number of districts surveyed, and the fact that some districts took over a year to respond, and with at least one district not responding at all.”
Under FERPA, schools and teachers are prohibited from sharing information from a student’s educational record — such as contact information, demographics, educational goals, or performance — unless there is parental consent or the disclosure falls within one of FERPA’s exceptions. Similarly, the 121 state student privacy laws passed since 2013 place strict requirements around student information held by local and state education agencies (LEAs or SEAs, respectively), or data that third parties obtain in order to fulfill a school function for an LEA or SEA. As a result, schools typically cannot be used as a source of commercial information for things like advertising and marketing.
However, as this study notes, FERPA and state student privacy laws only apply to personally identifiable information collected by a school or a third party acting on behalf of the school. As a result, if similar data can be collected from outside sources like public records, websites, or mobile games, the information can typically be used for commercial purposes (although not without restrictions, as we describe below).
PPRA and Surveys Administered in Schools
When schools administer surveys to students, a lesser-known federal law applies: the Protection of Pupil Rights Amendment (PPRA). In the research presented in this study, the authors describe how information about students can inadvertently become commercially available through surveys that students fill out online or in schools. For example, some schools are likely giving out surveys from the National Research Center for College and University Admissions (NRCCUA), an organization listed in the study as a “Student Data Broker.” NRCCUA says on its website that it obtains its information from surveys of high school students given by “teachers, guidance counselors, and online.”
PPRA requires schools and districts to have a policy, created in consultation with parents, that establishes a parental right to inspect any survey created by a third party before the survey is administered. If the survey asks about certain sensitive topics – such as family income, religion, political beliefs, or anti-social behaviors – PPRA requires even more: parents must be told about the survey and given the opportunity to opt their child out of taking it. The Department of Education has recently released guidance on administration of third party surveys, reiterating that the PPRA requires consent from parents, not students.
PPRA also has a little-known provision that covers student information marketers: the policy that schools and districts must develop must include specific policies regarding:
[t]he collection, disclosure, or use of personal information collected from students for the purpose of marketing or for selling that information (or otherwise providing that information to others for that purpose), including arrangements to protect student privacy that are provided by the agency in the event of such collection, disclosure, or use. 20 U.S.C. § 1232h(c)(1)(E).
If a survey is found to violate PPRA, it is the school, not the entity that created the survey, that faces liability. As a result, schools and districts should carefully review their PPRA policies and ensure that all school staff know the restrictions of the law. Schools should also review how the school as a whole or individual teachers decide which surveys to administer, to whom the survey authors are releasing the data, and for what purposes.
Existing Enforcement Opportunities
While the study mentioned the Fair Credit Reporting Act (FCRA) as a potential model for regulations that should be created to regulate student data brokers, the law itself may already cover certain limited uses of this data under some the most concerning circumstances. FCRA has a broad definition of “consumer report” which includes “any information” related to “general reputation, personal characteristics, or mode of living” used to make decisions regarding credit, employment, housing, or another benefit. For example, if data brokers provide information to colleges or universities with the knowledge that those institutions are using the information provided to make admissions decisions, they will be considered a “consumer reporting agency” and subject to the strict requirements under FCRA. The FTC has previously issued warning letters to a variety of data brokers in different fields regarding their obligations under FCRA.
Schools should also be aware that the FTC has stated that COPPA applies to any data collected from children under the age of 13, even if it is collected through surveys administered in schools or online. If a school or parent believes that data is being collecting information from children under the age of thirteen for secondary or inappropriate purposes, they may file a complaint with the FTC.
In light of this study, we may see greater regulatory attention to data about student consumers from the Federal Trade Commission (FTC) or the states’ Attorneys General. It is also possible that local, state, or federal policymakers will introduce legislation to regulate data about students that falls outside of FERPA, COPPA, and PPRA. For example, Vermont recently passed legislation requiring “data brokers” to post information about their data practices and opt-outs with the Vermont Secretary of State. These state and sectoral laws may prove to be imperfect solutions, and highlight the growing importance of crafting a baseline privacy law in the United States that would provide more consistent protections for all consumers.
Amidst calls for greater transparency and parental control over this type of data, it is important to ensure that strong privacy protections are balanced against legitimate educational uses of student data, such as providing more educational opportunities to students. Companies who provide these kinds of opportunities for direct marketing can help build trust by establishing clear policies around how data is collected, how it may be used in fair and non-discriminatory ways, and how it will be safeguarded.
Note: One of the CLIP study’s authors, Joel Reidenberg, is an FPF Advisory Board Member. Elana Zeide, quoted in this post, is also an FPF Advisory Board Member.